Big bounty on offer for cyber experts

April 1, 2019 by Geoff Nairn

Software bugs have been with us since the dawn of the computer age and they continue to be targeted by criminal hackers seeking to breach security controls. To incentivise the discovery of bugs before the criminals do, a growing number of companies have set up “bug bounty” programmes, which pay financial rewards to users who discover serious flaws in their software.

Bug bounty programmes have existed for many years: back in 1995, Netscape launched what is considered to be the first. In recent years the number of organisations running similar programmes has grown significantly, along with the size of the bounties on offer. Bugcrowd, a firm that manages bug bounty programmes for businesses, currently lists 95 such programmes on its website.

Oath, the company that owns Yahoo, AOL and other media services, paid out $5m in bug bounties in 2018, five times more than it paid out in the previous year. Facebook has been running bug bounty programmes since 2011 and it paid out a total of $1.1m in 2018 to various bug hunters – its largest annual payout to date.

Even Google, which employs 85,000 people and some of the smartest software engineers on the planet, enlists outside help to squash bugs. Last year, Google paid a computer engineering student from Uruguay more than $36,000 for discovering a security flaw in the Google App Engine, used by developers to create and host applications in Google’s data centres.

No matter how exhaustively software companies test their products, bugs continue to emerge, creating security risks that can be exploited by hackers.

To find these vulnerabilities, software companies are increasingly turning to external bug hunters or “ethical hackers”, who are typically students or professional threat researchers.

Thinking like a hacker

The main driver behind using outsiders to hunt for bugs is that software developers are not particularly good at finding vulnerabilities in software they have developed themselves. Their expertise is in writing code that meets their customers’ functional requirements, and they do not necessarily “think like a hacker” and consider the security vulnerabilities they might be creating.

By contrast, ethical hackers are experts in penetrating websites and applications that are either misconfigured or have major underlying security weaknesses. A common technique is to input invalid data – typing non-numeric characters when a form asks for your date of birth, for example – to see if the software “traps” the error successfully or maybe does something unexpected.
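To make the “traps the error” idea concrete, here is an added example (it is not code from the article or from any of the programmes it mentions). It assumes a web form that expects a date of birth in YYYY-MM-DD form and runs a constructed set of submissions, including the non-numeric characters the article describes, through two handlers: a naive one that trusts the input shape and lets malformed data surface as an unhandled exception, and a validator that traps every bad case and returns a structured reason instead.

```python
"""Validating a date-of-birth form field: naive handler vs. hardened validator.

Added example. Assumes the field is submitted as an ISO-style YYYY-MM-DD
string; the sample submissions below are constructed for illustration.
"""
import re
from datetime import date

# Constructed sample submissions: the sort of invalid data a tester types
# into a date-of-birth field to see whether the software copes.
SAMPLE_SUBMISSIONS = [
    "1984-07-21",        # well-formed
    "21/07/1984",        # wrong separator / field order
    "abcd-ef-gh",        # non-numeric characters
    "1984-13-01",        # month out of range
    "1984-02-30",        # day that does not exist
    "2999-01-01",        # well-formed but in the future
    "",                  # empty field
    "1984-07-21; DROP",  # trailing junk after a valid date
]

DOB_PATTERN = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")
MIN_YEAR = 1900  # assumed business rule for the oldest plausible birth year


def naive_parse_dob(raw: str) -> date:
    """Naive handler: assumes three dash-separated integers.

    Any deviation raises ValueError/IndexError straight into the caller,
    which is the 'does something unexpected' outcome (a 500 page, a stack
    trace leaking internals, or a silently accepted impossible value).
    """
    parts = raw.split("-")
    return date(int(parts[0]), int(parts[1]), int(parts[2]))


def validate_dob(raw: str, today: date = None) -> tuple:
    """Hardened validator: returns (date, None) on success or (None, reason).

    It never raises for malformed input: shape is checked first with an
    anchored regex, calendar validity second, then business rules.
    """
    today = today or date.today()
    match = DOB_PATTERN.match(raw.strip())
    if not match:
        return None, "format must be YYYY-MM-DD with digits only"
    year, month, day = (int(g) for g in match.groups())
    try:
        dob = date(year, month, day)
    except ValueError:
        return None, "not a real calendar date"
    if dob > today:
        return None, "date of birth cannot be in the future"
    if year < MIN_YEAR:
        return None, f"year must be {MIN_YEAR} or later"
    return dob, None


def run_samples(today: date = date(2019, 4, 1)) -> dict:
    """Run every sample through both handlers; map input -> (naive, hardened)."""
    results = {}
    for raw in SAMPLE_SUBMISSIONS:
        try:
            naive_parse_dob(raw)
            naive_outcome = "accepted"
        except (ValueError, IndexError) as exc:
            naive_outcome = f"crashed: {type(exc).__name__}"
        value, reason = validate_dob(raw, today)
        hardened_outcome = "accepted" if value else f"rejected: {reason}"
        results[raw] = (naive_outcome, hardened_outcome)
    return results


if __name__ == "__main__":
    for raw, (naive, hardened) in run_samples().items():
        print(f"{raw!r:22} naive={naive:22} hardened={hardened}")
```

Two outcomes are worth noticing when the samples run: the naive handler crashes on the non-numeric and malformed inputs, but it also quietly accepts a birth date in the year 2999, whereas the validator rejects both classes with a reason the application can show the user and log for the defenders.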

Bug bounty programmes are on the rise because software is getting more complex and, therefore, more time-consuming to test. It is often quicker and more cost-effective to use external bounty hunters, who are only paid if they find a bug, rather than have in-house staff spend valuable time trying to find elusive bugs instead of working on further product development.

Most of the big tech companies run bug bounty programmes to supplement their own internal testing efforts for the products they develop.

Not just for tech giants

There is now a growing trend for companies that are not in the business of developing software to run bounty programmes. That’s because in the digital age, any business is vulnerable to a cyberattack, and for a small business the impact might be terminal.

This is particularly true for businesses that handle customer orders and payments online, since customer data, and in the worst case credit card details, may be accessible to a determined hacker.

Ikea, the furniture retailing giant, openly encourages ethical hackers to report vulnerabilities they find on its website. Ikea’s bug bounty programme is handled by Zerocopter, another firm that specialises in running bug bounty services for other companies.

Hotel chain Hyatt has just launched a bug bounty programme, recognising that the hotel sector has become a tempting target for hackers. Last year, rival chain Marriott had its guest reservation system hacked, potentially compromising data on about 500m customers.

Hyatt will pay ethical hackers from $300 for low-risk bugs up to $4,000 for critical flaws. As well as finding bugs on Hyatt’s main websites and mobile apps, the hotel chain will pay out if ethical hackers find hotel data on cloud storage services. But it will not pay hackers who attempt to hack the network infrastructure of its hotel properties.

Hackers who want to participate in a bug bounty programme need to tread carefully. The small print of the programme will explain which hacking activities are “in scope”, meaning they are covered by the programme and so are eligible for a possible reward, and which are not and could land an overenthusiastic ethical hacker in trouble.

Out-of-scope activities for Hyatt’s program include collecting personally identifiable information, authentication data or credit card details from hotel guests.

It is possible for successful ethical hackers to make a reasonable living from the bounties on offer, given that payouts have increased significantly in recent years. Furthermore, there is potential for hackers to be recruited permanently by companies once they have demonstrated their skills via a bug bounty programme.

Keep the bounty coming

Bug bounty programmes are an important tool in the fight against cybercrime, but organisations cannot rely on them as the sole means of ensuring the security of internet-facing applications.

Businesses need to develop software with security in mind, and they must stay vigilant and employ a variety of standard security practices, including network penetration tests and network security monitoring.
