What are bug bounty hunters? Imagine a globally recognized SaaS company putting out an invitation to the world for strangers to hack their websites or software. It may sound crazy, but that is exactly what some of the biggest corporate names today, such as Microsoft, Facebook and Walmart, do in order to find critical security vulnerabilities and flaws that could otherwise be exploited by malicious hackers. The people who answer the invitation are called bug bounty hunters: white hat hackers who use their hacking and cyber skills in a way that benefits organizations.
Companies such as Google post regular bounties for the discovery of vulnerabilities. For the most part these bounties come in the form of monetary rewards that normally range between $200 and $5,000. Sometimes rewards take the form of honorary mentions in some type of “hall of fame” list, or of free products. Bounties can be either set at a fixed amount or fluctuate depending upon the severity of the discovered defect. Sometimes the awards can become quite substantial. Microsoft back in 2012 awarded a Columbia University PhD student a reward of $200K, while United Airlines awarded two hunters a million miles of flight credit each.
Netscape first implemented the practice twenty-one years ago back in 1995 for the launch of the Netscape Navigator 2.0 beta versions, in which researchers were awarded cash and formal credit for the discovery of bugs. In subsequent years, a few other companies such as Mozilla implemented their own programs, but the practice never caught on until Google adopted the approach for its Chrome browser in 2010. Since then, Google has grown its program and has awarded nine million dollars to bug bounty hunters.
A typical example of a discovered flaw was illustrated in a recent discovery of a critical vulnerability in Facebook. When a Facebook account is reset, a 6-digit PIN is sent to the account member’s phone, and the user must then type in the PIN. Facebook only allows a set number of attempts to input the correct PIN and then locks the account. A security researcher named Anand Prakash found that this policy was absent on its beta site. Facebook hosts a beta version of its site (beta.facebook.com) on which new features are introduced on a trial basis. Anand found that he could take unlimited guesses there, which would eventually allow him to break into any account. After reviewing his finding, Facebook awarded him $15,000.
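To make the Facebook finding concrete, here is an added example (not code from this page or from Facebook) of a PIN-reset verifier: with an attempt limit it locks after a handful of failures, as the production site did; with `max_attempts=None` it behaves like the beta site, where the real PIN is still accepted no matter how many wrong guesses came before it. The PIN value, the limit of 5 and the 10-minute expiry are constructed for illustration.

```python
import secrets
import time


class PinResetVerifier:
    """Verify a 6-digit account-reset PIN sent to the user's phone.

    max_attempts=None reproduces the beta-site weakness described above:
    no lockout, so all 1,000,000 possible PINs remain tryable.
    """

    def __init__(self, pin, max_attempts=5, ttl_seconds=600, now=time.time):
        self.pin = pin.encode()           # constructed 6-digit value, not a real PIN
        self.max_attempts = max_attempts  # None = no lockout (the beta-site behaviour)
        self.now = now                    # injectable clock for testing
        self.expires_at = now() + ttl_seconds
        self.failures = 0
        self.locked = False

    def check(self, guess):
        """Return True only if guess matches and the PIN is still usable."""
        if self.locked or self.now() > self.expires_at:
            return False
        # constant-time comparison so timing does not leak matching digits
        if secrets.compare_digest(guess.encode(), self.pin):
            self.locked = True            # a PIN is single use
            return True
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.locked = True            # hardened path: lock after N failures
        return False


def real_pin_accepted_after_failures(max_attempts, wrong_guesses=20):
    """Is the genuine PIN still accepted after `wrong_guesses` failed attempts?

    True for the unlimited (beta-site) policy, False once a limit is enforced.
    """
    verifier = PinResetVerifier("483920", max_attempts=max_attempts)
    for i in range(wrong_guesses):
        verifier.check(f"{i:06d}")        # constructed wrong guesses 000000..000019
    return verifier.check("483920")


if __name__ == "__main__":
    print("limit of 5 :", real_pin_accepted_after_failures(5))     # False
    print("no limit   :", real_pin_accepted_after_failures(None))  # True
```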
The premise behind bug bounties is simple. Every web application has bugs of some type, and eventually they will be exposed. Better to have them found by an ethical hacker than by a person with malevolent intentions. While large companies could attempt this process in house, through bug bounty invitations they can draw on far more professionals than they could ever hire. They also obtain a broad range of backgrounds and skill sets. The more eyes that are scanning, the better the results. Bug bounty hunters are also often more in tune with the latest hacking techniques and tools.
There are also very big financial benefits for companies that issue bug bounties. Paying a few thousand dollars for the discovery of a critical vulnerability can be far cheaper than enduring the many costs associated with the aftermath of a data breach. However, it’s not just the matter of evading the PR damage and possible litigation costs of a breach that makes bug bounty programs so popular. The traditional method of conducting a vulnerability analysis is a penetration test conducted by a third party cybersecurity firm. These tests are performed according to a formal contract, usually based on an hourly fee. Although it is certainly good news if a test confirms a clean bill of health or, at worst, finds only one or two vulnerabilities, the customer is charged the same regardless of whether a single minor flaw is found or a litany of critical vulnerabilities. Using bug bounties, the company only pays for flaws, period.
In 2016, the US Department of Defense announced a bug bounty program for a thirty-day period. Participants in the program had to pass a stringent background check and sign a number of legal documents pertaining to proper protocol. In the end, 250 researchers were involved, and they cumulatively found 138 flaws within the DOD cyber infrastructure, for which the total payout was just over $150K. Considering that a formal penetration test of that magnitude would have cost upwards of a million dollars, the DOD certainly got its money’s worth.
Implementing a bug bounty program is not for everyone. Only the largest of enterprises have the internal resources to devote to these types of endeavors and run them effectively. Obviously, there is a risk when working with strangers throughout the world who may be participating in a program for malicious reasons. It also takes a great deal of experience to separate signal from noise, as companies can be inundated with submissions from amateur hackers looking for a quick payout. For this reason, many companies hire third party bug bounty companies that specialize in running these types of programs, know how to vet participants, and can cut through the noise to get to the real findings as efficiently as possible. Some of these companies are generating millions of dollars in bounties that they then distribute.
A growing number of companies encourage researchers to dissect their software to find cracks in the armor. That means a lot more vulnerabilities are discovered and fixed, and users are more secure as a result.