Why companies offer a hacking bounty -- and why there are challenges

Want to make a cool $20,000? All you have to do is hack the Nintendo 3DS, a handheld console that’s been out for a few years already. A listing on HackerOne spells everything out. There’s a range for this, of course -- some discoveries will pay $100. Also, anyone who files a report must follow the exact template.

Want to make a cool $20,000?

All you have to do is hack the Nintendo 3DS, a handheld console that’s been out for a few years already. A listing on HackerOne spells everything out: Hackers will receive a cash payment for discovering a vulnerability in the system, which does let gamers make purchases and stores private information like your age and gender. There’s a range for this, of course -- some discoveries will pay $100. Also, anyone who files a report must follow the exact template.

It makes you wonder -- why would a major Japanese corporation offer a reward like this? Why is it even worth the expense, especially when you know they have internal security researchers?

Many companies, including Apple, Uber, and Yelp, regularly offer bounties. One report said Apple would pay as much as $200,000 if you find an exploit in the new iPhone. The expense is obviously worth it or the bounty programs -- and sites like HackerOne -- wouldn’t exist.


“The main advantage is that you get researchers that think like a hacker and will try to find vulnerabilities like a hacker,” says Alvaro Hoyos, the CSO at OneLogin, an identity and access management company. “This helps you identify issues that either your internal or external penetration testing teams might miss, not just because of that hacker frame of mind, but also because you have a greater quantity of researchers constantly testing your systems.”

Chris Roberts, the chief security architect at Acalvio Technologies, an endpoint protection company, says the rise of hacking bounties is due to how the community has become more organized and helpful. Sites like BugCrowd and BugSheet have made it easier for larger firms to post a bounty, accept research findings, and pay the researcher.

He tells CSO that he has been paid about $3,000 to $5,000 to find a vulnerability, although in some cases the company only gives him a warm thanks. In some cases, a bounty for his team has run as high as $25,000 to find a bug a hacker could expose.

Challenges in offering a bounty

Roberts noted that companies are not always prepared to offer a bounty or set up the bounty program. One big challenge is finding the right bounty amount to match the vulnerability.

“This can lead to some unpleasant exchanges with researchers,” he says. “You will have to properly manage the input, the responses and the findings -- even though you are now hoping that your IT security budget is lower. You will have to staff up to work through the submitted results or risk the wrath of people getting fed up not getting a response.”

In some cases, hackers will not want to be identified and may not want to work with a corporate legal team once a bug is discovered, he says. Not all researchers want to read through a complex reporting template that spells out every detail. And, if the program is not configured properly (say, without a separate test environment set aside for the researchers), real attacks might be hard to distinguish from researcher activity.


Hoyos says one potential challenge to a bounty is that it can call attention to the new service, gadget, or app. It could alert a criminal hacker that a company like Apple or Uber knows there could be a vulnerability, even if that’s not necessarily true.

“If your company lacks the resources to close out bugs being reported in a timely manner, you are, in theory, letting more and more third parties know an exploitable bug exists,” says Hoyos. “Chances that none of those third parties will disclose that bug to a malicious actor or abuse it themselves go up as more of them become aware. This of course is assuming the worst possible outcome, and knowing what you don’t know is still extremely valuable.”

Paul Innella, the CEO of TDI, a cybersecurity company, says some bounty programs go awry -- hackers discover an exploit, and instead of letting the company know and collecting the reward, they sell the discovery on the Dark Web. The bounty program has then created a new problem.

What to expect from both sides

Offering a bounty -- or being the researcher who looks for the exploits -- is also challenging because in many ways the temptation is to offer a bounty instead of hiring security professionals, running your own penetration tests, and setting up a security infrastructure.

“If you’re using this methodology because you don’t understand your corporate defenses, meaning you’re not equipped to detect attacks and act upon them, then offering a bounty is not for you,” says Innella. “Bounty programs should be used by companies with robust cyber defenses and considered a part of regimental cybersecurity testing, essentially in an outsourced capacity.”

Jumping into ethical hacking to find exploits is not something to take lightly, according to Nathan Wenzler, a security architect at AsTech Consulting. One important point he made: While there is a rise in the number of hacking bounties, there’s also a trend in offering lower amounts. Uber, for example, has paid a total of $819,085 since launching a bounty with a top range of $5,000 to $10,000, but the average is more like $750 to $1,000 per exploit.

Still, Paul Calatayud, the CTO at FireMon, a firewall management company, says finding a zero-day exploit for a large enterprise can pay much more -- into seven figures.

That’s a pretty good pay day.
