Earlier this month, many of us let out a collective groan as we received that dreaded message: “Have you seen the latest Adalytics report?”
Cue the usual discussions of the ad industry’s latest horror story.
Making matters worse, the Adalytics report on advertisers monetizing child sexual abuse material came just a week after DeepSee.io’s disclosures about ads lining the pockets of content pirates.
In both cases, ads ended up on sites that advertisers don’t want to be on. This is a sizable, intractable problem. Untold billions are spent each year on fraudulent advertising.
But there’s a solution that the advertising industry could borrow from the hacker world: bug bounties.
Taking inspiration from cybersecurity
Bug bounties have helped the cybersecurity industry solve some of its intractable problems, identifying bugs in software, websites and applications.
Software companies have paid individual bug bounties as high as $16 million. Some companies – like Apple – will pay a lot for exposures of zero-day exploits in particular, which could be used by state actors to hack cellphones or other critical infrastructure.
Outside of these big-ticket items, bug bounties typically range from $250 to $10,000, depending on their severity. Still, these bounties can really add up. Meta paid out $2.3 million in 2024 to researchers from more than 200 countries for uncovering bugs in its platforms.
Many software companies include these bounties as part of their operating budget. And their internal teams have a set process for onboarding and implementing external bug research. The idea is that, if the external market can solve a company’s bug problems, then it helps the company save money. And it’s good for the company’s customers because bugs are continuously being caught and addressed.
Breaking the outrage cycle
We need new incentives to inspire change in the digital ad ecosystem – and bug bounties could provide exactly that.
The industry is riding a perpetual motion machine. Digital advertising is pervasive, global and always on. It’s an inevitable fact that, with such a big system, things will break.
Reports like those published by Adalytics and DeepSee.io are good for the industry, because they help shine the light on unintended consequences – or ratbags intentionally gaming the system.
But a by-product of these public disclosures is that they highlight the ways bad actors can exploit ad tech. And because ad tech companies don’t collaborate with researchers and watchdogs, these reports necessarily take an oppositional stance. That framing ultimately discredits the digital ad industry and could potentially turn brands away from investing in advertising.
But these issues aren’t unique to ad tech. Bug bounties became a thing in cybersecurity because hackers and software companies kept dancing that same familiar dance we know all too well. Hackers would find exploits in software systems and disclose them to the software companies, but the companies impacted by the bugs would be embarrassed, and their internal teams would not want to shine the light on their own mistakes or omissions. So, when the hackers were inevitably ignored, that forced them to disclose the bugs publicly to effect change.
Does this sound familiar? It’s exactly what’s happening in ad tech right now, with researchers having to publicly disclose their findings because companies aren’t interested in making changes on their own.
So how can we get off the perpetual motion machine? Each release by industry watchdogs risks fatigue. When the same problems keep getting highlighted without being solved, people give up on solutions and stop paying attention.
But we need to improve the system. The work doesn’t stop just because it’s tiring.
Bug bounties as a cost of business
Bug bounties helped the cybersecurity industry solve some of its intractable problems. So ad tech should adopt the concept to get over its own inertia.
If you find a bug causing ads to be served where they shouldn’t, submit it to the software company for verification. And companies should reward researchers with payment for finding such bugs.
Cybersecurity bounty programs have their own terms and conditions, rules for disclosure, parameters for what types of bugs they will pay for, suggested payment tiers and legal protections. This is good for researchers, because they have a framework in which to work.
There are even platforms like HackerOne, which help manage bug bounty programs for companies, providing a consistent workflow and process.
By design, programmatic is a high-scale, far-reaching ecosystem. Its oversight requires checks and balances. Bug bounties help democratize this oversight so anyone with enough know-how can contribute.
Who would pay these bounties? Brand safety firms immediately come to mind, since so many of these reports by ad tech watchdogs expose holes in brand safety systems. Advertisers are essentially buying insurance for their campaigns through their brand safety partners, so bug bounties could become part of the insurance package.
Maybe DSPs could also offer bounty programs to build better protections for media buyers.
Bug bounties wouldn’t replace these companies’ existing internal efforts and investments aimed at rooting out vulnerabilities in their software. But they would help the open market supplement these internal efforts with fresh eyes and outsider perspectives.
If we want the open web to continue to thrive and improve, we need more collaboration between researchers and ad tech. And, in a digital ad industry that’s driven by incentives, bug bounties just make sense.
“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
For more articles featuring Ben Young, click here.
