Are we prepared for a cyberpandemic?

Ethical hackers in the service of business

by Arrah-Marie Jo, Researcher at IMT Atlantique, and David Massé, Researcher at the Interdisciplinary Institute of Innovation (i3-SES, UMR CNRS) and co-director of the economy-management group at Télécom Paris (IP Paris)
March 3rd, 2021
4 min reading time
Key takeaways
  • Bug bounties allow companies to let "ethical" hackers (white hats) look for vulnerabilities in their computer systems and pay them if they find any.
  • The world's largest bug bounty platform, HackerOne, is used by more than 7,000 companies, and more than $100 million in bounties were distributed through it between 2013 and May 2020.
  • The challenge for companies is also to recruit these hackers, to internalise the fight against cybercrime and spread these valuable skills within their teams.

They are a nightmare for businesses: they steal identities, paralyse organisations and break into cryptocurrency centres. Two-thirds of companies worldwide are reported to have suffered a cyberattack in 2020, representing a loss of more than USD$1 trillion, approximately 1% of global GDP [1].

To combat security vulnerabilities, companies are increasingly turning to so-called bug bounty programs. The premise is simple: companies allow hackers to explore their programs, websites or apps in search of security weaknesses, which the hackers then report. Whilst there are many advantages for companies in doing so, the primary benefit is financial. Unlike traditional cybersecurity auditing, which is expensive and must be carried out often, in a bug bounty the company only pays if a new weakness is detected.

A popular phenomenon

Platforms connecting companies and ethical hackers first cropped up at the end of 2013, and since then the market has seen rapid expansion. For instance, HackerOne, the market leader, has registered more than 7,000 companies using its services. This represents more than USD$100 million in bounties between 2013 and May 2020, and an average annual growth of 86% in the total amount of compensation paid out by the companies.

In the beginning, the use of bug bounty programs was limited to web and tech industries (Netscape, Mozilla, Google, Facebook, Microsoft), as well as companies specialised in cybersecurity. However, bug bounty programs are now used by both the private sector (United Airlines, BNP Paribas) and the public sector (the European Commission, the AntiCovid app), by companies outside the Web industry (Starbucks, Hyatt, General Motors) and by others more reluctant to share confidential information (defence, military). The development of bug bounty platforms shows that they have now become essential and are widely used by organisations of all kinds.

An alternative to the black market?

At first, one might think that this type of platform could divert hackers from illegal trade on the dark web. For a hacker, there might be no point in selling a security breach on the dark web when it is possible to get a bounty by reporting the vulnerability directly – and legally – to the company in question.

However, things are more complex in reality. Bug bounty programs and the dark web continue to co-exist. The motivations and activities of hackers in bug bounty programs and on the dark web seem relatively different. On the dark web, the objective is not to find a security flaw and correct it. Rather, the goal is to design a tool capable of exploiting the flaw in order to carry out malicious attacks, such as inserting malware or spyware to steal confidential data. By contrast, for “ethical” hackers (or “white hats”) bug bounty programs are an opportunity to perform good deeds for society, whilst honing their skills towards becoming security experts [2].

A wide range of programs and tasks

Managing a bug bounty program might seem relatively standardised. However, searching for bugs can actually cover various tasks and activities. In some cases, the search for security flaws can resemble mindless work [3]: it involves a low level of expertise and a rather routine activity. On other occasions, the work offers more freedom and requires more advanced skills, especially when the objective is to probe operating systems in search of “zero-day” vulnerabilities [4].

This is the case for the famous computer hacking contest Pwn2Own, which mainly targets web browsers, virtual machines or connected cars. Hackers are invited to take control of a system by chaining several attacks. The difficulty of the task is reflected in the prize: the more critical, complex and well-documented (with recommendations to resolve it) an unknown vulnerability is, the bigger the compensation. Google thus offers a USD$100,000 reward to the person who can demonstrate a live security breach in Chrome’s “sandbox” [5].

A platform, school and recruitment agency

For young hackers interested in cybersecurity, bug bounty programs are also an excellent way of learning on the job. The platform allows them to work on real websites and applications, in a legal manner. Both the hacker community and the platform itself play an important part in the dissemination and exchange of knowledge. The platform publishes “exemplary” reports, organises meetings between hackers, and offers online training courses to promote exchanges and learning.

The platform also acts as a showcase for hackers, who can demonstrate their talents, receive recognition and so build up a “CV” for companies. Every hacker has a profile, visible to all, showing the statistics of his/her past experience and performance level. Different incentives to encourage competition are implemented, such as award ceremonies, badges, or rankings of the best hackers [6]. It is not surprising that these platforms are also used by companies to recruit competent individuals in cybersecurity, as they are often confronted with shortages on the labour market [7].

For companies, in the long run, bug bounties can bring even more significant benefits than the simple outsourcing of cybersecurity work. The hackers’ diversity of backgrounds and their external perspective are a considerable added value. However, the company must be able to quickly assimilate the information acquired in order to correct the vulnerabilities, and take this opportunity to develop the skills of its internal teams so as to avoid relying solely on the technical expertise of a handful of people outside the company.

Furthermore, one of the challenges is to find a common language between the company and the particular culture of hackers so that their cooperation can be as productive as possible.

Modern-day pirates or cyber-experts of tomorrow?

Bug bounty programs are both digital tools and fertile ground for a new form of hacking. They contribute to the development of future cyber-experts. Nevertheless, the development of this phenomenon raises a great many organisational challenges for companies, since they are not yet used to working with “the crowd”, especially on such sensitive issues as security. These platforms offer important learning opportunities for hackers but also for companies. Firms can capitalise on these exchanges to transfer knowledge and skills in the field of cybersecurity.

[1] Malekos Smith, Z., Lostri, E. & Lewis, J.A. (2020). “The Hidden Costs of Cybercrime”. Center for Strategic and International Studies (CSIS) & McAfee report, 2020.
[2] Algarni, A., & Malaiya, Y. (2014). Software vulnerability markets: Discoverers and buyers. International Journal of Computer, Information Science and Engineering, 8(3), 71–81.
[3] On “micro-work”, see: Tubaro, P. & Casilli, A. (2019). Micro-work, artificial intelligence and the automotive industry. Journal of Industrial and Business Economics, Springer, pp. 1–13.
[4] Zero-day vulnerabilities are security holes for which no patch or publication yet exists. This means that there is no protection whatsoever (either temporary or definitive) against this type of unknown vulnerability.
[5] A sandbox is a security mechanism that runs an application in a closed environment to protect the operating system from possible infection.
[6] Jo, A. (2021). Hackers’ self-selection in crowdsourced bug bounty programs. Revue d’Économie Industrielle, forthcoming.
[7] For further reading, see ENISA’s report “Cybersecurity skills development in the EU”, December 2019.

Contributors

Arrah-Marie Jo

Researcher at IMT Atlantique

Arrah-Marie Jo’s research focuses on the architecture of cybersecurity markets and the economics of information security. She is particularly interested in the interactions between the different actors involved in system security and their behaviour. Arrah-Marie holds a PhD in economics from the Institut Polytechnique de Paris (Télécom Paris) and is a researcher affiliated to the “Governance and Regulation” Chair of Université Paris Dauphine. Her four years of experience in IT management in firms such as Deloitte and CGI Business Consulting allow her to complement her academic approach with a more operational knowledge of the field.

David Massé

Researcher at the Interdisciplinary Institute of Innovation (i3-SES, UMR CNRS) and co-director of the economy-management group at Télécom Paris (IP Paris)

David Massé holds a doctorate from École polytechnique and worked for five years as a researcher at Ubisoft's Strategic Innovation Lab. His work focuses on innovation management and in particular: the organisation of the creative industries, the impact of digital technology on innovation processes and the different business models and action logics of the collaborative economy. He is co-author of the PiCo report which analyses the social and environmental utility of collaborative digital practices, the conditions of their diffusion and the levers of action of public authorities. He has published several articles in journals such as Research Policy, the Revue française de gestion and the International Journal of Arts Management. He acts as an expert for numerous public and private bodies (National Assembly, ministries, general councils, chambers of commerce, trade unions and various companies).
