These days, the term “poacher turned gamekeeper” is used to describe somebody who used to operate on the dark side of the law but has converted to working on the light side. Perhaps the most famous example is Frank Abagnale, who was portrayed in the movie “Catch Me If You Can”: once the US authorities caught up with him, he was employed to help prevent similar incidents from happening in the future. The same term may be used to describe a computer hacker getting a job protecting systems. And for the hacker willing to take a cheque from a technology company, there is a lot of money to be made. Let me put some numbers into the equation: earlier this week a Polish security research team were paid $50,000 by Google for discovering a number of holes in the App Engine cloud system via the “Vulnerability Reward Program,” also known as the “bug bounty” program. I’d liken it to a software bug bounty hunt where the cash prizes are at least partially representative of the stakes. When a bug is found, if a hacker doesn’t disclose the issue to the relevant technology company, their choice is to either try to exploit the vulnerability or sell the discovery on to those who will.
Google makes use of similar schemes: it set aside $2.71828 million for its fourth annual Pwnium (the number is the mathematical constant “e,” an important concept to understand when writing algorithms). Pwnium is a regular contest in which hackers try to break into Chrome. $150,000 of this was set aside for a hack that takes control of a Chrome OS machine after a reboot, and Google have confirmed that they did pay out the money to a hacker who accomplished this feat using an HP Chromebook 11. Furthermore, Google isn’t alone: we understand that Microsoft gave out two $100,000 prizes in 2013 and an undisclosed amount in 2014, which was at least $100,000. Prospective bug bounty hunters can use the services of businesses such as Bugcrowd, a startup that helps people locate bug bounties (and earn prizes). Bugcrowd currently lists dozens of bounty programs with prices from $1,000 to $5,000 per bug discovered.
There were many breaking stories of security flaws, involving Snapchat, iCloud, North Korea and Sony (once or twice). It’s the hacking stories that claim the headline column inches, whereas the security flaw discoveries tend to be glossed over by the media. And there’s a certain charm to knowing that systems are made safer by the very people who cut their teeth figuring out how to break into them.