In an age of digital insecurity, paying bug bounties becomes the norm
From Apple to Airbnb, companies are increasingly turning to outside hackers to find – and eventually fix – their software security vulnerabilities.
Las Vegas — Twenty-nine floors above the Las Vegas strip in an MGM Grand suite, more than 30 hackers furiously hunted for security flaws in the payroll software company Zenefits' corporate networks.
It's an attractive target. On the digital black market, criminals would pay handsomely for the company's database of customers' personal and financial information.
But these hackers weren't after that kind of data. Instead, they hunted for flaws in Zenefits' software to help bolster the company's networks against prying thieves.
"If I had just one awesome hacker in my company that would make me really happy,” said Justin Calmus, Zenefits' chief information officer. "Instead, I have all these people."
At last week's hacker conferences Black Hat and DEF CON, the company hosted a contest for people to win as much as $125,000 in prizes for uncovering digital doorways that could let malicious hackers into their systems. For eight hours, they examined code while listening to rap music and pounding energy drinks.
While so called bug bounty programs were rarities just a few years ago, they have recently proliferated among tech firms, carmakers, big banks, and even at the Pentagon as effective ways to find and fix security vulnerabilities. In perhaps the biggest boost for bug bounty programs yet, Apple announced last week that it would begin paying independent researchers as much as $200,000 if they find serious vulnerabilities in the company's products.
"Bug bounty programs are exploding," said Chris Wysopal, chief technology officer at the cybersecurity company Veracode. “It’s completely legitimate now. And why wouldn’t it be? People are going to hack your stuff anyway."
As bounty programs have proliferated, firms such as HackerOne and Bugcrowd have emerged as conduits between corporations and the security research community. For the Zenefits bug bounty hackathon, HackerOne helped corral hackers from as far away as Argentina and Morocco.
HackerOne also set up hackathons for Snapchat and Panasonic during the Vegas cons, but spokesperson Lauren Koszarek declined to say how much those companies actually paid their hacker volunteers, other than to say more than six figures was paid out in bounties across all three nights, because the results are still being finalized.
Still, it's clear bug bounty hunting is an increasingly lucrative business for those involved.
"I’ve probably made $8,000 since I started looking for bugs a year ago," said one hacker who asked to be identified by his internet handle ZephrFish.
The 20-something hacker has a day job in the cybersecurity industry and like many of his peers at the MGM Grand hackathon moonlights as a bug bounty hunter. His biggest bounty so far: a $2,500 flaw on an adult website that could have exposed the personal information on all the site's users.
Another hacker who identified himself only as zseano estimated he’d earned $65,000 since he started hacking nine years ago at age 15. “I’ve never had a real job. It’s just fun breaking people’s stuff," he said.
Bug bounty firms such as HackerOne and Bugscrowd serve as something of a buffer – and also as translators – between the sometime rebellious hacker community and corporations.
"We’re getting two groups together that historically don’t like each other," said Bugcrowd founder Casey Ellis. "We just need to make sure hackers aren’t scaring people who are taught to be scared of them."
For many industries, there's a moment when they realize they're more vulnerable they realized, Mr. Ellis said. That moment came for automakers last year after security researchers demonstrated to a Wired magazine reporter they could remotely take over a Jeep Cherokee, he said. Now, Bugcrowd counts Fiat Chrysler and Tesla Motors among its clients.
To remain successful, bug bounty firms must inspire trust among their corporate clients by ensuring hackers honor nondisclosure agreements and by preventing researchers from going public with their findings before the companies can fix their systems.
“If you’re a bad guy you would never sign up for this because the only way to get a reward is by doing the right thing," said Marten Mickos, chief executive officer of HackerOne. Still, he said, "for companies, it’s just a shift in mindset.”