Founder Ash Conway said Bugwolf was seeking to service high-risk organisations such as government and large corporations, and its second contest would raise the bounty to $1000. "We hope to continue to increase those as we progress," Conway said. "A lot of the programs out there are still only offering leader board recognition, and my vision is to increase the value by creating this marketplace for security researchers and putting more money back in their pockets." Conway said crowd-sourced testing added a layer of protection above other forms of software testing, which has become more important as release cycles have shortened. "There are things being missed, and this provides an extra level of comfort," Conway said. Bugwolf's launch follows that of fellow Australian start-up Bugcrowd, which has held five contests since late last year and signed up 1500 testers.

Founder Casey Ellis said cost-effectiveness was one of the concept's strongest selling points. "The number of findings we get is amazing, when you compare that to what you could get out of a consultant for that kind of money," Ellis said. While the company was also targeting large clients, Ellis said the model could also scale down for smaller businesses. "At the moment those guys get hacked to the ground all the time and there is no real way for them to fix it," Ellis said. One of the first-ever bug bounty contests was run by the Mozilla project in 2004 to test the Firefox browser. Mozilla's director of security assurance Michael Coates said contests were just one weapon in its testing arsenal, but the benefits were significant.

"The types of issues that we address through the bug bounty program would be large concerns if they had been publicly released in the wild," Coates said. Google is another long-time user of bounties. While contests were open to the broad security research community, Google information security engineer Chris Evans said he was not aware of any downside. "It's important to understand that bad guys are going to target you and your users regardless of whether you offer rewards or not," Evans said. "Therefore, it's logical to run a rewards program so there's a greater chance of a good guy finding and reporting a given issue before a bad guy abuses it." Microsoft too has a long-standing strategy for working with hackers to identify bugs. It invites "white hats" to its internal annual conference Blue Hat and hires hackers to test new products. Hunting bugs can be a lucrative business. According to the founder of California-based WhiteHat Security, Jeremiah Grossman, more than $US1 million was paid out by Google, Facebook and Mozilla in the past 18 months.

"That's a lot of vulnerabilities that they have taken off the market for a rather trivial sum in the grand scheme of things," Grossman said.