The tech titans offering millions in rewards for users who hunt bugs

Matthew Field

Updated Sun, Mar 4, 2018, 1:00 AM

In 2013, an unusual post appeared on Mark Zuckerberg’s Facebook page. It was from a user called Khalil Shreateh.

“Dear Mark Zuckerberg,” Shreateh wrote, “Sorry for breaking your privacy, I had no other choice to make after all the reports I sent to Facebook.”

Shreateh, a security researcher from Palestine, had discovered a critical bug in Facebook’s software that allowed anyone to post directly on to any user’s wall. After he was ignored by the company’s security team, he took the direct approach to demonstrating the bug – hacking Mark Zuckerberg’s own page. While the incident showed the difficulties of getting cyber reporting right, Facebook has since become something of a pioneer in the growing field of “bug bounty” programmes.

Bug bounties pay freelance hackers to find flaws in software, and the potential rewards are only increasing.

High-profile hacks

Although some industries remain suspicious of so-called “white hat” hackers, bug bounties offer a way for companies to reward freelancers, review their research and deal with the problem safely. Inside companies there is a growing realisation that thinking like an attacker is the best defence against a real hack, and many are becoming more open to inviting them to test their systems.

“In some cases, researchers were running up against a brick wall trying to do the right thing,” says James Chappell, chief technology officer of UK cybersecurity company Digital Shadows, “a bug bounty programme takes the guesswork out.”

Bug bounties are almost as old as the internet itself and can be traced to Netscape in 1995. At Netscape, engineers proposed to executives the “Netscape Bugs Bounty Programme”, offering to reward the small army of Netscape fans publicly posting repairs and recommendations to fix problems with its browser.

But only recently have tech giants started budgeting millions of dollars to pay to be hacked. Facebook received 12,000 submissions from researchers in 2017, paying out $880,000 (£640,000). The company has now paid out a total of $6.3m to hackers since it started its programme in 2011.

Mark Zuckerberg - Credit: STEPHEN LAM — Facebook, which is run by Mark Zuckerberg, received 12,000 submissions from researchers in 2017, paying out $880,000 (£640,000) Credit: STEPHEN LAM

The average reward also increased, growing to $1,900 from $1,675. While this is nothing to the company it is no small change to a freelancer, and it can help avoid embarrassing bugs that the in-house team might miss.

Google has also expanded its bug bounty programme significantly. Both Google and Facebook are unusually open about the work of their hacking community, in a world where many data breaches are hastily covered up.

Google has paid out $12m in rewards to hackers since 2010, paying $2.7m in 2017. Its biggest reward in 2017 was $112,500 to someone who exploited its Pixel smartphone. Following the recent Spectre and Meltdown bugs in its chips, Intel too has upped its top rewards to $250,000.

“Organisations that have good bug bounty programmes have benefited immensely,” says Jérôme Segura, lead analyst at MalwareBytes. “But touchy issues remain around the bounty itself – what is considered in scope and the time vendors require before public disclosure.”

The system is not without its flaws, as shown by the Zuckerberg profile hack. Several companies have been criticised for their paltry rewards for major vulnerability finds, others for their slow or non-existent responses. In one case, a white hat hacker published a fake game, called “Watch Paint Dry”, on to the front page of video game marketplace Steam after its security team repeatedly ignored his warnings about a flaw.

Apple only launched a bug bounty programme in 2016. But so valuable are bugs in its high-security software, with several secretive private companies offering up to $1.5m for a high-level attack, that some in the hacking community have suggested that Apple’s own payments, which range from $25,000 to $200,000 are simply not high enough.

Uber - Credit: WILL OLIVER — Uber has run into issues with its bug bounty after a cyber leak revealed the details of 57m customers Credit: WILL OLIVER

Uber has run into issues with its bug bounty after a cyber leak revealed the details of 57m customers. The breach was attributed to a bug bounty hunter, which executives tried to hush up with a $100,000 payment while hiding the issue from regulators.

It is only in the last five years or so that bug bounties have grown beyond a loose freelance community. An increasing number of well-funded start-ups are focusing solely on the bug bounty market. Start-ups like HackerOne and BugCrowd have raised tens of millions of dollars in venture funding.

It is a small market, but with a handful of start-ups vying to harness the hacker community, it is unlikely to stay that way, according to Mårten Mickos, chief executive of HackerOne. “In the grand scheme of things it is still relatively small,” Mickos says. “But given the benefits of hacker-powered security, the market is likely to keep growing. We believe the only way to stop a criminal hacker is with an ethical hacker.”

With firms willing to lift payments to get a team of the best hackers to test their systems, there is more money than ever available to bounty hunters. “Data breaches are expensive,” says Troy Hunt, a security researcher at Microsoft. “Organisations are simply getting better at realising the actual value of bugs.”

Terms

and

Your Privacy Choices

Utah Privacy Notice

News

Life

Entertainment

Finance

Sports

New on Yahoo

Yahoo Finance

The tech titans offering millions in rewards for users who hunt bugs

Recommended Stories