INVITATION TO CYBERSECURITY 50

3.1.1.4 Cybersecurity Researchers

“Our Bug Bounty Program encourages collaboration with the research community and incentivize [sic] researchers to report vulnerabilities in Intel products. Through the Bug Bounty program, Intel invites researchers to test specific targets, submit vulnerabilities, and get paid for their work.”
- Intel Bug Bounty Program[2]

Cybersecurity researchers perform vulnerability assessments on websites, software, and hardware products. Like pentesters, their goal is to find and disclose vulnerabilities in order to improve cybersecurity. Some work for large organizations. Others are academics: professors, graduate students, and fellows at a university. Still others are independent cybersecurity researchers.

One way that cybersecurity researchers earn money is through bug bounty programs. A bug bounty is a payment made by an organization for finding a vulnerability in one of its products. Companies promote these programs, in effect inviting cybersecurity researchers to probe their products, as a way to “hire” outside researchers to help make their products more secure. They would prefer to know that a vulnerability exists before cyber attackers discover it and cause fallout for their customers. Bug bounty programs outline the ROE, how to contact the company with findings, and how much money the company will pay for different classes of vulnerabilities.

Cybersecurity researchers might also probe for vulnerabilities even when there is no bug bounty program. Here, they must be careful if they are proceeding without explicit permission from the company. Copyright-related laws, including the Digital Millennium Copyright Act (DMCA), provide intellectual property (IP) protections for companies. IP is proprietary information that provides a competitive advantage to an organization. The DMCA prohibits the dissecting of hardware and software and the undermining of security controls.

There are carve-outs in the DMCA for cybersecurity researchers who are acting in good faith. However, reverse engineering products without explicit permission remains a gray area. There have been incidents where researchers discovered vulnerabilities and informed the company of their findings, and instead of thanking them for helping to improve cybersecurity, the company promptly sued the researchers for violating its intellectual property rights.

Another major target of cybersecurity researchers is free and open-source software (FOSS). FOSS is software that is free to use and whose source code is publicly available. The computing industry and the Internet are heavily dependent on FOSS. Occasionally, researchers find major vulnerabilities in FOSS that impact systems across the world, and these vulnerabilities become front-page news. One such vulnerability was discovered in the OpenSSL library in 2014. The vulnerability could be exploited to allow attackers to eavesdrop on encrypted communications, among other things. Around this era the

[2] intel.com website. Intel Bug Bounty Program - Collaborating with the Research Community. Retrieved June 2025.