Hello, operator, I’d like to report a bug: Why one company is offering hackers directory assistance
Before he cofounded San Francisco-based bounty broker HackerOne three years ago, Michiel Prins hunted software bugs for a living. Yet finding a way to report flaws that could leave users vulnerable to criminal hackers was always a hassle.
Only a handful of organizations actually had a formal policy for security researchers to call in tips, and those were mostly Silicon Valley tech firms, Mr. Prins says. So he would have to jump through hoops to try to tell companies about bugs — even scouring the professional networking site LinkedIn for the e-mail addresses of top executives to message them directly. “Usually we would spend more time figuring out how to contact the organization and getting the issue patched than finding the security flaw,” Prins says.
Now, Prins’s company wants to change that — and streamline the time-consuming process that friendly hackers still have to deal with when trying to report bugs.
HackerOne, one of a handful of organizations around today that helps researchers get paid for finding bugs, announced last week that it was adding directory assistance to a massive list it created this summer to allow hackers to look up security contacts at major companies. Now, if hackers find the company they want to reach has no official disclosure policy, HackerOne will reach out to that firm directly to help determine the best way to report bugs, and provide that information back to the researchers.
While creating the directory, the company’s Chief Technology Officer Alex Rice says, they found that 94 percent of the Forbes Global 2000 — the world’s largest and most powerful companies from all sectors, including the cream of the crop in finance, the auto industry, healthcare, and insurance — still do not have formal channels for white hat hackers to report flaws they find to the companies. “So if you’ve found a vulnerability that you want to make sure gets fixed, the answer is, you can’t, or you need to subject yourself to personal risk,” Mr. Rice says, such as a lawsuit.
HackerOne’s move comes as the debate over whether — and to what extent — hackers should be able to breach systems and devices with the intent of exposing security flaws is heating up nationwide.
Fear of being targeted for lawsuits is real for many hackers, whose investigations to find security flaws can require circumventing copyright protection measures, which is illegal under the Digital Millennium Copyright Act (DMCA). For instance, that is the law that allowed lawyers from IOActive, which designs the Cyberlock digital access control systems, to threaten suit against researchers who said they found vulnerabilities in the company’s software earlier this year.
IOActive is just one of several companies that have made similar warnings: In September, cybersecurity firm FireEye obtained an injunction in Germany that prevented ERNW from releasing information about flaws that ERNW says it found in FireEye’s products (FireEye ultimately patched the bug and credited the researcher). Oracle’s Chief Security Officer has also publicly complained about researchers trying to reverse engineer the company’s software.
It’s also an issue the US government is dealing with: Some worry that President Obama’s federal hacking statute, announced in this year’s State of the Union address, could broaden the Computer Fraud and Abuse Act and its penalties for hackers.
So, as Rice says, having a known intermediary such as HackerOne reach out to companies can help assuage researchers’ fears of reprisal. “The worst outcome is not knowing what the outcome is going to be,” he says. “Not knowing if finding and testing a security vulnerability because you happen to stumble upon it is going to land you in jail.”
Others think directory assistance will do little to change HackerOne’s policy of recruiting researchers off of the open Internet, which they view as irresponsible. “You’re giving the entire world an open invitation to hack their stuff,” says Jay Kaplan, chief executive officer of Synack, another vulnerability-spotting company based in Redwood City, Calif. “Researchers just need to realize that some of these organizations won’t ever feel comfortable with that.”
Synack differs from HackerOne, Kaplan says, because it operates on a proprietary platform that requires researchers to undergo strict vetting procedures before they can log on. (A spokesperson for HackerOne says the company does not restrict hackers from registering for the site, but maintains a reputation system that rewards users who accurately report bugs.)
Despite the challenges, there are some signs that companies and policymakers alike are increasingly recognizing the value of researchers and easing the legal restrictions. Last month, the Librarian of Congress lifted the ban on hacking car software under the DMCA, and the Department of Commerce is launching a program that could allow for safe and legal vulnerability disclosures. What’s more, an increasing number of companies outside of the tech world also have adopted responsible disclosure policies that give researchers amnesty to come forward with flaws.
Since the Internet is growing up — with some 50 billion devices to be connected to the Internet by 2020, including in people’s homes and on their bodies — some in the tech world think it’s time for businesses to grow up along with it, and support developing formal processes for hackers to get in touch responsibly.
“There’s a whole new wave of technology that’s being connected and exposed to a dynamic threat environment,” says Eric Wenger, Director of Cybersecurity and Privacy Policy at Cisco Systems. “Those companies are going to have to go through the same sort of maturity process, when you start to engage with security researchers and start to have security researchers inside your company.”