IntegraXor, a maker of supervisory control and data acquisition (SCADA) equipment, said it would implement a bug bounty program offering points redeemable for company services to researchers who disclose security vulnerabilities in its IGX SCADA system.
In most bug bounty programs, with Google being the best-known example, vendors pay researchers for responsibly disclosing bugs in their products, and most of those payments are monetary. Microsoft just revealed it would pay six-figure rewards for severe vulnerabilities. Those are white-hat figures, though: a researcher willing to go over to the dark side can make considerably more on the private vulnerability sales market.
SCADA machines play a central role in the maintenance of critical infrastructure systems.
In this case, IntegraXor is not offering money for vulnerability reports. It has set up a system in which researchers earn points for disclosing vulnerabilities in the company's IGX SCADA systems, with more severe bugs earning more points for the researcher who disclosed them. The company calls the program "non-monetary," but the points can be exchanged for IntegraXor products and services, and the company said researchers may sell their points for whatever value they can attract on the open market. The company claims its lowest payout is roughly the equivalent of $149 and its highest just short of $4,000.
IntegraXor said researchers will be disqualified for running vulnerability tests against live systems. To be eligible for a reward, researchers must download their own testing environment, which is available on IntegraXor's website. The company will only accept "closed disclosures"; third-party disclosures, where the bug has already been reported elsewhere, do not qualify.
A study from the University of California, Berkeley found that bug bounties actually save tech firms money in the end. Its research focuses mostly on the finding that it costs less to pay bounties than it does to hire a full-time security researcher or two.