Bounty hacking – what you need to know about white hat rewards
Ethical hacking for the greater good – what’s it worth and why is it done? We delve into the details to uncover what it is about bounty hacking that attracts the most talented and committed white hats around.
The modern day bounty hunter paints a different picture to the cowboys and mercenaries of yesteryear. However, cash still plays a major role in the bounty business, especially when it comes to tech.
Bounty hacking, or white hat hacking, is a practice engaged by many companies as an means of finding security flaws in software. Would-be hackers and coders are offered a cash reward for uncovering flaws in systems and protocols. Depending on the company, the flaw they’re looking to uncover can vary in size and scope.
Often, the aim of the game is improving security. Even the companies considered the most secure of all are constantly on the hunt (hah) for talented hackers to expose their bugs and pitfalls. If you’re good enough at it, being a white hat could literally be your full-time, cash-money job.
Who is looking and what do they want?
Mozilla pioneered the bounty program phenomenon when they launched theirs in 2004. Google, Facebook and Microsoft also offer bounty programs, with each company’s focus differing slightly from the next.
Facebook’s bounty hunter’s guide offers detailed instructions about how they expect white hats to find, test and report a bug. Submissions are expected to describe the bug, reproduce it and then explain the impact it would have. White hat test accounts must also be made for said purpose, with a reminder in place about testing in a disruptive or malicious manner.
And how do their rewards work?
The biggest factor in our decisions about reward amounts is impact. If there is a bigger theoretical risk to people using Facebook or Facebook itself, the reward will be higher. What this means is that if you and someone else find bugs with similar severities, we will pay roughly the same amount for both issues with minor allowances given to the cleverness of the issue and clarity of the report.
As with the focus, the reward schemes of these programs differ from one to the next, with United Airways choosing to offer Award Miles as a bug bounty payment. A lot of companies choose to operate on a first come, first serve basis too. Staying with United for a moment, here’s an idea of their bug prize rankings:
The quest for bug bounties is now so popular, companies can legitimately “crowd fund” their flaws via websites such as Bugcrowd which aim to “help level the vulnerability assessment playing field”.
With their offer of a proprietary vulnerability reporting platform together with the largest crowd of security researchers on the planet, companies such as Tesla, Drupal, and Freelancer.com have all registered with the service in order to capitalise on the white hat community’s time in the limelight.
The same goes for HackerOne, also in the cybersecurity market and competitor to the likes of Bugcrowd. HackerOne’s list of clients features Yahoo, Adobe and Dropbox, and the site boasts an impressive 9,395 bugs fixed and $3.09M in bounties paid.
Making the big bucks
While flight miles and smaller cash rewards might appeal to some, there are definitely bigger fish in the hacker sea. Telegram, a cloud-based mobile and desktop messaging app, is famous for its security and encryption. It’s also known for its round of Crypto Contests, which serves one purpose: crack their secret chats.
Their most recent contest at the time of writing offered a $300,000 prize for deciphering intercepted Telegram messages. The contest description provided incredibly detailed protocols to follow, including handing over control of Telegram’s servers and bypassing basic MTProto encryption.
A bonus objective was also put in place, with a $100,000 reward, to the first person who could make their specially created bot for the contest accept a ciphertext message. This means the first person to send a message using MSG [A|B] bytes and receive the result ‘OK’, provided that that ciphertext deciphers to a plaintext that was never encrypted by the bot itself within the session.
Governments are also on the lookout for white hats to solve their cybersecurity woes and are also willing to pay big for the effort. However, while the popularity of the bounty hacking for bigger corporations is still present, nation-states are plugging into the bounty business for more sinister reasons.
Flaws and cyberweapons
ReVuln is a company that employs hackers to sell technical details of vulnerabilities to countries that want to break into the computer systems of their foreign adversaries. Located in Malta and Belize and operating worldwide, ReVuln describe the benefits of discovering flaws in systems to be beneficial for the both the “defensive and offensive side”:
We provide information and technology for our private undisclosed 0-day security vulnerabilities affecting a wide range of products: both vastly used software like web browsers and office applications for desktop and mobile, and specific products like SCADA/HMI.
We perform also on-demand research for targets not currently covered by our research and for custom software, even on-site when necessary. Our research is available on both exclusive and non-exclusive plans, depending by your needs and resources. These services are available for selected companies and governments worldwide.
The “zero-day” security vulnerabilities mentioned above derive their name from the number of days a susceptible company has to fix the issue before hackers are able to take advantage of said flaw. For governments looking to exploit these bugs, that’s a pretty amazing stat.
The tide of hackers looking to sell flaws rather than report them has forced the hand of the original bounty program companies to up their reward payouts. The sheer amount of money available in the cybersecurity market is merely the tip of the proverbial white hat iceberg.
Google and Yahoo have upped their maximum award payment to $20,000, while Facebook has no pre-determined maximum payout. Smaller programs such as GitHub‘s are offering payouts of up to $5,000.