
Hackers take on bug hunting and become tech heroes

August 4, 2016

Although a lot of unflattering virtual ink has been spent characterizing hackers, and many alarming things have been said about their skills, it is incontestable that these people are extremely gifted where IT is concerned. Turning that talent toward law-abiding activities can prove a very useful move. One of the methods companies use to put the abilities of hackers-to-be or former hackers to good use is the bug bounty program, which rewards bug hunting.

In a bug bounty deal, software companies offer financial compensation and recognition to individuals who simulate attacks on their to-be-released products and uncover flaws, vulnerabilities and bugs (and in some cases help resolve them), thus sparing the software producers bigger post-launch troubles.

The incentives in turning hackers gray

If usual hacking is black, then security researchers and hackers who report vulnerabilities to the vendor so they can be fixed qualify as white hackers, while hackers who go from being criminals to cooperating with industry developers in order to correct software flaws are considered gray hackers.

According to the classification above, the winners of bug bounty programs could very well be gray hackers as well as white hackers: the competition is generally open and the motivating factors are pretty strong.

For example, Fiat Chrysler recently launched a bug bounty program with a $1.5K payout cap, paying as much as $1,500 per bug, and this is a company that had previously been criticized for its low bounty payouts. Nevertheless, since researchers have demonstrated many times that vulnerabilities in vehicle software are extremely alarming (they have the potential to be life-threatening flaws), the value of resolving zero-day issues by such a method is extremely high. The same source mentions Tesla’s bounty values, as well as Instagram’s and Uber’s, as high as $10,000 per bug. Bug hunting can pay very well.

The rewards are usually substantial, in order to motivate the best hackers to enter these bug hunting competitions and deliver the most accurate results for the companies to build their software tuning upon. Whether the top “villains” in cyber-security enter these competitions or not is a mystery to the public, but these programs may stop others from becoming full-on cyber-criminals by offering an alternative source of revenue. In turn, tech companies get to test their products and fix their bugs before they turn into liabilities.

The abundance of bug bounty programs

Of course, not all software developers can afford significant financial rewards to draw the most relentless hackers into their programs, but there are other incentives besides money that attract participants. Competitors build their portfolio by participating in these competitions and ease their transition into gray or white hacking. Those who have already established their fame target only the most important and financially rewarding bug bounty programs, while countless others test their skills in various such competitions out of sheer interest, curiosity or simply to see themselves entering the hall of fame.

Here you can see a list of bug bounty programs, with links to the respective bug hunting pages (which unfortunately don’t all work). Nevertheless, it is an illustrative example of how many bug hunting programs are active at any moment in time.

Another big actor on the bug chasing competition market is Google, whose Vulnerability Reward Program broadened its scope in 2013 to include a selection of “high-risk free software applications and libraries”, with open submissions earning rewards ranging from $500 to $3133.70.

What does the life of a bug hunter look like?

Business Insider featured an article describing how the co-founder of the hot startup HackerOne progressed from breaking into computers to advising software vendors on the vulnerabilities in their programs and how they should address them, as well as co-founding a vulnerability coordination and bug bounty platform of his own, which prides itself on having had 25,822 bugs fixed so far. Using your skills and knowledge for the best while doing the right thing can prove extremely satisfying; at least that is what comes through in this Business Insider article.

Basically, a white or gray hacker performs an activity similar to a developer’s, except that they test the software from the enemy’s angle. They work on various projects, and companies pay bug bounty hunters once they have tracked down the bugs, flaws or vulnerabilities. The bigger the issues uncovered, the higher the rewards, since companies save quite a lot this way. Future liabilities, brand reputation, contracts and partnerships may be safeguarded in advance, so these re-purposed hackers and their activity are highly valuable when new software products launch on the market.

Therefore, the life of a bug bounty hunter can be an equally exciting and financially secure one, as long as the individuals taking on these challenges are truly passionate, willing to learn continuously, and stay connected to the communities that disseminate the competition announcements, the latest developments, and the specific information needed to keep up with the latest trends, research results and everything software-related.

Depending on which side they are on, the same persons, with the same skills and the same drive for technical knowledge, can be either software heroes or software villains. Since black hacking unfortunately still pays off (huge sums of money), turning usual hackers (criminals) into helpful gray hackers takes unusual and, in many instances, very attractive deals.