Francois Guay says there’s a fine line between acting out of goodwill and turning vulnerability findings into a pay-to-play situation.
Doug, our battle-hardened cybersecurity veteran, has seen just about everything. But even he did a double-take when an email landed in his inbox recently: someone claimed to have found vulnerabilities on his company’s website and straight-up asked, “So, what’s the payout for this info?” Without missing a beat, Doug responded that his company doesn’t pay for vulnerabilities and requested more details. The reply? “Not a chance.” It’s a perfect example of what’s being called a “beg bounty” in the industry, and it’s becoming more common. Naturally, we at the Canadian Cybersecurity Network.com (CCN) decided to dig a little deeper to find out what’s driving this trend.
The rise of beg bounties
In the cybersecurity world, white hat hackers—those who ethically find and report vulnerabilities—play a crucial role in keeping systems safe. But when should they expect to get paid for their efforts? There’s a fine line between acting out of goodwill and turning vulnerability findings into a pay-to-play situation. It begs the question: are these ethical disclosures or subtle forms of extortion?
Platforms like disclose.io and the OWASP Responsible Disclosure Guidelines support an approach where vulnerabilities are reported without an expectation of compensation. Many large tech companies offer bug bounty programs with financial rewards, but smaller businesses may not have the budget to pay for every vulnerability identified. So, what’s a hacker to do?
Money vs. mission: The ethical dilemma
For some hackers, the mission is clear: improve security, protect data, and do good. But let’s be honest—finding and reporting vulnerabilities takes time, skill, and expertise. Is it really fair to expect hackers to work for free? Or does asking for compensation blur the line between ethics and extortion?
According to a survey conducted by the Canadian Cybersecurity Network, opinions in the community are sharply divided. Thirty per cent of respondents believe that hackers should withhold vulnerability details if there’s no bounty offered, while 70 per cent support disclosing vulnerabilities regardless of payment. It’s clear that the debate on whether white hat hackers should prioritize security or seek fair compensation is far from settled.
To pay or not to pay: What’s the verdict?
To navigate these complexities, many organizations are implementing Vulnerability Disclosure Policies (VDPs). A VDP outlines how a company handles vulnerability reports, including whether compensation is on the table and how communication should be managed. Clear policies set expectations, reduce misunderstandings, and help foster trust between researchers and companies.
Chris Parsons, a Canadian cybersecurity expert, points out that fear of legal action often prevents hackers from reporting vulnerabilities—especially when it comes to government entities. Similarly, the Lassonde School of Engineering emphasizes that both proper recognition and financial rewards are becoming more critical as the demand for cybersecurity professionals grows. With no easy answer, it’s clear that striking a balance between doing good and being valued for it is more important than ever.
What’s next for white hat hackers?
So, what’s the future for white hat hackers and vulnerability disclosure? Should companies focus on implementing robust VDPs to provide clarity and support? Should hackers continue to report vulnerabilities for free, or should they be compensated for their time and expertise?
The answer might lie somewhere in the middle. But one thing’s certain: as beg bounties become more prevalent, companies and hackers alike need to find common ground to ensure the industry moves forward in a way that’s both ethical and sustainable.