How to make money on other people's mistakes: History Bug Bounty

David Heinemeier Hansson, the creator of Ruby on Rails, once wrote an article titled "Software has bugs. This is normal". Throughout the history of people working with software (and not only software), bugs have been an inevitable, and sometimes expensive, companion of new and interesting solutions.
 
 
Last year, the software failures recorded in the Software Fail Watch report alone cost companies around the world $1.7 trillion. Losses like these push businesses to spend more on software testing: companies hire full-time testers and invest ever more money in automated systems.
 
 
There is another direction on which companies also do not skimp: Bug Bounty programs. Large technology corporations such as Apple, Facebook and Google, and even government organizations, pay rewards to "white hat" hackers for finding vulnerabilities in their software. Let's look at the history of this phenomenon.
 
 
 

A Brief History of Bug Bounty


 
The idea of finding vulnerabilities in security systems appeared long before the first programs were written. In the 19th century, an English company that made door locks offered 200 gold guineas (about $20 thousand at today's rate) to anyone who could pick one of its products. The American inventor Alfred Charles Hobbs accepted the challenge, completed the task in 25 minutes and received the award.
 
 
More than 100 years have passed, and the security problems that companies solve have moved into the digital space. Software vulnerabilities that ill-wishers can exploit have become no less of a problem for business than unreliable door locks.
 
 
Presumably, the first incentive program for finding vulnerabilities in IT was an advertisement by Hunter & Ready dating back to 1983. The company developed the real-time operating system VRTX and offered a Volkswagen Beetle as a reward for a bug found in it. The winner could, however, take a cash prize instead of the car: a thousand dollars.
 
 
 
 
 
By the mid-1990s, several major hacker attacks had already taken place in the world, and the modern IT security industry was beginning to take shape. The first web browsers were gaining popularity at the time, and in this niche the products of Netscape and Microsoft competed. 1995 was an especially successful year for the former: taking advantage of its leading position in the market, the company held a successful IPO. In the same year, Netscape technical support engineer Jarrett Ridlinghafer noticed that many enthusiast users were independently searching for bugs in the browser and posting fixes for them online. So Jarrett suggested that management encourage this activity and start paying monetary rewards.
 
 
And on October 1? 1995 Netscape launched the first Bug Bounty program. It paid users of the beta version of the Netscape Navigator browser who found a vulnerability in it and reported it to the company. According to some reports, Ridlinghafer was allocated an initial budget of $50 thousand. Program participants were rewarded not only with money but also with goods from the Netscape store.
 
 
The first to follow Netscape in engaging users to search for bugs was iDefense, a company working on security issues. It launched its Bug Bounty program in 2002. The amount of the reward varied depending on the type of vulnerability, the amount of information provided about it and the user's agreement not to disclose information about the bug later. One bug could thus earn up to $500.
 
 
In 200? the Mozilla community, formed by people who came from Netscape, also launched a Bug Bounty program for the Firefox browser. It was financed by the well-known businessman Mark Shuttleworth and the software company Linspire. For critical vulnerabilities found, participants could receive up to $500. This program is still running today, though the maximum reward has grown tenfold over the years. Over 14 years, its participants have been paid about $3 million.
 
 
In the same year as Mozilla, the Zero Day Initiative (ZDI) program appeared on the IT security market, and it still operates. Its creators acted as intermediaries between the "white hat" hacker community and companies that need bugs found in their software. Three years later, ZDI sponsored the Pwn2Own contest. There, hackers had to try to break into two MacBook Pro laptops, because OS X was considered more secure than competitors' products. ZDI agreed to purchase all vulnerabilities discovered in Mac OS X at a single price of $10 thousand.
 
 
Incidentally, Apple did not have its own bug-finding program at that time, and refused to start one for almost 10 years. Apple launched its Bug Bounty only in 2016, becoming one of the last major technology corporations to offer a reward for finding bugs. But the size of the reward was among the highest on the market: it reaches $200 thousand.
 
 

Bug Bounty today


 
Other major technology companies began launching their own initiatives to encourage "white hat" hackers in the early 2010s. From 2010 to 201? Google distributed $3 million to Bug Bounty participants; most of the funds were paid for exploits in Chrome and Android. Facebook paid $5 million between 2011 and 2016. Microsoft, GitHub, Uber, Sony and others have similar initiatives. The list keeps growing: this month, for example, Valve announced that it too will pay for vulnerabilities found.
 
 
"White hackers" today, according to the platform to search for bugs HackerOne, earn almost twice as many as its fellow software developers. Although for many hunters for vulnerabilities this activity is a hobby, 12% of them receive $ 20 thousand a year, and 3% - more than $ 100 thousand. On their choice are presented. programs from a variety of organizations: from the already listed Microsoft and Apple to MIT and the Pentagon. Most companies pay with money, but some - barter, for example, United Airlines awards IS researchers with miles.
 
 
Vulnerability hunting has ceased to be "purely software". After vulnerabilities were found in the Tesla Model S in 201?, Elon Musk's company raised the reward for hardware bugs. Microsoft was pushed to the same step by the recent situation with the Meltdown and Spectre processor vulnerabilities. The corporation is ready to pay what is, by this industry's standards, a lot of money for bugs found: $250 thousand. Intel is also seeking help from bug hunters.
 
 
Meanwhile, the prevalence and accessibility of hacker programs has produced a separate direction: Bug Bounty as a service. Companies can turn to specialized platforms such as the already mentioned HackerOne, as well as Bugcrowd, Synack and Cobalt. These platforms bring hackers together and direct their efforts at an authorized attack on someone's site, application or service in exchange for a reward. HackerOne alone has paid its participants $20 million over its 5 years of existence.
 
 

Bug Bounty: problems and victories


 
The security market's experience shows that Bug Bounty helps companies save time and money when searching for vulnerabilities. Last year, the team behind the corporate messenger Slack summed up the results of three years of working with hackers. It reported that during this time $210 thousand had been paid to participants who helped make Slack safer.
 
 
One episode was telling: a month before the company's report was published, an information security researcher posted information online about a bug he had found in the messenger. Specialists responded to the vulnerability report within 33 minutes, and after 5 hours the bug was fixed. The program participant received $3 thousand for his discovery.
 
 
Another example is the US Department of Defense. HackerOne organizes vulnerability tests for it, during which hundreds of bugs are found. According to former Secretary of Defense Ashton Carter (Ash Carter), such work would have cost more than $1 million if the Department had relied on its own forces. In the end, $300 thousand was paid for the bugs found.
 
 
However, the situation with Bug Bounty programs today is not as rosy as it may seem at first glance. The industry has conflicts connected with the legal issues of "white hat" hacking. In 201? Synack security expert Wesley Wineberg found a vulnerability that gave him access to a huge amount of Instagram data: source code, SSL certificates and private keys, images uploaded by users, and so on. Using this vulnerability, it was possible to impersonate any user or employee of the service.
 
 
Wesley reported his discovery to Facebook, which owns Instagram, hoping for a reward. But company representatives said that Wineberg had gone too far: he had gained access to the personal data of company employees and users of the service, and this violates the rules of the company's Bug Bounty.
 
 
For his discovery, Wineberg was expelled from the program, and his boss Jay Kaplan, CEO of Synack, received a call from Alex Stamos, Facebook's chief security officer, who threatened to contact the police if the vulnerability information was published.
 
 
This incident raises questions of balance, ethics and control over the work of "white hat" hackers. On the one hand, companies want their security problems solved; on the other, it is important to protect the confidential information of users and employees and to keep security researchers from "going too far". A bill is now under consideration in the US that would allow the US Department of Homeland Security to launch its own Bug Bounty program. Perhaps it will establish a general legal framework for the entire market.
 
 

The future of Bug Bounty


 
In 201? 94% of the largest public companies in the Forbes 2000 had no channel for reporting vulnerabilities. However, companies that do have Bug Bounty programs regularly increase payouts to participants. Meanwhile, individual platforms are attracting funds from investors. This may indicate that the market is expanding and has potential for growth.
 
 
 
 
 
There are prerequisites for automating researchers' work. Gartner predicts that by 202? 10% of penetration tests will be carried out using machine learning algorithms (compared with 0% in 2016). This trend is confirmed by investment in automated bug-hunting systems. Last year Microsoft presented a platform that uses artificial intelligence to identify vulnerabilities and report them to developers. Ubisoft has a similar solution for finding bugs in games.
 
 
This is consistent with the fact that more and more companies are introducing AI-based solutions into corporate security systems. This approach makes it possible to combine the benefits of Bug Bounty with confidentiality: the less the human factor affects the process, the lower the probability of an information leak. So in the future there may be a redistribution of funding between live and virtual "bug hunters".
 
 