
Ethical hackers in the service of business

by Arrah-Marie Jo, Researcher at IMT Atlantique, and David Massé, Researcher at the Interdisciplinary Institute of Innovation (i3-SES, UMR CNRS) and co-director of the economy-management group at Télécom Paris (IP Paris)
On March 3rd, 2021 | 4 min reading time
Key takeaways
  • Bug bounties allow companies to let "ethical" hackers (white hats) look for vulnerabilities in their computer systems and pay them if they find any.
  • The world's largest bug bounty platform, HackerOne, is used by more than 7,000 companies and has distributed more than $100 million in bounties between 2013 and May 2020.
  • The challenge for companies is also to recruit these hackers, to internalise the fight against cybercrime and spread these valuable skills within their teams.

They are a nightmare to businesses: they steal identities, paralyse organisations and break into cryptocurrency centres. Two-thirds of companies worldwide are reported to have suffered a cyberattack in 2020, representing a loss of more than USD$1 trillion, approximately 1% of global GDP [1].

To combat security vulnerabilities, companies are increasingly turning to so-called bug bounty programs. The premise is simple: companies allow hackers to explore their programs, websites or apps in search of security weaknesses, which the hackers then report. Whilst there are many advantages for companies in doing so, the primary benefit is financial. Unlike traditional cybersecurity auditing, which is expensive and must be carried out often, in a bug bounty the company only pays if a new weakness is detected.

A popular phenomenon

Platforms connecting companies and ethical hackers first cropped up at the end of 2013 and since then the market has seen rapid expansion. For instance, HackerOne, the market leader, has registered more than 7,000 companies using its services. This represents more than USD$100 million in bounties between 2013 and May 2020, and an average annual growth of 86% in the total compensation paid out by companies.

In the beginning, the use of bug bounty programs was limited to web and tech industries (Netscape, Mozilla, Google, Facebook, Microsoft), as well as companies specialised in cybersecurity. However, bug bounty programs are now used by both the private sector (United Airlines, BNP Paribas) and the public sector (the European Commission, the AntiCovid app), by companies outside the Web industry (Starbucks, Hyatt, General Motors) and by organisations more reluctant to share confidential information (defence, military). The development of bug bounty platforms shows that they have now become essential and are widely used by all kinds of organisations.

An alternative to the black market?

At first, one might think that this type of platform could divert hackers from illegal trade on the dark web. For a hacker, there might be no point in selling a security breach on the dark web when it is possible to get a bounty by reporting the vulnerability directly, and legally, to the company in question.

However, things are more complex in reality. Bug bounty programs and the dark web continue to co-exist. The motivations and activities of hackers in bug bounty programs and on the dark web seem relatively different. On the dark web, the objective is not to find a security flaw and correct it. Rather, the goal is to design a tool capable of exploiting the flaw in order to carry out malicious attacks, such as inserting malware or spyware to steal confidential data. On the contrary, for “ethical” hackers (or “white hats”) bug bounty programs are an opportunity to do good for society, whilst honing their skills towards becoming security experts [2].

A wide range of programs and tasks

Managing a bug bounty program might seem relatively standardised. However, searching for bugs can actually cover various tasks and activities. In some cases, the search for security flaws can resemble mindless work [3]: it involves a low level of expertise and is a rather routine activity. On other occasions, the work offers more freedom and requires more advanced skills, especially when the objective is to browse operating systems in search of “zero-day” vulnerabilities [4].

This is the case for the famous computer hacking contest Pwn2Own, which mainly targets web browsers, virtual machines or connected cars. Hackers are invited to take control of a system by combining several attacks. The difficulty of the task is reflected in the prize. The more critical and complex an unknown vulnerability is, and the better documented it is with recommendations for resolving it, the bigger the compensation. Google thus offers a USD$100,000 reward to the person who can demonstrate a live security breach in Chrome’s “sandbox” [5].

A platform, school and recruitment agency

For young hackers interested in cybersecurity, bug bounty programs are also an excellent way of learning on the job. The platform allows them to work on real websites and applications, in a legal manner. Both the hacker community and the platform itself play an important part in the dissemination and exchange of knowledge. The platform publishes “exemplary” reports, organises meetings between hackers, or offers online training courses to promote exchanges and learning.

The platform also acts as a showcase for hackers, who can demonstrate their talents, receive recognition and so build up a “CV” for companies. Every hacker has a profile, visible to all, showing the statistics of his/her past experience and performance level. Different incentives to encourage competition are implemented, such as award ceremonies, badges, or rankings of the best hackers [6]. It is not surprising that these platforms are also used by companies to recruit competent individuals in cybersecurity, as they are often confronted with the problem of shortages on the market [7].

For companies, in the long run, bug bounties can bring even more significant benefits than the simple outsourcing of cybersecurity work. The diversity of the hackers’ backgrounds and their external perspective are a considerable added value. However, the company must be able to quickly assimilate the acquired information to correct the vulnerabilities, and take this opportunity to develop the skills of its internal teams so as to avoid relying solely on the technical expertise of a handful of people outside the company.

Furthermore, one of the challenges is to find a common language between the company and the particular culture of hackers so that their cooperation can be as productive as possible.

Modern-day pirates or cyber-experts of tomorrow?

Bug bounty programs are both digital tools and the fertile ground for a new form of hacking. They participate in the development of future cyber-experts. Nevertheless, the development of this phenomenon raises a great deal of organisational challenges for companies, since they are not yet used to working with “the crowd”, especially on such sensitive issues as security. These platforms offer important learning opportunities for hackers but also for companies. Firms can capitalise on these exchanges to transfer knowledge and skills in the field of cybersecurity.

[1] Malekos Smith, Z., Lostri, E. & Lewis, J.A. (2020). “The Hidden Costs of Cybercrime”, Center for Strategic and International Studies (CSIS) & McAfee report, 2020.
[2] Algarni, A., & Malaiya, Y. (2014). Software vulnerability markets: Discoverers and buyers. International Journal of Computer, Information Science and Engineering, 8(3), 71–81.
[3] On “micro-work”, please read: Paola Tubaro, Antonio Casilli. Micro-work, artificial intelligence and the automotive industry. Journal of Industrial and Business Economics, Springer, 2019, pp. 1–13.
[4] Zero-day vulnerabilities are security holes with no known patch or public disclosure. This means that there exists no protection whatsoever (either temporary or definitive) against this type of unknown vulnerability.
[5] A sandbox is a security mechanism whose aim is to run an application in a closed environment to protect the operating system from a possible infection.
[6] Jo, A. (2021). Hackers’ self-selection in crowdsourced bug bounty programs. Revue d’Économie Industrielle, forthcoming.
[7] For further reading see ENISA’s report “Cybersecurity skills development in the EU”, December 2019.

Contributors

Arrah-Marie Jo

Researcher at IMT Atlantique

Arrah-Marie Jo’s research focuses on the architecture of cybersecurity markets and the economics of information security. She is particularly interested in the interactions between the different actors involved in system security and their behaviour. Arrah-Marie holds a PhD in economics from the Institut Polytechnique de Paris (Télécom Paris) and is a researcher affiliated to the “Governance and Regulation” Chair of Université Paris Dauphine. Her four years of experience in IT management in firms such as Deloitte and CGI Business Consulting allow her to complement her academic approach with more operational knowledge of the field.

David Massé

Researcher at the Interdisciplinary Institute of Innovation (i3-SES, UMR CNRS) and co-director of the economy-management group at Télécom Paris (IP Paris)

David Massé holds a doctorate from École polytechnique and worked for five years as a researcher at Ubisoft's Strategic Innovation Lab. His work focuses on innovation management and in particular: the organisation of the creative industries, the impact of digital technology on innovation processes and the different business models and action logics of the collaborative economy. He is co-author of the PiCo report which analyses the social and environmental utility of collaborative digital practices, the conditions of their diffusion and the levers of action of public authorities. He has published several articles in journals such as Research Policy, the Revue française de gestion and the International Journal of Arts Management. He acts as an expert for numerous public and private bodies (National Assembly, ministries, general councils, chambers of commerce, trade unions and various companies).
