Question

Bug bounties are currently one of the most popular ways for organizations to receive feedback about security bugs. Large corporations, like PayPal and Facebook, as well as government agencies like the US Department of Defense, have all embraced the idea. Yet not too long ago, reporting a vulnerability to a company would have more likely landed you in jail than gotten you a reward.

“漏洞赏金目前是企业收到安全漏洞反馈的最流行方式之一。像 PayPal 和 Facebook 这样的大公司，以及美国国防部这样的政府机构都拥抱了这个想法。但是不久以前，向公司报告漏洞可能更有可能让你进监狱而不是得到奖励。”

In 1995, Netscape launched the first-ever bug bounty program. The company encouraged users to report bugs found in its brand-new browser, the Netscape Navigator 2.0, introducing the idea of crowdsourced security testing to the internet world. Mozilla launched the next corporate bug bounty program nine years later, in 2004, inviting users to identify bugs in the Firefox browser.

1995 年，Netscape 推出了首个赏金计划。该公司鼓励用户报告发现的漏洞，这些漏洞存在于其全新的浏览器—Netscape Navigator 2.0 中。介绍众包安全测试的概念，成为了互联网世界的一股清流。而 Mozilla 公司则于 9 年后（即 2004 年）推出了下一个公司赏金计划，邀请用户鉴定 Firefox 浏览器中的漏洞。

But it was not until the 2010s that offering bug bounties become a popular practice. That year, Google launched its program, and Facebook followed suit in 2011. These two programs kick-started the trend of using bug bounties to augment a corporation’s in-house security infrastructure.

但直到 2010 年代，提供漏洞赏金成为一种流行的做法。那一年，谷歌启动了它的计划，Facebook 在 2011 年也效仿了这种做法。这两个计划开启了利用漏洞赏金来增强公司内部安全基础设施的趋势。

As bug bounties became a more well-known strategy, bug-bounty-as-a-service platforms emerged. These platforms help companies set up and operate their programs. For example, they provide a place for companies to host their programs, a way to process reward payments, and a centralized place to communicate with bug bounty hunters.

随着漏洞赏金成为更为流行的策略，漏洞赏金作为服务的平台出现了。这些平台帮助公司建立和运营其程序。例如，他们提供公司托管其程序的地方，处理奖励付款的方式以及与漏洞赏金猎人进行集中交流的中心化平台。

The two largest of these platforms, HackerOne and Bugcrowd, both launched in 2012. After that, a few more platforms, such as Synack, Cobalt, and Intigriti, came to the market. These platforms and managed bug bounty services allow even companies with limited resources to run a security program. Today, large corporations, small startups, nonprofits, and government agencies alike have adopted bug bounties as an additional security measure and a fundamental piece of their security policies. You can read more about the history of bug bounty programs at https://en.wikipedia.org/wiki/Bug_bounty_program .

其中最大的两个平台是 HackerOne 和 Bugcrowd，它们都在 2012 年推出。此后，还有一些平台，如 Synack、Cobalt 和 Intigriti，进入了市场。这些平台和托管漏洞赏金服务，使得即使是资源有限的公司也能够运营安全计划。今天，大型企业、小型初创企业、非营利组织和政府机构都采用漏洞赏金作为额外的安全措施和安全策略的基本组成部分。您可以在 https://en.wikipedia.org/wiki/Bug_bounty_program 上了解更多关于漏洞赏金计划的历史。

The term security program usually refers to information security policies, procedures, guidelines, and standards in the larger information security industry. In this book, I use program or bug bounty program to refer to a company’s bug bounty operations. Today, tons of programs exist, all with their unique characteristics, benefits, and drawbacks. Let’s examine these.

安全计划一般指更广泛的信息安全行业中的信息安全政策、程序、指南和标准。在本书中，我用“计划”或“赏金计划”来指代公司的赏金计划操作。目前有很多这样的计划，每个计划都有其独特的特点、好处和缺陷。让我们来看看这些内容。