Ethical hackers in the service of business

They are a night­mare to busi­ness­es, steal iden­ti­ties, paral­yse organ­i­sa­tions and break into cryp­tocur­ren­cy cen­tres. Two-thirds of com­pa­nies world­wide are report­ed to have suf­fered a cyber­at­tack in 2020, which rep­re­sents a loss of more than USD$1 tril­lon; approx­i­mate­ly 1% of glob­al GDP ¹.

To com­bat secu­ri­ty vul­ner­a­bil­i­ties, com­pa­nies are increas­ing­ly turn­ing to so-called bug boun­ty pro­grams. The premise is sim­ple: com­pa­nies allow hack­ers to explore their pro­grams, web­sites or apps, in the search of to secu­ri­ty weak­ness­es that they report. Whilst there are many advan­tages for com­pa­nies in doing so, the pri­ma­ry ben­e­fit is finan­cial. Unlike tra­di­tion­al cyber­se­cu­ri­ty audit­ing, which is expen­sive and must be car­ried out often, in a bug boun­ty the com­pa­ny only pays up if a new weak­ness is detected. 

A pop­u­lar phenomenon

Plat­forms con­nect­ing com­pa­nies and eth­i­cal hack­ers first cropped up at the end of 2013 and since then the mar­ket has seen rapid expan­sion. For instance, HackerOne, the mar­ket leader, has reg­is­tered more than 7,000 com­pa­nies using its ser­vices. This rep­re­sents more than USD$100 mil­lion in boun­ties between 2013 and May 2020, and an aver­age annu­al growth of 86% of the total amount of com­pen­sa­tion deliv­ered by the companies.

In the begin­ning, the use of bug boun­ty pro­grams was lim­it­ed to web and tech indus­tries (Netscape, Mozil­la, Google, Face­book, Microsoft), as well as com­pa­nies spe­cialised in cyber­se­cu­ri­ty. How­ev­er, bug boun­ty pro­grams are now used by both the pri­vate sec­tor (Unit­ed Air­lines, BNP Paribas) and the pub­lic sec­tor (the Euro­pean Com­mis­sion, Anti­Covid app), in com­pa­nies out­side the Web indus­try (Star­bucks, Hyatt, Gen­er­al Motors) or oth­ers more reluc­tant to share con­fi­den­tial infor­ma­tion (defence, mil­i­tary). Devel­op­ment in bug boun­ty plat­forms shows that they have now become essen­tial and wide­ly used by all organisations.

An alter­na­tive to the black market?

At first, one might think that this type of plat­form could divert hack­ers from ille­gal trade on the dark web. For a hack­er, there might be no point in sell­ing a secu­ri­ty breach on the dark web when it is pos­si­ble to get a boun­ty by report­ing the vul­ner­a­bil­i­ty direct­ly – and legal­ly – to the com­pa­ny in question.

How­ev­er, things are more com­plex in real­i­ty. Bug boun­ty pro­grams and the dark web con­tin­ue to co-exist. The moti­va­tions and activ­i­ties of hack­ers in bug boun­ty pro­grams and the dark web seem rel­a­tive­ly dif­fer­ent. On the dark web, the objec­tive is not to find a secu­ri­ty flaw and cor­rect it. Rather the goal is to design a tool capa­ble of exploit­ing the flaw in order to car­ry out mali­cious attacks, such as insert­ing mal­ware or spy­ware to steal con­fi­den­tial data. On the con­trary, for “eth­i­cal” hack­ers (or “white-hats”) bug boun­ty pro­grams are an oppor­tu­ni­ty to per­form good deeds for soci­ety, whilst hon­ing their skills towards becom­ing secu­ri­ty experts ².

A wide range of pro­grams and tasks 

Man­ag­ing a bug boun­ty pro­gram might seem rel­a­tive­ly stan­dard­ised. How­ev­er, search­ing for bugs can actu­al­ly cov­er var­i­ous tasks and activ­i­ties. In some cas­es, the search for secu­ri­ty flaws can be sim­i­lar to mind­less work ³, it involves a low lev­el of exper­tise and a rather rou­tine activ­i­ty. On oth­er occa­sions, the work offers more free­dom, and requires more advanced skills, espe­cial­ly when the objec­tive is to browse oper­at­ing sys­tems in search of “zero-day” vul­ner­a­bil­i­ties ⁴.

This is the case for the famous com­put­er hack­ing con­test Pwn2Own, which main­ly tar­gets web browsers, vir­tu­al machines or con­nect­ed cars. Hack­ers are invit­ed to take con­trol of a sys­tem by com­bin­ing sev­er­al attacks. The dif­fi­cul­ty of the task is high­light­ed by the prize. The more an unknown vul­ner­a­bil­i­ty is crit­i­cal, com­plex and well-doc­u­ment­ed with rec­om­men­da­tions to resolve it, the big­ger the com­pen­sa­tion. Google thus offers a USD$100,000 reward to the per­son who can demon­strate a live secu­ri­ty breach in Chrome’s “sand­box” ⁵.

A plat­form, school and recruit­ment agency

For young hack­ers inter­est­ed in cyber­se­cu­ri­ty, bug boun­ty pro­grams are also an excel­lent way of learn­ing on-the-job. The plat­form allows them to work on real web­sites and appli­ca­tions, in a legal man­ner. Both the hack­er com­mu­ni­ty and the plat­form itself play an impor­tant part in the dis­sem­i­na­tion and exchange of knowl­edge. The plat­form pub­lish­es “exem­plary” reports, organ­is­es meet­ings between hack­ers, or offers online train­ing cours­es to pro­mote exchanges and learning.

The plat­form also acts as a show­case for hack­ers who can demon­strate their tal­ents, receive recog­ni­tion and so build up a “CV” for com­pa­nies. Every hack­er has a pro­file, vis­i­ble to all, show­ing the sta­tis­tics of his/her past expe­ri­ences and per­for­mance lev­el. Dif­fer­ent incen­tives to encour­age com­pe­ti­tion are imple­ment­ed, such as award cer­e­monies, badges, or rank­ings of the best hack­ers ⁶. It is not sur­pris­ing that these plat­forms are also used by com­pa­nies to recruit com­pe­tent indi­vid­u­als in cyber­se­cu­ri­ty, as they are often con­front­ed with the prob­lem of short­ages on the mar­ket ⁷.

For com­pa­nies, in the long run, bug boun­ties can bring even more sig­nif­i­cant ben­e­fits than the sim­ple out­sourc­ing of cyber­se­cu­ri­ty work. The diver­si­ty of back­grounds and their exter­nal per­spec­tive are a con­sid­er­able added val­ue. How­ev­er, the com­pa­ny must be able to quick­ly assim­i­late the acquired infor­ma­tion to cor­rect the vul­ner­a­bil­i­ties and take this oppor­tu­ni­ty to devel­op the skills of their inter­nal teams to avoid rely­ing sole­ly on the tech­ni­cal exper­tise of a hand­ful of peo­ple out­side the company.

Fur­ther­more, one of the chal­lenges is to find a com­mon lan­guage between the com­pa­ny and the par­tic­u­lar cul­ture of hack­ers so that their coop­er­a­tion can be as pro­duc­tive as possible. 

Mod­ern-day pirates or cyber-experts of tomorrow?

Bug boun­ty pro­grams are both dig­i­tal tools and the fer­tile ground for a new form of hack­ing. They par­tic­i­pate in the devel­op­ment of future cyber-experts. Nev­er­the­less, the devel­op­ment of this phe­nom­e­non rais­es a great deal of organ­i­sa­tion­al chal­lenges for com­pa­nies since they are not used to work­ing with “the crowd” yet, espe­cial­ly on such sen­si­tive issues as secu­ri­ty. These plat­forms offer impor­tant learn­ing oppor­tu­ni­ties for hack­ers but also for com­pa­nies. Firms can cap­i­talise on these exchanges to trans­fer knowl­edge and skills in the field of cybersecurity.