Bug Bounties

But organizations that offer financial rewards to hackers or security researchers typically get more tips, Bayuk said. The amount of a bug bounty depends on the quality of the information provided by the tipster and the severity of the hack, and rewards range from a couple hundred dollars to hundreds of thousands of dollars.

Apple Inc., for instance, will pay out as much as $50,000 for pointing out a bug that allows a hacker to access iCloud account data on Apple servers, and as much as $200,000 for vulnerabilities in its secure boot firmware components, which blocks malware when a phone starts, according to the company’s iOS security guide. On Monday, Microsoft Corp. announced that it was doubling the top bounty reward, to $40,000, for finding bugs in Azure, the company’s competitor to Amazon Web Services.

Goldman Sachs Group Inc. has had a private disclosure program in place since January 2018 and awarded $40,500 since it was started, said Patrick Lenihan, a bank spokesman. Goldman offers a maximum payout of $15,000 to people who identify vulnerabilities, though awards are usually around $1,000, Lenihan said.

In recent weeks, it also started a public program -- offering incentives to people who identify flaws such as “unauthorized access to sensitive information.” It too has a maximum reward of $15,000 but that’s likely to increase as it expands, Lenihan said.

‘Thank-you T-shirt’

Even if Capital One offered cash rewards, it’s not clear that the unnamed tipster would have netted a huge reward. That’s because the information provided was more of a heads-up about leaked data, rather than a detailed report outlining a major flaw, Aitel said.

“You’re not gonna make a ton of money saying, ‘Hey, I think someone has your information on a Github account,’ ” he said, adding, “They might send you a thank you T-shirt. They definitely owe you a thank you T-shirt.”

This story provided by Bloomberg News.
