Getting Paid for Breaking Things According to the latest Software Fail Watch report released by Tricentis, companies worldwide lost $1.7 trillion due to software failures and Getting Paid for Breaking Things vulnerabilities last year. Such huge losses motivate businesses to increase spending on software testing and . Companies are augmenting their staff with professional testers and investing significant sums of money in automated testing systems.
There is one more initiative that organizations spare no expense in funding – bug bounty programs. Major high-tech corporations, including Google, Facebook and Apple, and even governments pay white hat hackers to discover vulnerabilities in their software. Let’s take a look at the history and development of this phenomenon.
History of bug bounty programs[Getting Paid for Breaking Things]
The practice of detecting loopholes in security systems emerged long before the first software was developed. In the 19th century, a British door lock manufacturer offered 200 gold guineas, which would be worth about $20,000 today, for breaking one of their products. American inventor Alfred Charles Hobbs then took up the challenge and managed to pick the lock in 25 minutes, winning the prize as promised.
More than a century later, companies’ security concerns have shifted to the digital domain. Software vulnerabilities that can be exploited by criminals have become at least as serious a problem as insecure door locks. It is believed that the first initiative in IT where enthusiasts were offered a reward for finding a vulnerability was an advertisement by Hunter & Ready. The company was developing a real-time operating system called VRTX and promised a brand new Volkswagen Beetle to anyone who could find fault with it. However, winners could optionally take home $1,000 in cash.
By the mid-1990s, there were a number of major hacker attacks and the modern IT security industry was born. At the time, the first web browsers were gaining momentum, and competition in this niche was between products from Netscape and Microsoft. 1995 shaped to be particularly fruitful for the former. The company took advantage of its leading position in the market and conducted a successful IPO (Initial Public Offering). At that point, Netscape technical support engineer Jarrett Ridlinghafer discovered that many enthusiasts were finding bugs in the browser themselves and posting the appropriate fixes online. This encouraged Jarrett to offer management to incentivize this type of activity by paying for them.
Subsequently, Netscape launched the first bug bounty program on October 10, 1995. They rewarded Netscape Navigator 2.0 beta users who found vulnerabilities in it and reported them to the company. According to some reports, Ridlinghafer’s team was given an initial budget of $50,000 for the initiative. Participants could opt for money or merchandise from the Netscape store.
Following Netscape’s move, iDefense was the first company to follow suit. In 2002, the threat intelligence company launched its own vulnerability contributor program. Payouts varied depending on the type of vulnerability found, the amount of information provided about it, and users’ agreement not to publish details of the bug in the future. Those interested could earn up to $500 for reporting a bug.
Founded by Netscape members, the Mozilla community also came up with a bug bounty program for the Firefox browser in 2004. It was funded by Mark Shuttleworth, a well-known entrepreneur, and software development company Linspire. Similar to iDefense, program participants could earn up to $500 for finding a critical vulnerability. This bug bounty is still ongoing, but the maximum rewards have increased tenfold since then. The company paid participants roughly $3 million over 14 years.
Another program called the Zero Day Initiative (ZDI) entered the IT security scene in 2005 and is still running. Its mission is to become an intermediary between the white hat hacker community and companies that need to uncover bugs in their software. Two years later, ZDI sponsored a Pwn2Own competition where white hats could attempt to exploit two MacBook Pro laptops running OS X, a platform considered more secure than competing operating systems. ZDI representatives agreed to purchase all discovered Mac OS X vulnerabilities for a fixed price of $10,000.
By the way, Apple didn’t have its own bug bounty program back then. The company rejected such tactics for almost a decade. It wasn’t until 2016 that Apple joined the growing bug bounty rush, becoming one of the last major tech companies to offer rewards for reporting vulnerabilities. However, their payouts were some of the highest, reaching up to $200,000.
Current bug bounty status
Other major technology companies began launching their initiatives to support white hat hackers in the early 2010s. From 2010 to 2017, Google spent $3 million paying out bug bounties to their participants. Much of this amount was paid for exploits discovered in Chrome and Android. Facebook paid $5 million between 2011-2016. Microsoft, Sony, GitHub, Uber and many others run similar campaigns as well. Moreover, this list is still expanding. For example, Valve Corporation has announced that they will pay for security flaws found in their code.
According to vulnerability coordination platform HackerOne, white hat hackers earn almost twice as much as software developers these days. However, bug hunting is nothing more than a hobby for many of these enthusiasts. 12% of them earn $20,000 a year and 3% earn more than $100,000. They have a huge selection of rewards from many different organizations, from the aforementioned Apple and Microsoft – to MIT and the Pentagon. Most companies pay real money, but some resort to bartering instead. For example, United Airlines provides miles for reporting errors.
Vulnerability scanning does not necessarily have to be done only at the software level. After a number of Tesla Model S vulnerabilities were reported in 2015, Elon Musk’s company increased payouts for submitting hardware bugs. Microsoft took a similar step after the Meltdown and Specter processor bugs were revealed. The corporation is willing to pay a fortune—compared to the competition—for bugs found, with sums as high as $250,000. Intel also welcomes and generously rewards the help of researchers in uncovering flaws.
Meanwhile, the abundance and availability of white hat hacking programs has given rise to a phenomenon called “bug bounties as a service”. In this regard, there are specially created bug bounty platforms available to companies such as Bugcrowd, Cobalt, Synack and HackerOne above. These platforms bring hackers together and coordinate their efforts to deploy an authorized attack on a website, app or service in exchange for a reward. HackerOne alone has earned more than $20 million in bounties over five years.
Bug bounties – wins and traps
Bug bounty programs have been proven to help companies save time and resources in finding vulnerabilities. Last year, the team behind the popular corporate messaging service Slack released a summary of their three-year collaboration with the white hats. According to the report, they paid more than $210,000 to researchers who helped make Slack more secure.
There was a rather demonstrative nuance in this story – a month before the report, one of the security researchers published details of a bug he was able to find in the messenger. The company’s employees responded to this message in 33 minutes, and it took them only five hours to fix the error. A bug bounty participant received $3,000 for this discovery.
The US Department of Defense is another customer of such platforms. HackerOne is preparing penetration tests for the Pentagon, with hundreds of vulnerabilities already found. According to former Defense Secretary Ash Carter, the Department of Defense would have spent more than $1 million if its analysts had looked for these vulnerabilities on their own. That’s a lot more than the $300,000 paid out to enthusiasts.
However, things are not as peaceful as they may seem in the bug bounty arena these days. The industry has seen conflicts over the legal issues of white hat hacking. In 2015, Synack’s chief security researcher Wesley Weinberg discovered a bug that gave him access to a huge amount of information on Instagram, including source code, SSL certificates and private keys, as well as images uploaded by users. In other words, he could use this flaw to impersonate any user or employee of the service.
Wesley reported this to Facebook, the owner of Instagram, expecting to be rewarded for his discovery. However, representatives of the social network said that he violated the terms of their bug bounty program by gaining access to the personal data of employees and users.
As a result, Weinberg was disqualified from the program. His boss, Jay Kaplan, CEO of Synack, reportedly received a call from Facebook’s chief information security officer, Alex Stamos, who said the case would go to the police if details of the vulnerability hit the headlines.
This incident raises questions of balance, ethics and control of white hacker activity. On the one hand, companies are trying to solve their security problems. On the other hand, it is important for them to keep sensitive data from their users and employees intact and thus prevent security researchers from going too far with the analysis. The US Senate recently passed a bill that would allow the Department of Homeland Security to establish its own bug bounty program. Perhaps it will contribute to the legal arrangement of the entire industry.
Moving to the future
In 2017, 94% of large public companies on the Forbes 2000 list had no channels for receiving vulnerability reports. Meanwhile, companies that have bug bounty programs regularly increase their payouts to researchers. Some platforms raise funds from investors. This means that this market is expanding and has the potential to grow further.
There are also prerequisites for automating the work of researchers. Gartner predicts that by 2020, 10% of penetration tests will be performed using machine learning algorithms, up from 0% in 2016. Growing investment in automated bug detection systems confirms this trend. Last year, Microsoft introduced its Security Risk Detection platform, which uses AI (artificial intelligence) to find vulnerabilities and report them to developers. Ubisoft has a similar tool that catches bugs in games.
These initiatives are in line with the fact that more and more organizations are integrating AI-based solutions into enterprise security systems. This tactic allows combining the benefits of bug bounty with confidentiality. Less human involvement in the process reduces the likelihood of data leakage. Therefore, in the near future we may see a redistribution of investment between real and virtual bug hunting.