Modern field guide to security and privacy

In an age of digital insecurity, paying bug bounties becomes the norm

From Apple to Airbnb, companies are increasingly turning to outside hackers to find – and eventually fix – their software security vulnerabilities.

Ann Hermes/The Christian Science Monitor
More than 30 people participated in a hackathon organized by the cybersecurity firm HackerOne during the DEF CON hacker conference in Las Vegas.

Twenty-nine floors above the Las Vegas strip in an MGM Grand suite, more than 30 hackers furiously hunted for security flaws in the payroll software company Zenefits' corporate networks.

It's an attractive target. On the digital black market, criminals would pay handsomely for the company's database of customers' personal and financial information. 

But these hackers weren't after that kind of data. Instead, they hunted for flaws in Zenefits' software to help bolster the company's networks against prying thieves.

"If I had just one awesome hacker in my company that would make me really happy," said Justin Calmus, Zenefits' chief information officer. "Instead, I have all these people."

At last week's hacker conferences Black Hat and DEF CON, the company hosted a contest for people to win as much as $125,000 in prizes for uncovering digital doorways that could let malicious hackers into their systems. For eight hours, they examined code while listening to rap music and pounding energy drinks.

While so-called bug bounty programs were rarities just a few years ago, they have recently proliferated among tech firms, carmakers, big banks, and even at the Pentagon as effective ways to find and fix security vulnerabilities. In perhaps the biggest boost for bug bounty programs yet, Apple announced last week that it would begin paying independent researchers as much as $200,000 if they find serious vulnerabilities in the company's products.

"Bug bounty programs are exploding," said Chris Wysopal, chief technology officer at the cybersecurity company Veracode. "It's completely legitimate now. And why wouldn't it be? People are going to hack your stuff anyway."

As bounty programs have proliferated, firms such as HackerOne and Bugcrowd have emerged as conduits between corporations and the security research community. For the Zenefits bug bounty hackathon, HackerOne helped corral hackers from as far away as Argentina and Morocco. 

HackerOne also set up hackathons for Snapchat and Panasonic during the Vegas cons, but spokesperson Lauren Koszarek declined to say how much those companies actually paid their hacker volunteers because the results are still being finalized, other than to say that more than six figures was paid out in bounties across all three nights.

Still, it's clear bug bounty hunting is an increasingly lucrative business for those involved. 

"I’ve probably made $8,000 since I started looking for bugs a year ago," said one hacker who asked to be identified by his internet handle ZephrFish.

The 20-something hacker has a day job in the cybersecurity industry and like many of his peers at the MGM Grand hackathon moonlights as a bug bounty hunter. His biggest bounty so far: a $2,500 flaw on an adult website that could have exposed the personal information on all the site's users.

Ann Hermes/The Christian Science Monitor
The Zenefits hackathon in Las Vegas drew more than 30 contestants hoping to win as much as $125,000 in prizes for uncovering digital flaws in the company's software.

Another hacker who identified himself only as zseano estimated he'd earned $65,000 since he started hacking nine years ago at age 15. "I've never had a real job. It's just fun breaking people's stuff," he said.

Bug bounty firms such as HackerOne and Bugcrowd serve as something of a buffer – and also as translators – between the sometimes rebellious hacker community and corporations.

"We’re getting two groups together that historically don’t like each other," said Bugcrowd founder Casey Ellis. "We just need to make sure hackers aren’t scaring people who are taught to be scared of them."

For many industries, there's a moment when they realize they're more vulnerable than they thought, Mr. Ellis said. That moment came for automakers last year after security researchers demonstrated to a Wired magazine reporter that they could remotely take over a Jeep Cherokee, he said. Now, Bugcrowd counts Fiat Chrysler and Tesla Motors among its clients.

To remain successful, bug bounty firms must inspire trust among their corporate clients by ensuring hackers honor nondisclosure agreements and by preventing researchers from going public with their findings before the companies can fix their systems.

"If you're a bad guy you would never sign up for this because the only way to get a reward is by doing the right thing," said Marten Mickos, chief executive officer of HackerOne. Still, he said, "for companies, it's just a shift in mindset."
