White-hat cyberbug bounty nets cash

Come on, White Hats: Hack into our system, find a bug — and make it an interesting one!

This seems to be the resounding message that major online businesses are spreading.

With US spending on cybercrime security estimated to exceed $23 billion this year, according to the research company Gartner, online businesses are onto the fact that cybercrime is a very real threat.

But instead of hiring more and more full-time security researchers, sites like Google pay freelance security researchers like Ben Hayak, who earned a “whopping” $1,337 for discovering a high-severity, widespread bug. Finding other, “lesser” bugs might earn $100 to $500.

According to Facebook spokesman Frederic Wollens, “We really do have some of the best-trained, more skilled [staffed research department], but there’s always more people on the outside than the inside. You can always do a better job with more eyes on the outside.”

Businesses like Facebook, Google, Mozilla, Adobe, Microsoft and, as of June, PayPal, have developed “Bug Bounty” programs to recruit savvy security researchers like Hayak to help fight the good fight against cybercrime.

These security researchers, known as “white hats,” are benevolent hackers offered monetary rewards in return for responsibly disclosing security issues they discover in the site coding.

Ed Skoudis, founder of Counter Hack Challenges, says that there’s an “increasing sophistication of the bad guys in launching attacks. . . . The bad guys are getting better, even faster.”

Skoudis acknowledges that “some people worry that by establishing bug-bounty programs, companies are starting a bidding process for vulnerabilities that could cause real bad guys (organized crime, terrorists) to bid higher.

“But that market is there anyway,” Skoudis points out. “The bug bounty at least tries to draw a part of that market into alignment with improving security.”

While the maximum rewards are pretty hefty sums — Facebook, which has paid out $400,000 in rewards to date, said it would award a $1 million prize if a vulnerability report was worthy — the reality is that even bugs that earn white hats mere “pocket change” could have major security repercussions for users.

For example, Hayak found one that allowed him to completely hack into Gmail — and its stashes of chats, payment confirmations, passwords, business information, and the like.

For such feats, Hayak, a security researcher based in Israel, has made more than $10,000 in bounties this year and is recognized on the “Thank You” pages of Google, Facebook, Twitter, eBay, Adobe and Dropbox.

When asked what the primary motive is for freelance security researching, Hayak says, “It’s fame. You get your fame as a [white hat]. It’s a win-win situation. Everyone gets their thank you.”