Hacking for Fun and Even More Profits

Hon Lau
Published in Threat Intel
Mar 7, 2019 (8 min read)

The notion of hacking has had a colorful history. In the past, the term hacker was mainly taken to mean a person who enjoys programming and likes to quickly “hack” together code to make computers do things for fun and experimentation. Nowadays the term has become more synonymous with the idea of hacking into or gaining access to, or control of, computers and systems without permission — the latter point being key. To this day, hacking still has a bit of an image problem with many people thinking that hackers are generally criminals, which is why the typical picture of a hacker is a person in a dark hooded top and a balaclava hunched over a keyboard.

You can laugh and joke about the need for a balaclava whilst hacking at a computer but with webcams on virtually every device and the possibility of being hacked yourself, it’s a major OpSec failure not to wear one! Source Reddit.

It’s hacking Jim, but not as we know it

With the advent of bug bounty programs, a new form of ethical, bounty-backed hacking came along that has really captured the hearts and minds of hackers worldwide. Over the years this type of hacking has shown incredible growth. Talented people have always been interested in hacking, but without such reward programs in place, hackers faced few choices. They could attempt to report the issue to the organization, which was usually unprepared for such information, and struggle thanklessly through a non-existent disclosure process that may or may not have offered a reward or acknowledgement at the end. Or they could exploit it themselves, either by using it directly or by selling the information on the underground market.

Thankfully, bug bounty programs are now well established and offer hackers another, better, and hopefully more fulfilling avenue to travel.

An explosive growth industry

From humble beginnings, bug bounty as a service has grown into a serious force in the infosec and high-tech industry as a whole. Several significant players now dominate the landscape, such as BugCrowd, HackerOne, Intigriti, Zerodium, ZDI, and Open Bug Bounty.

These programs have grown massively because they work, and work very well. They provide a vital bridge between the hackers and the hacked. They coordinate and facilitate the responsible flow of highly sensitive information. They offer rewards and help to ensure that recognition is given where it is wanted. By providing these services, they address two of the biggest grievances often heard from responsible hackers: the lack of rewards and, even more importantly, the lack of respect or acknowledgment for their efforts. Another important aspect of these programs is that they clear up what was a legal gray area in the past, by establishing a clear framework within which hackers can operate, safe in the knowledge that if they stay within the terms of the program, they should be protected from legal sanctions for their activities.

How much has this industry grown over the years? A cursory glance at various annual reports by the big players like HackerOne and BugCrowd shows year-on-year growth along a number of benchmarks. These include the number of issues reported, the total rewards paid, and the number of people signing up for their programs. The 2018 State of Bug Bounty report by BugCrowd noted a 36 percent increase in total payout for issues reported, which stood at over $6 million. The more recent HackerOne 2019 report noted a total 2018 payout of over $42 million, compared with $23.5 million in 2017, showing an explosive growth.

Participant numbers are up greatly with BugCrowd reporting a 71 percent growth in members and HackerOne claiming to have over 600 sign-ups each day. Ethical hackers are undoubtedly seeing the growing attractions of this new bug economy and are eager to take part.

Tapping into the crowd.

Why the crowd?

The software development industry has changed greatly over the years. In the past, there was a running joke that end users are the people who pay organizations for the privilege of doing the real product testing for them. Modern development practices like Agile, with continuous integration and automated testing, have done a great job of weeding out potential bugs before they reach customers, but software testing and quality is an infinite problem, and no in-house team has the unlimited time and resources required to test everything before shipping. With limited time and resources, in-house teams can only do so much, and this is where crowdsourcing can really shine.

By using a bug bounty program, an organization can leverage the skills of a global pool of top talent and focus their energies on finding the security holes that the in-house teams have missed. And let’s face it, nobody’s perfect, and there are always bugs to be found in software if you dig deep enough. The beauty of these programs for organizations is that they can access a massive talent pool on a relatively low-cost basis. Ten people testing your product for security not enough? How about a hundred, or a thousand? These kinds of numbers are achievable via crowd-sourced bug bounty programs with the right kind of reward scheme.

An added benefit for organizations is that these programs do not lock them into high ongoing cost commitments like staff salaries, benefits, and employment contracts; bug bounty programs only pay out upon successful discovery and acceptance of a reported bug. It doesn’t matter how skilled the hacker is or how much time it took to discover the bug: the price of the bug is predetermined and each payout is a stand-alone transaction.

How much can hackers earn?

While learning, taking on a challenge, and recognition continue to feature highly as motivating factors for hackers, money unsurprisingly remains one of the top motivating factors for them. After all, a hacker must eat and have shelter… as well as flash sports cars, holidays, and fancy clothes.

So just how much can a hacker earn? The reward per bug can vary greatly, but generally, the more prevalent the software and the more serious the bug, the higher the payout. Serious bugs are usually the ones with the biggest potential impact; for example, a remote code execution flaw that an attacker could exploit would be a pretty serious issue due to the potential scope of damage. Serious bugs can command serious prizes: on HackerOne, many projects offer rewards in the region of $10,000 for critical bugs.

For example, last year during the launch of the EOS blockchain software by Block.one, the company ran a bug bounty program through HackerOne, and one individual known as yukichen made off with 16 rewards for critical bugs in the EOS software. These issues paid out $10,000 apiece, bringing the total haul to over $160,000. What’s even more remarkable is that many of the prizes were earned in the space of a couple of weeks. For Block.one, and the EOS blockchain project that benefited from the discovery of these issues, the payout is good value: had these bugs been discovered and used by a malicious actor, the resulting losses could potentially have been catastrophic for users.

Incredible earnings by yukichen in 2018 from the EOSIO project on HackerOne.

Democratizing security

An important feature of bug bounty programs is that they help to open up and democratize the security testing process: everyone is judged by their results, no matter where they come from, what university they went to, or how much they charge per hour in their day jobs. There are also few restrictions on who can take part. This, together with the internet, has made the activity truly global. As a result, both BugCrowd and HackerOne report participants from all over the world. In general, countries with abundant IT talent tend to feature highly, with India and the U.S. being the top source countries for participants.

Bug bounty rewards expressed as a multiple of the average engineering salary in a country are also an indicator of how attractive bug hunting is in different countries. For example, in Argentina the multiple is over 40x and in India it’s over 17x. In the U.S., the multiple is still a respectable 6.4x.

Many people who take part in this activity only do it on a part-time basis. According to the HackerOne report, 35 percent of hackers spent up to 10 hours a week bug hunting, while at BugCrowd, 66 percent of participants spent up to 10 hours per week hunting. A large proportion of participants are in full-time employment too, making this their side hustle. The implication is that they may be lacking challenges and an outlet for this potential in their workplace, or simply wish to pursue additional earnings beyond what they bring home from regular work.

The flexibility of this business model works both ways. For participants, it can open up the opportunity to go traveling, for example, and work on the go. Some may remember the images of stock traders working from the beach; well, now hackers can play that game too.

Hackers can work from the beach too, as long as they have Wi-Fi.

We’ve seen in recent years the rise of the so-called gig economy, which has had a huge impact on many service-sector businesses, such as those in delivery and transportation. The gig economy approach breaks customer/supplier transactions down to the smallest unit by offering customers and suppliers a pay-per-use economic model, cutting out overheads and costs. While the approach has been popular, it is not without its critics, especially over accusations of labor exploitation.

Where is this going?

Given the nature of the software industry and the way business is evolving, it’s hard to see these bug bounty programs going away anytime soon. Sure, security as a practice will level up over time as awareness, regulation, and education bed in, but the problem of software security vulnerabilities is unlikely ever to go away.

For that reason, bug bounty programs look more and more likely to grow in popularity and become another branch of the software quality and security assurance process. The evidence for this is the ever-growing list of organizations that take part in these programs.

For now, they seem to offer the most efficient way for organizations to tap into the international pool of security talent to help them achieve their security goals. They provide rewarding opportunities for participants globally on an equal footing, and the result is better and more secure software for everyone to use.

You want to be a hacker?

If after reading all this you want to try your hand at becoming a hacker, you can check out some of the bug bounty platforms listed here:

· BugCrowd
· HackerOne
· Intigriti
· Open Bug Bounty
· Zero Day Initiative
· Zerodium

You can also try your hand at hacking contests at virtually every security conference. A great example is the annual Pwn2Own contest taking place at the CanSecWest conference on March 20, 2019, but be warned: you will be competing with the best of the best.
