
Modern field guide to security and privacy

Glitches to riches: The hackers who make a killing off software flaws

Selling information about software vulnerabilities was a quirky idea a decade ago. But today there's a global vulnerability marketplace where the world's top bug bounty hunters can reap handsome rewards.

Illustration by Erick Montes

A decade ago, anyone who uncovered a vital flaw in software might be rewarded with a pat on the back from their boss or a thankful e-mail from the software vendor. They'd earn bragging rights on Internet discussion boards and among their techie friends. But finding bugs rarely resulted in paydays.

Today is different. Over the past decade, a growing, global marketplace for software vulnerabilities has transformed a talent for sniffing out security holes in software from a resume bullet point into something akin to Stephen Curry's jump shot or Novak Djokovic's serve: a rare skill that commands a high price. But with everyone from software publishers to spy agencies and shadowy cyberarms dealers competing for prized vulnerabilities, experts warn that there are risks as well as rewards, for both society and the economy, in what is quickly becoming a Gold Rush for the Digital Age.

The bug kings

"It's like finding a gold nugget," says Mark Litchfield, a security researcher who has become one of the most successful and celebrated discoverers of software vulnerabilities. "Sometimes it's like finding my own gold mine."

Mr. Litchfield hit pay dirt last September when he found 48 vulnerabilities affecting a leading website (Litchfield declined to describe the nature of the security holes, citing the terms of a nondisclosure agreement).

The collection of bugs netted him more than $63,000 in payouts through the company's legitimate bug bounty program, with payments ranging from $50 for less serious holes to $15,000 each for critical and remotely exploitable vulnerabilities.

The company paid those rewards through HackerOne, one of a handful of startups with online marketplaces that connect companies in search of security talent with independent researchers in search of payouts.

HackerOne and similar sites act as middlemen, providing an easy-to-use platform for soliciting information on vulnerabilities and paying researchers for what they find, then taking a small cut. They also help foster a sense of rivalry within a research community whose members' work often keeps them isolated. But, perhaps most notably, these new bug payment platforms are helping coalesce the growing cadre of vulnerability seekers.

Litchfield is the site's top-ranked vulnerability researcher and a fitting poster boy for a fast-evolving profession. With a close-cropped, military-style haircut, he favors torn jeans and rock-n-roll T-shirts. He keeps himself well stocked with Marlboro Reds, anathema in Silicon Valley, where smoking is an express ticket to social Siberia. But Litchfield can afford to buck convention, having collected more than $300,000 in bounties through that firm since the company launched its bounty platform in 2013.

He's no newbie, either. With his brother David, Mark started Next Generation Security from their home in Surrey, England, in 2001. NGS was an early security research and consulting firm, launching at a time when independent research to find software vulnerabilities was seen as meddlesome and the tech industry viewed security consultants with deep suspicion.

Back then, the Litchfield brothers and a handful of others started to make a name for themselves by pointing out security problems in software by such giants as Oracle and Microsoft. Over time, the brothers expanded their research and developed specialized penetration testing tools to aid them in their work. Still, Mark Litchfield recalls, at the time a bug hunting business was a hard sell to the investors who could have funded it. They ended up selling the company to NCC Group in 2008 for a reported $10 million.

These days, Mark Litchfield prefers the desert of Las Vegas as his base of operations over the global business hub of London or the tech epicenter of San Francisco. It's a decision driven by practicality: Las Vegas is more affordable than either of those cities. Using Vegas as a home base also underscores Litchfield's core belief: Researchers like him are the "talent" in an industry that gives those skilled and crafty enough to sniff out the flaws in commercial technology the freedom to set their own terms.

So far, his theory is holding up. Litchfield's ability to interrogate software applications and find his way around the protections built into them has netted him hundreds of thousands of dollars in bounty payments paid by firms including Yahoo, Shopify, Dropbox, Vimeo, and PayPal. And he isn't alone.

It wasn't always so. When the Litchfield brothers first started working on vulnerability research, their efforts didn't make them many friends among tech executives. Often, they would download free or demonstration versions of software from firms like Sybase, Oracle, and IBM, then go to work breaking it.

But companies had little experience working with independent researchers and often reacted with hostility when Litchfield and his brother, David, came to them with their findings. In just one example, the database firm Sybase threatened legal action against the brothers after they reported information on dozens of exploitable holes they had discovered in the company's software in 2005.

These days, however, companies of all stripes see value in working with vulnerability researchers through company-sponsored bug bounty programs and bounty platforms. At the same time, startups such as HackerOne, Synack, and Bugcrowd have made the job of creating a bounty program easier and helped those companies navigate the peculiarities of working with the vulnerability researcher community.

The website Bugsheet lists 369 bug bounty programs hosted by companies ranging from Adobe to Zynga. Fewer than half (153) offer paid bounties, with most (including Adobe) simply rewarding researchers with public acknowledgment or swag. But that list is almost certainly too short, as it doesn't include the many lucrative private bounty programs that sites like HackerOne host.

HackerOne has 350 customers in total and hosts "hundreds of programs in invitation-only mode," according to Katie Moussouris, the chief policy officer at HackerOne. To date, the company's platform has reported more than 10,000 vulnerabilities to sponsor companies, she said.

Finding the flaws

Top bug hunters often describe an approach to finding vulnerabilities that is straightforward if not exactly regimented. "Most of my testing is manual," Litchfield says. After being invited to a bounty program and asked to assess the security of a Web property, Litchfield says he often "jumps around from place to place" within a site until he finds features that he's never seen before. That can happen even on well-established Web properties where one might think all the low-hanging fruit had been picked.

"If you look at Yahoo Mail, that's been looked at by thousands of pairs of eyes," he said. "But the code changes all the time. New features are added. So I'll go back to see what's changed."

New functionality means new code, and new code invariably means vulnerabilities, Litchfield explains. But just as often it is legacy code that is rife with exploitable holes. And for researchers working on bounty programs, holes mean money.
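The "go back and see what's changed" approach Litchfield describes can be made systematic. The following is an added example, not code from the article or from any of the researchers it profiles: it takes two saved copies of a site's client-side JavaScript (the two snapshots here are constructed, hypothetical inputs), extracts the API paths and query parameter names embedded in string literals, and reports which paths and parameters are new since the last visit. The list of "interesting" parameter names is an assumed heuristic for features worth a manual look, such as parameters that accept URLs.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed snapshots of a site's JavaScript bundle, as a bug hunter might
# save them on two separate visits. These are made-up inputs for illustration,
# not code from any real site.
SNAPSHOT_OLD = """
fetch("/api/v1/messages?folder=" + folder);
fetch("/api/v1/contacts");
$.post("/api/v1/settings/theme", {theme: t});
"""

SNAPSHOT_NEW = """
fetch("/api/v1/messages?folder=" + folder);
fetch("/api/v1/contacts?export=csv");
$.post("/api/v1/settings/theme", {theme: t});
fetch("/api/v2/attachments/preview?id=1&url=" + encodeURIComponent(u));
$.post("/api/v1/settings/forwarding", {to: addr});
"""

# A quoted string literal that starts with "/", optionally followed by a query
# string, e.g. "/api/v1/messages?folder=".
ENDPOINT_RE = re.compile(r'["\'](/[A-Za-z0-9_./-]+)(\?[^"\']*)?["\']')

# Assumed heuristic: parameter names that frequently sit behind open redirects,
# SSRF, or file-access bugs and therefore deserve a manual look first.
INTERESTING_PARAMS = {"url", "redirect", "next", "file", "path", "callback"}


def extract_endpoints(js: str) -> Dict[str, Set[str]]:
    """Map each path found in string literals to the query parameter names beside it."""
    found: Dict[str, Set[str]] = {}
    for match in ENDPOINT_RE.finditer(js):
        path, query = match.group(1), match.group(2) or ""
        params = found.setdefault(path, set())
        for part in query.lstrip("?").split("&"):
            name = part.split("=", 1)[0].strip()
            if re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
                params.add(name)
    return found


def diff_attack_surface(old_js: str, new_js: str) -> Dict[str, object]:
    """Report what changed between two snapshots: new paths, new parameters on
    known paths, removed paths, and (path, param) pairs matching the heuristic."""
    old, new = extract_endpoints(old_js), extract_endpoints(new_js)
    new_paths: List[str] = sorted(set(new) - set(old))
    new_params: Dict[str, List[str]] = {
        path: sorted(new[path] - old[path])
        for path in new
        if path in old and new[path] - old[path]
    }
    removed_paths: List[str] = sorted(set(old) - set(new))
    worth_a_look: List[Tuple[str, str]] = sorted(
        (path, param)
        for path in new_paths + list(new_params)
        for param in new[path]
        if param in INTERESTING_PARAMS
    )
    return {
        "new_paths": new_paths,
        "new_params": new_params,
        "removed_paths": removed_paths,
        "worth_a_look": worth_a_look,
    }


if __name__ == "__main__":
    report = diff_attack_surface(SNAPSHOT_OLD, SNAPSHOT_NEW)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a fresh and a previously saved copy of a site's main script bundle to get a short list of endpoints that did not exist the last time the property was tested; those are the features "never seen before" that the hunters above say they look for first.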

The new platforms are also pulling in a talented new crop of researchers and helping fund new security-focused ventures such as Detectify, an automated testing platform cofounded by Frans Rosen, a researcher based in Sweden who is a relative newcomer to the hunting game.

Mr. Rosen has quickly risen among his peers, ranking second on HackerOne's leader board and earning some $285,000 in bounties. That sum includes $150,000 in the past year alone, his best year yet. He won $25,000 for finding just one security hole during an invite-only hackathon at this year's DEF CON hacking conference in Las Vegas.

Finding pay dirt is often a matter of intuition, he said. "Sometimes you can just feel that something on this site just feels vulnerable," Rosen said. "I can't put a finger on what it is, but if you've been testing thousands of platforms, you can just feel when something feels... not good."

The fourth-highest ranked bounty hunter on HackerOne, North Carolina-based security researcher Sean "Meals" Melia, says he's earned close to $150,000 from bounties, and he only started participating in public bounty programs last December. He does it as a side project while working a full-time job.

His big paydays have been met with healthy doses of disbelief from family and loved ones. Mr. Melia said he had to hire a tax expert to make sure he's managing the tax implications of his bounty income. "Originally, I didn't expect to make more than $1,000," he said. "Now I have to talk to an accountant and get their advice."

While many top researchers are cashing in, bug hunting is inherently unpredictable and often time-consuming and taxing work. "Sometimes you can find something in less than an hour. Other times it takes a couple days. Sometimes you might binge and report 20 things in one day," says Melia. "People only develop applications with flaws," he said. "The more applications that come out, the more flaws."

He generally works on finding vulnerabilities after his day job is done, between midnight and 3 a.m. And, more often than not, those stints end in frustration. "So many people are doing the bounty programs, it's hard to find things others are not finding." What's more, he said, companies fail to respond to his vulnerability reports, or fix a specific issue but fail to appreciate a more general condition that must be addressed to really solve the problem.

One of the biggest barriers for newcomers to vulnerability research is the private bounty programs hosted on platforms such as HackerOne, Bugcrowd, and Synack. The programs are highly sought after by experienced researchers, as they greatly increase their chances of success. But they also shut the vast majority of researchers out from the richest targets, something that Mark Litchfield worries will discourage others from joining the ranks. "I know plenty of researchers who say, 'I'm not going to leave my day job until they change that.'"

He's hoping to change that through a new venture he's founded called Bug Bounty HQ, effectively a bounty startup seeded with bug bounties. The new site aims to treat researchers as the talent instead of just "the help," he said. The site will award only cash, not points, for vulnerabilities discovered in invite-only private bounty programs, helping to level the playing field between veteran and newer researchers.

Bug, bounties, and bad guys

But while the global software vulnerability marketplace may be one in which "everyone's making money," as Litchfield puts it, it is not immune to controversy. Not least among the concerns: black and grey markets for exploitable software holes that are frequented by government intelligence services, wealthy corporations, and possibly even cybercriminals.

The greater acceptance of bounty programs and the emergence of new platforms like HackerOne and Bug Bounty HQ has merely greased the wheels of commerce, connecting talent with those willing to pay for it.

But like most marketplaces, the software vulnerability market is amoral. For every company willing to pay $15,000 through a bounty program for a remotely exploitable vulnerability in a common platform, there are individuals, governments, and the middlemen who serve them who might pay five or ten times as much, no questions asked.

The contrast between those two markets came into stark relief this summer, when the US firm Zerodium offered $1 million bounties for working exploits of Apple's latest mobile operating system. The offer from the firm, which acknowledges having Western intelligence agencies among its customers, drew immediate criticism from civil rights and privacy advocates, who worried that any exploit sold to Zerodium might be used for unlawful surveillance or other ends.

But Chaouki Bekrar, Zerodium's founder, dismisses those criticisms and says that his firm's $1 million bounty is simply the going rate for a working, remote exploit of what many consider one of the world's most hack-proof operating systems, work that will likely require the discovery and linking of multiple exploits in iOS or other components.

"Existing bug bounty programs offer lower rewards which are mostly adapted for proof-of-concept exploits on which a researcher has spent a few hours or days," he wrote in an e-mail. Zerodium and other firms like it are targeting the high end of the market: weaponized exploits that are sophisticated and reliable, and that might require many weeks of work to develop, he said.

Global talent market

Despite its flaws, the vulnerability market will tend to benefit society rather than harm it, argue many experts and practitioners in the space. "The proliferation of bug bounty programs is good for security," said Moussouris of HackerOne. "This is about the globalization and democratization of security talent."

While the market isn't perfect, Moussouris said that, over time, the industry will regulate itself, determining who the best players are, what market niches exist, and what prices to pay. "It will be interesting to see how it all plays out. But you don't have a true business or marketplace if you don't have competition."

Editor's note: This story was updated after publication to correctly characterize Bug Bounty HQ's policy on awarding points to researchers who find software vulnerabilities.

/World/Passcode/2015/1030/Glitches-to-riches-The-hackers-who-make-a-killing-off-software-flaws