Tech & Science

The Rise of White Hat Hackers and the Bug Bounty Ecosystem

02_12_WhiteHatHackers_01
02/12/16
In the Magazine
Cybersecurity firms are turning to hackers to expose and document bugs. Gallery Stock

Updated | When Jack Whitton hacked Facebook in 2013, the company thanked him and sent him a check for $20,000.

At the time, it was the largest single “bug bounty” payout by Facebook. Facebook had invited the public to break into its website and seek out vulnerabilities that malicious hackers could exploit to attack the company or its users. Whitton got paid for finding a bug that would have let any talented hacker with a phone take over your Facebook account.

Bug bounty programs grew out of the idea that well-meaning hackers shouldn’t be punished for finding and reporting security flaws. Netscape started the first program in 1995, but bounties didn’t become a major part of the security industry until the past few years. It took so long because it hasn’t always been easy to tell the good guys (the tinkerers who explore the Web because of a genuine interest in how it works and a desire to make it a better place) from the bad guys (the criminals who want to harvest user data or blackmail companies). But a new crop of companies is trying to solve that problem by standardizing the process of reporting bugs and communicating with the vast and varied community of hackers.

HackerOne, which runs bug bounty programs for big companies like Yahoo and Twitter, started in the Netherlands, where Michiel Prins and Jobert Abma grew up playing video games together. The urge to cheat led them to tweak the code of their favorite games, and once they figured out how to do that, they started hacking each other for fun. Eventually, both ended up with careers in online security. In 2011, the two came up with a challenge for themselves: Ahead of a trip to Silicon Valley, they made a list of the top 100 tech companies and proceeded to hack them one by one. “We’d go to the website and find a vulnerability. We spent five to 15 minutes on each,” Prins says. They then approached the companies with their findings—and were shocked at how hard it was to get them to listen to potentially critical information.

“A third never got back to us. Despite our efforts, it never reached the right people. A third did get back to us—they were thankful, but it was awkward [for them] to communicate with hackers. They fixed the problem but weren't open to talking to us. As a result, we often found a way around the fix,” Prins says. The final third were “extremely open” to the bug reports. Prins says he was invited to a lot of barbecues.

Alex Rice, then the product security lead at Facebook, was one of those who welcomed the information. In fact, he was so impressed by the project that he eventually signed on to help make bug bounties more palatable to large organizations. They named the new company HackerOne as a way to take back the word hacker, which they say the media has misused as a way to describe only criminals. There is an “incredibly diverse set of people who pay homage to the [Massachusetts Institute of Technology] definition of a hacker, who is someone into the intellectual challenge. It’s academics, students, hobbyists and penetration professionals,” Rice says.

In security-world jargon, hackers are either “white hats” or “black hats”—derived from old Western movies, where you knew who the good guy was based on the color of his hat. Bounties are about creating communities of white hat hackers to keep the Web safe. Max Justicz, a junior at MIT studying computer science and electrical engineering, is a white hat. When he’s bored, he fires up his Linux computer in his dorm room and wades through the Internet, looking for bugs. “If I have a spare evening, I’ll look for bugs. It's what I do to procrastinate now.”

Justicz says the process is rarely what it looks like in movies. First, he scans through all the information being passed between parts of a Web page. He then starts tweaking that information to see if the website lets him do something it shouldn't. For instance, maybe a bank website doesn’t check an account number every time the user goes to a new page. That creates an opportunity for a black hat hacker to create software to trick the website by spoofing account numbers to give access to other people’s accounts.

Justicz says in the early days of experimenting, he contacted a company with a severe bug. The company thanked him but said it had noticed his intrusion, found out who he was and was about to contact his employer. It was a wakeup call—now he sticks to companies with clear bug disclosure policies that help ensure well-intentioned hacking is distinguished from malicious hacking. U.S. law defines hacking so generally that almost anything can be considered “unauthorized access” to a computer system and, therefore, a federal crime. Bug bounties solve this by establishing rules that, if followed, mean the company won’t press charges for poking around.

Justicz’s biggest bounty so far was $7,500 for locating a critical bug that allowed access to a password folder, and he estimates he’s already made $20,000 to $30,000 finding bugs. “I eat out more than I would have otherwise,” Justicz says of the windfall. “I'm pretty stupidly fortunate that I've come across a new industry, and I'm in the right place at the right time.” There is some real money in the white hat hacking game; as of January 20, HackerOne has brokered fixes for almost 17,000 bugs and payments of $5.84 million. That may be just a sliver of a cybersecurity industry that’s worth $75 billion, but it’s an important and growing part of the ecosystem.

Justicz often spends time working on bugs he knows have no financial payoff. “Sometimes, I just get a T-shirt,” he says. His ultimate goal isn’t dinner money but a long-term career in security. He’s well on the way, having already gotten several internships as a result of his hacking. Computer security is a career with zero percent unemployment, Rice says, so the real-world training could be invaluable. Facebook ended up hiring one of its best bug hunters, Reginaldo Silva, a Brazilian engineer who got a $33,500 payout in 2014. For other hackers, it’s about keeping their skills sharp. Even Prins says he still goes on bug hunts from time to time.

Internet security is a young field filled with young talent. When I tell HackerOne CEO Marten Mickos that I spoke to a hacker who is a junior in college, he laughs, “So you found an old one.” Mickos compares what the company does to the Boy Scouts, which helps kids channel their energy and curiosity into something productive—one hacker on his platform is a 14-year-old in the Philippines who uses the bounty program to pay his tuition.

Mickos used to be the CEO of open source software company MySQL AB. He remembers that there was once an industry-wide fear that open source (which allows anyone to make changes to a program’s core code) would give hackers more opportunities to meddle with critical functions—but it turned out that a lot of open source software is safer than proprietary software, because it has so many programmers looking for vulnerabilities. Now open source is widely accepted and even celebrated. Mickos sees a similar shift in attitude toward white hat hackers; his cybersecurity customers, he says, are “now seeing the power of openness and collaboration.”

Bug bounties may be spreading, but there’s a lot of work to be done. According to Mickos, 94 percent of the Forbes 2,000 world's biggest public companies still don’t have a way to report bugs. Mickos thinks this is irresponsible. If you create something on the Web, “the final step is you say, ‘Come and hack this.’”

Correction: A previous version of this article said that a $20,000 bug bounty was the biggest ever paid at the time. It was the biggest paid by Facebook.