The Deep Tech revolution -- Part 3: Bounty programs
So far in our 'Deep Tech Series,' we have explored ways for companies to share the more technical side of their work, with research-based publications such as white papers, and how to connect with their community through meetup events. While both initiatives have the purpose of reaching out and engaging with the target audience, one component that has been missing so far is that of a true call to action -- an invitation for the audience to become an integral part of these activities.
In 2022, Google awarded more than $12 million in bug bounties to security researchers who helped identify and fix over 2,900 issues and vulnerabilities. A bounty program is one of the most popular ways to achieve this, where vendors offer monetary rewards to anyone finding a security vulnerability in their products. In this particular case, vendors encourage security researchers to disclose their findings and let the company fix the security issue, instead of encouraging a black market for vulnerabilities that would be the only way for its authors to get some money out of their work. The bounties are open to individuals who have the right skill set to identify and potentially fix issues, work for which they can be economically rewarded.
For Deep Tech companies, bounty programs are extremely helpful when launching a new product -- a technology or update, new software, or protocol; a company can then use the program to test how robust the product is, stressing its operational properties and security characteristics by opening it up to external factors, and hopefully find and fix mistakes and vulnerabilities ahead of the public release.
Scope, Rules, and Rewards: Essential Elements for a Successful Bounty
In a classical bounty program, the scope is usually defined either by the company or by the individuals. Bounty beneficiaries, usually a company, define both the scope of work for the bounty and the reward. They should also set the bounty rules, what is acceptable and what is not, to avoid misunderstandings. Once these general rules are set, bounty topics could be suggested by both parties (company and individuals). Topics could range from completely open (like a bug bounty), where only the result is important, to something with clear guidelines (like light specifications) to clearly state the expectations when the scope is developing missing features.
The beneficiary should also define the application and submission process to clarify the timeline and the different steps required, as well as clearly indicating the level of skills and qualifications required for the hunters to participate successfully.
Worth the Risk?
There are, of course, some possible unexpected consequences when it comes to bounty programs. On the one hand, a company might find out that there are no problems to solve; on the other, it might incur the risk of exposing its technology to dishonest people looking to take advantage of vulnerabilities. However, the advantages of promoting this kind of program easily outweigh the potential downsides, especially when Deep Tech companies and startups manage to shape the challenge in a way that can go beyond the traditional purpose of the bounty and showcase some of the key characteristics of the company.
First and foremost, a bounty program creates public technical topics that people can follow. They are free to participate but offer monetary rewards, showing the community that their work is taken seriously and can be potentially integrated into documents or products.
This kind of activity can also be a great way to find and acquire the right talent. Through the bounty, a company can firsthand see the skills of a person, how well they know or how quickly they can learn about the technology and products, and therefore identify someone with the right profile to join the ranks.
Community is always a big focus when it comes to modern technologies: hunters, developers, experts, and sometimes just passionate people dabbling in something specific often enjoy the opportunity to engage with others with similar interests. Developing a missing feature without externalizing or hiring is also a way to build a community around a product by giving responsibilities to the community and showing its importance to the company.
When it comes to bounty programs, a case can also be made for transparency and openness for a Deep Tech company. First, it demonstrates the current status of your product by onboarding new users, and secondly, it allows you to add new features to your products without diverting the development team's focus. Lastly, it brings creative solutions by letting people work on hard problems without the internal bias of knowing what is possible or not with the product.
Beyond the Bounty
Sometimes the bounty can even work as a competitive grant, where several contributors work toward achieving the same goal and only the best submission is rewarded. This is a way to encourage users to get their hands on new technology while not losing the competitive edge by only rewarding the best submissions.
With bounty programs for open-source projects like the ones Zama promotes, new bounty hunters could start by reviewing old bounties and their accepted solutions as training materials. Typically, these are then used to add tutorials and demos, as it is a great way to advertise what can be done with Fully Homomorphic Encryption (FHE), focusing on pushing the limits of the technology internally.
Open source programs are meant to be understood by the users. The source code is available; it's not only a product that provides a list of features but also explains how it is done under the hood, offering a way to learn. It could lead to users suggesting new features, exactly like with a closed-source program, but also contributing to the project to add these features -- something not possible when a program is closed source. With open-source programs, the purpose shifts from identifying vulnerabilities to exploring use cases and creating functional applications for the technology instead.
The Real Value of a Bounty
One might easily think that what we have discussed so far doesn’t necessarily justify the expense of awarding money to participants; after all, one of the main components of a bounty program is to give compensation to an external actor who might or might not become a client or user. However, bounty programs still bring benefits to the business side of operations that should not be overlooked.
By putting your products under this kind of scrutiny, you show a wider audience that you are confident your tool can withstand external testing and handling, and demonstrate how ready-to-market you are. Transparency is something consumers, users, and investors always appreciate, and it adds value to the business. The feedback from the hunters participating in the bounty will also give you invaluable insight into the viability and quality of your product, from its conception to realization, and perhaps its appeal to users.
Especially with open bounties, people can suggest their own topics: if these are feasible, the benefit is twofold because the business can focus on the things it is building, but also it provides the business with a potential new market that you can work on with externalized efforts. In the words of Mark Twain, "They did not know it was impossible, so they did it."
Alexandre Quint is Director of DevRel and Presales at Zama.