In an age of digital insecurity, paying bug bounties becomes the norm
Las Vegas
Twenty-nine floors above the Las Vegas strip in an MGM Grand suite, more than 30 hackers furiously hunted for security flaws in the payroll software company Zenefits' corporate networks.
It's an attractive target. On the digital black market, criminals would pay handsomely for the company's database of customers' personal and financial information.
But these hackers weren't after that kind of data. Instead, they hunted for flaws in Zenefits' software to help bolster the company's networks against prying thieves.
"If I had just one awesome hacker in my company that would make me really happy," said Justin Calmus, Zenefits' chief information officer. "Instead, I have all these people."
At last week's hacker conferences Black Hat and DEF CON, the company hosted a contest for people to win as much as $125,000 in prizes for uncovering digital doorways that could let malicious hackers into their systems. For eight hours, they examined code while listening to rap music and pounding energy drinks.
While so-called bug bounty programs were rarities just a few years ago, they have recently proliferated among tech firms, carmakers, big banks, and even at the Pentagon as effective ways to find and fix security vulnerabilities. In perhaps the biggest boost for bug bounty programs yet, Apple announced last week that it would begin paying independent researchers as much as $200,000 if they find serious vulnerabilities in the company's products.
"Bug bounty programs are exploding," said Chris Wysopal, chief technology officer at the cybersecurity company Veracode. "It's completely legitimate now. And why wouldn't it be? People are going to hack your stuff anyway."
As bounty programs have proliferated, firms such as HackerOne and Bugcrowd have emerged as conduits between corporations and the security research community. For the Zenefits bug bounty hackathon, HackerOne helped corral hackers from as far away as Argentina and Morocco.
HackerOne also set up hackathons for Snapchat and Panasonic during the Vegas cons, but spokesperson Lauren Koszarek declined to say how much those companies actually paid their hacker volunteers, other than to say more than six figures was paid out in bounties across all three nights, because the results are still being finalized.
Still, it's clear bug bounty hunting is an increasingly lucrative business for those involved.
"I've probably made $8,000 since I started looking for bugs a year ago," said one hacker who asked to be identified by his internet handle ZephrFish.
The 20-something hacker has a day job in the cybersecurity industry and like many of his peers at the MGM Grand hackathon moonlights as a bug bounty hunter. His biggest bounty so far: a $2,500 flaw on an adult website that could have exposed the personal information on all the site's users.
Another hacker who identified himself only as estimated he'd earned $65,000 since he started hacking nine years ago at age 15. "I've never had a real job. It's just fun breaking people's stuff," he said.
Bug bounty firms such as HackerOne and Bugcrowd serve as something of a buffer, and also as translators, between the sometimes rebellious hacker community and corporations.
"We're getting two groups together that historically don't like each other," said Bugcrowd founder Casey Ellis. "We just need to make sure hackers aren't scaring people who are taught to be scared of them."
For many industries, there's a moment when they realize they're more vulnerable than they realized, Mr. Ellis said. That moment came for automakers last year after security researchers showed they could remotely take over a Jeep Cherokee, he said. Now, Bugcrowd counts Fiat Chrysler and Tesla Motors among its clients.
To remain successful, bug bounty firms must inspire trust among their corporate clients by ensuring hackers honor nondisclosure agreements and by preventing researchers from going public with their findings before the companies can fix their systems.
"If you're a bad guy you would never sign up for this because the only way to get a reward is by doing the right thing," said Marten Mickos, chief executive officer of HackerOne. Still, he said, "for companies, it's just a shift in mindset."