Idea: Vulnerability Bounty Insurance

The Background

Did you know that there is a whole world of ethical hacking out there?

People will search for vulnerabilities in large sites, just to turn around and tell the site about them.

Now, most of them don't do this out of the kindness of their heart. They do it to earn bounties.

The idea is that, depending on the severity of the bug, the company will pay you money for bringing it to their attention.

The problem is that small and medium-sized businesses don't have the money to offer these bounties. If someone finds a major vulnerability, they're not going to be able to afford a $10k bounty.

So, either no one finds the bounty and it remains un-fixed, or someone finds it and either exploits it or blackmails them.

The Idea

This doesn't need to be the case. These vulnerabilities are rare.

Even huge software companies with massive bounties only see a few serious vulnerabilities found each year.

So, the idea is to provide small and medium-sized internet companies with bounty insurance.

This way they can have their own bounty program and offer competitive prizes compared to the larger companies.

They pay some modest premium each month.

Then, if an ethical hacker finds a vulnerability, they can claim the bounty and the insurance company will pay it.

Obviously there are some things to get around. If someone finds a vulnerability in wordpress, they shouldn't be able to claim bounties from every site that uses it.

And there would need to be fraud safeguards to make sure the company isn't intentionally building vulnerabilities in order to claim bounties.

But these are surface-level and can be easily avoided.

As part of this they could also provide insurance in the case of user data breaches and other similar cyber-security issues.