
Hello, operator, I’d like to report a bug: Why one company is offering hackers directory assistance

HackerOne, one of the leading bounty firms, is creating a system that will connect computer vulnerability hunters with companies that may not have formal disclosure policies.

Reuters / Yuya Shino
Women holding their mobile phones are silhouetted as they walk on an overpass at a business district in Tokyo, Japan, November 5, 2015.

Before he cofounded San Francisco-based bounty broker HackerOne three years ago, Michiel Prins hunted software bugs for a living. Yet finding a way to report flaws that could leave users vulnerable to criminal hackers was always a hassle.

Only a handful of organizations actually had a formal policy for security researchers to call in tips, and those were mostly Silicon Valley tech firms, Mr. Prins says. So he would have to jump through hoops to try to tell companies about bugs – even scouring the professional networking site LinkedIn for the e-mail addresses of top executives to message them directly. “Usually we would spend more time figuring out how to contact the organization and getting the issue patched than finding the security flaw,” Prins says.

Now, Prins’s company wants to change that – and streamline the time-consuming process that friendly hackers still have to deal with when trying to report bugs.

HackerOne, one of a handful of organizations around today that helps researchers get paid for finding bugs, announced last week that it was adding directory assistance to a massive list it created this summer to allow hackers to look up security contacts at major companies. Now, if hackers find the company they want to reach has no official disclosure policy, HackerOne will reach out to that firm directly to help determine the best way to report bugs, and provide that information back to the researchers.

While creating the directory, the company’s Chief Technology Officer Alex Rice says, they found that 94 percent of the Forbes Global 2000 – the world’s largest and most powerful companies from all sectors, including the cream of the crop in finance, the auto industry, healthcare, and insurance – still do not have formal channels for white hat hackers to report flaws they find to the companies. “So if you’ve found a vulnerability that you want to make sure gets fixed, the answer is, you can’t, or you need to subject yourself to personal risk,” Mr. Rice says, such as a lawsuit.

HackerOne’s move comes as the debate over whether – and to what extent – hackers should be able to breach systems and devices with the intent of exposing security flaws is heating up nationwide.

Fear of being targeted for lawsuits is real for many hackers, whose investigations to find security flaws can require circumventing copyright protection measures, which is a felony under the Digital Millennium Copyright Act (DMCA). For instance, that provision allowed lawyers from IOActive, which designs the Cyberlock digital access control systems, to threaten suit against researchers who said they found vulnerabilities in the company’s software earlier this year.

IOActive is just one of several companies that have made similar warnings: In September, cybersecurity firm FireEye obtained an injunction in Germany that prevented ERNW from releasing information about flaws ERNW says it found in FireEye’s products (FireEye ultimately patched the bug and credited the researcher). Oracle’s Chief Security Officer has also publicly complained about researchers trying to reverse engineer the company’s software.

It’s an issue the US government is dealing with, too: Some worry that President Obama’s proposed federal hacking statute, announced in this year’s State of the Union address, could broaden the Computer Fraud and Abuse Act and toughen penalties for hackers.

So, as Rice says, having a known intermediary such as HackerOne reach out to companies can help assuage researchers’ fears of reprisal. “The worst outcome is not knowing what the outcome is going to be,” he says. “Not knowing if finding and testing a security vulnerability because you happen to stumble upon it is going to land you in jail.”

Others think directory assistance will do little to change HackerOne’s policy of recruiting researchers off the open Internet, which they view as irresponsible. “You’re giving the entire world an open invitation to hack their stuff,” says Jay Kaplan, chief executive officer of Synack, another vulnerability-spotting company based in Redwood City, Calif. “Researchers just need to realize that some of these organizations won’t ever feel comfortable with that.”

Synack differs from HackerOne, Kaplan says, because it operates on a proprietary platform that requires researchers to undergo strict vetting procedures before they can log on. (A spokesperson for HackerOne says the company does not restrict hackers from registering for the site, but maintains a reputation system that rewards users that accurately report bugs.)

Despite the challenges, there are some signs that both companies and policymakers are increasingly recognizing the value of researchers and easing the legal restrictions. Last month, the Librarian of Congress lifted the ban on hacking car software under the DMCA, and the Department of Commerce is pursuing a program that could allow for safe and legal vulnerability disclosures. What’s more, an increasing number of companies outside of the tech world have also adopted responsible disclosure policies that give researchers amnesty to come forward with flaws.

Since the Internet is growing up – with some 50 billion devices estimated to be connected to the Internet by 2020, including in people’s homes and on their bodies – some in the tech world think it’s time for businesses to grow up along with it, and support developing formal processes for hackers to get in touch responsibly.

“There’s a whole new wave of technology that’s being connected and exposed to a dynamic threat environment,” says Eric Wenger, Director of Cybersecurity and Privacy Policy at Cisco Systems. “Those companies are going to have to go through the same sort of maturity process, when you start to engage with security researchers and start to have security researchers inside your company.”
