A bug bounty is a reward paid by a company or agency to someone who identifies software vulnerabilities that the company’s or agency’s internal research teams have failed to find. Bug bounties are a bit of ethical quicksand because the lines are sometimes blurred between white hat hackers (doing their thing for the good of society) and black hat hackers (such as those furthering or participating in criminal activity).
For example, if a company contracts Hacker A and she finds a bug for which there is no present fix, and the bounty is $5,000.00, then she should report it and collect, right? However, what if she decides to float this “find” around on the open market, where she could sell it for ten times as much? While it is clear that this is almost certainly a breach of contract and illegal on the part of the hacker, the ethical issue becomes how much vetting a company can reasonably do of someone who hangs out in shadowy parts of cyberspace. What is the duty to their customers?
Another odd scenario is when a hacker finds a bug for which there is no known fix and offers to sell the information to the company or software manufacturer. Does this become a ransom of sorts, or is the hacker in the right with this behavior? This is not to be mistaken with what Uber did several years ago – calling a ransom a bug bounty after the fact. While white hat hackers have a certain ethical code, it is sometimes a moving target depending on who the software vendor is. Over the past several years, groups such as HackerOne and Bugcrowd have grown in popularity. These companies, which have a multitude of heavy-hitting software developers, government agencies, and other internet giants as clients, use a crowdsourced network of independent contractors to work with them in finding bugs. They have extensive confidentiality agreements they require the contracted hacker to sign, but as one knows, higher bidders sometimes emerge in nefarious places.
Hacking for Ukraine
Bug bounty crowdsourcing has made the news recently with a group similar to HackerOne and Bugcrowd formed in Ukraine. The group HackenProof, which was initially engaged in a mission to find flaws in Russian software, has scaled back a bit and is now focused on defending Ukrainian assets.
DHS recently expanded its pilot bug bounty program to make it more permanent. It will vet cybersecurity researchers to perform assessments of departmental systems, in the hope that a model will be created for other federal agencies. Hack DHS is occurring in three phases throughout 2022 and leverages a platform created by the agency’s Cybersecurity and Infrastructure Security Agency (CISA).
Bug bounties are a large part of cybersecurity. For dedicated and gifted hackers, they can be a way to supplement income or even serve as a primary source of it. Whether it’s joining the Ukraine cyber war effort or helping DHS identify its vulnerabilities, it’s clear that a key part of preventing cyber attacks is finding cyber vulnerabilities. Professionals with the skills to identify them are in demand everywhere. Many companies are increasingly willing to try bug bounties in an effort to attract those skilled players – and simply hope they channel their skills for good rather than evil.