One of the first things I learned in a Hacking / Incident Response class is that you do not hack anything that does not belong to you without explicit permission from the owner of the equipment and the data. That being said, I have had a HackerOne account for quite a while now. I have yet to sit down and try any of the bounties due to time constraints. I have, however, sat down and read a contract or two for the bounties. The contracts usually clearly state that you may hack the systems as long as data is not taken and day-to-day operations are not affected. What I found interesting about the article is the time frame it took for the government to implement vulnerability disclosure policies. Another thing that stood out in the article for me is the claim that ethical hackers are “price insensitive,” implying that smaller companies can also benefit from bug bounties. The industry effects are not surprising; human nature is to go after the thing they think is going to make them the most money, so of course the banks are going to report the most findings. In the end, I find bug bounty programs to be a way to both make a little money on the side and help said company identify its vulnerabilities in a controlled setting.