Meet the bug bounty hunters
Philip Ellison 05 March, 2015 at 10:03
More and more hackers are deciding to use their powers for good, thanks to ‘bug bounty’ programs at tech giants like Google and Paypal which offer financial rewards to individuals who attack their systems and then report back on the security flaws they encountered. And we’re not talking small change; while companies shelled out paltry amounts or credit vouchers to their bug finders when the concept began just four years ago, it has since become lucrative work. Facebook spent a reported $1.3 million on its bug bounty program in 2014, paying over 700 white hat hackers to help strengthen security.
“The majority of the bug bounty programs seem to have had a positive impact,” says John Pescatore, Director of Emerging Trends at the SANS Institute. “Without these programs, a high percentage of those who found vulnerabilities would have done nothing with the information; an unknown number would have constructively informed the affected company, while another subset would probably have passed the information to the bad guys.”
Outsourcing the often lengthy, time-consuming security triage process to experts is a natural fit for tech companies, even if these experts don’t come from the most conventional professional backgrounds. But non-tech organisations, such as financial institutions, are less keen on the idea. “It’s not always clear who you are dealing with,” says Gus Anagnos, former head of Paypal’s bug bounty program. “You don’t know whether you are working with a white hat or a black hat.”
The financial incentive also opens up companies to an influx of flimsy or duplicate submissions, as Trello’s Daniel LeCheminant knows all too well: “The downside of saying ‘if you give us a vulnerability we will give you money’ is you get a lot of garbage reports… In the first week and a half [of Trello’s bounty program] we have gotten 200 submissions and maybe 10 were actionable.”
But it doesn’t look like the money is going to run out any time soon, in the tech world at least. Google recently updated the rules of its Pwnium bug bounty program, changing it from an annual $2.7 million prize to a rolling reward that will run all year round. In an official blog post, the Pwnium team explained that this decision was made to remove barriers to entry, and to prevent researchers from “hoarding” bugs and fixes until the competition date. “We crunched the numbers and the results are in: [the prize money] now goes all the way up to infinity,” says Pwnium’s Tim Willis. “Happy hunting!”