WIRED Security is a new one-day event from WIRED, curated to explore, explain and predict new trends, threats and defences in cyber security. To find out more and to book tickets, click here.
It seems like everything is at risk of getting hacked these days – from hospitals to big corporations such as Sony and Yahoo. But some security researchers are chasing down the bugs that make software vulnerable, responsibly reporting them and receiving some big prizes in return.
The rise of “bug bounty” programs at large companies, from Facebook to Apple, has put stacks of cash and other spoils on the table for hackers who can find security issues and disclose them to the companies affected.
Not all firms know how to interact with the hacker community, though, and managing a bug bounty program to ensure it is fair and safe is a tricky business. That’s where HackerOne comes in – it’s a sort of middle-man between corporations and bug-hunters. “It’s a process that most companies are very poorly set up for,” explains co-founder and CTO Alex Rice who will be among the speakers at the inaugural WIRED Security conference on October 20. “There’s actually a significant amount of risk for you as a hacker.”
There have been reports of researchers threatened with legal action for flagging vulnerabilities in the past, for example. When clients sign up to HackerOne, they set the rules of engagement and then wait for a response. A notification that a bug has been found in their app or on their website, for example, can be quickly investigated by their own engineers – sometimes it’s patched within hours. Of the 600 programs launched via HackerOne, 77 per cent have revealed a new vulnerability within a day.
Some organisations, including the Electronic Frontier Foundation, have published online guidelines describing the procedure they’d like hackers to follow. These might include what kind of penetration testing is off-limits and how to enter into correspondence about a flaw that has been found.
“It’s really kind of sad that you have to go into that level of caveating,” says Rice, but the flipside is the opportunity to engage in carefully managed bug bounty programs – which is where the big prizes lie.
One of HackerOne’s co-founders, Jobert Abma, has said he makes nearly $100,000 a year via bug bounty schemes. And HackerOne has helped dish out heaps of cash rewards to others. A recent project with Uber resulted in $345,000 being distributed to researchers within 100 days.
Uber, says Rice, “could not be happier” with the result. In total, 161 security issues were found and fixed. A pertinent example concerns a bug that allowed app users to evade the higher costs of surge pricing. It involved simply switching the pick-up location in the app between areas where surge pricing was and wasn’t in effect.
“Now you can see the price without surge even though there is surge in that area,” explained the engineer who alerted Uber. Within two days he received a response thanking him, affirming that it looked “legit”. A few more days passed and it was fixed. Within a month, the engineer received $3,000 for the tip.
Money isn’t the only incentive, though. Sometimes there are other perks. “We run events periodically where we fly the hackers out to meet security teams,” says Rice, “which is a special privilege for the top hackers.” The best of the best end up working fairly closely with the engineers at firms they’ve helped out, adds Rice. “They really treat them as part of their security team rather than an external party.” This can lead to a bond between that firm and subsets of the hacker community. They’ll build up what Rice describes as “a pool of people they can direct as needed”.
A recent survey of 600 hackers on HackerOne found there was a mix of motivations for participating in bug bounty programs; 72 per cent did it for the money, but a similar proportion, 70 per cent, said they were also in it for “the fun”. Just over half said they wanted to “do good in the world”.
There is the odd problem case, though. HackerOne has had to ban “a handful” of hackers, says Rice, for interacting with firms in unprofessional ways via the platform. One provocateur didn’t have “mature enough communication skills”, he adds. “Let’s just call it plain rude behaviour.”
But there haven’t been many problems with hackers pushing their luck with the actual code. Those with malicious intent, Rice explains, don’t gain much from taking part in a bug bounty program. They might as well just tinker with what they can find on the open internet – and that’s available to everyone.
A happy hacker-client ecosystem requires both sides to be respectful, explains Rice. His own background taught him that. Ten years ago he was working for a company called Websense that built systems to crawl the internet looking for vulnerabilities. From there, he moved to Facebook because, he says, he was impressed by the company’s openness to receiving help from external hackers.
“Too many companies have their head buried in the sand and believe they can solve security on their own,” he says. “If they figure out how to do that they’ll be the first company in history to do so.” And finding out a firm’s approach to these problems even has potential as a USP for consumers, he adds. In fact, that’s how he differentiates between gadgets on the market himself.
Take the example of Chromebooks. Google started paying out a few thousand dollars to researchers in the first year of its bug bounty scheme for the laptops. But as it got harder to find vulnerabilities, Google steadily increased the reward. The discovery of a single flaw can now net a hacker $100,000 – but no-one has claimed it yet.
“They got to the point where they could say this machine is so secure that we’re able to put $100,000 on the line,” says Rice. “I end up making personal consumer decisions based on that.”
It’s something to think about next time you hear about a big corporation that got hacked – or whenever you’re shopping for a new phone or computer. Does the company let hackers have a go? Is it open about its approach to security? You can’t protect against everything, admits Rice, but at least some have made a start.
This article was originally published by WIRED UK