Bug bounty hunters track security loopholes – and get paid for it. ‘Good hackers’ thus help companies improve their IT security. However, it’s not just about the money.
Text: Andreas Heer, Images: Adobe Stock
Companies invest a significant proportion of their IT budget in security measures to protect data, applications and systems. But does this protection actually work, and how resistant is the infrastructure to cyber attacks? Security tests are an efficient way to check. With targeted and planned attacks on your own infrastructure, you can find out how secure it really is – before cyber-criminals strike.
But it’s not just the in-house security experts who can carry out these attacks. The expertise available, and thus the range of attack techniques that such penetration tests cover, can be expanded considerably when external specialists are brought in as well. This is the purpose of ‘bug bounty programmes’ – real competitions with cash prizes for the successful uncovering of security loopholes.
Of course, these attacks must be carried out within a contractually controlled framework. This both legitimises the attacks and protects participants. In addition, the company under attack will require time to close any gaps in security. The bug bounty hunters are rewarded with payments, the extent of which may depend on the work involved in the attack and the severity of the security loophole. ‘Bug bounties help us find and eliminate vulnerabilities which may still exist despite all our security measures,’ explains Florian Badertscher, who is responsible for the Swisscom bug bounty programme.
Badertscher had to dip his hand in his pocket several times last year, paying out around CHF 350,000 to participants. In return, they helped close around 400 gaps in security. It was money well spent. After all, the costs and reputational damage resulting from a successful attack by cyber-criminals could be many times higher.
But who are these bug bounty hunters, often known as ‘good hackers’ or ‘white hats’? And what motivates them to take part in such programmes? Two participants in the Swisscom Bug Bounty provide some answers. One of them doesn’t really fit the image that society has of hackers (a common observation when talking to these people). He’s an 18-year-old student from Hungary called Patrik Fábián, who arrived for the interview with short hair and a collared shirt. But appearances can be deceptive: last year he used his expertise to uncover vulnerabilities at Swisscom and earned over a third of the whole bounty sum. Naturally money is an incentive, but it’s not his entire motivation. ‘I can help companies better protect their customer data – which is becoming increasingly important.’ In addition, Fábián volunteers on open-source projects that make software more secure.
Raphaël Arrouas sees it much the same way. ‘I can help increase the security of a company. When it comes to Swisscom, this also involves our own data.’ Arrouas began his career as a professional penetration tester, but now works full-time as an independent bug bounty hunter.
Another aspect resonates for them both: the appeal of a challenge and the curiosity of finding loopholes. Or, as Fábián explains it: ‘I love finding new areas of attack that no one has taken advantage of before.’
For Fábián, uncovering security loopholes and the subsequent communication with the person responsible is his favourite part of a bug bounty programme. This exchange is key to fostering trust between participants and organisers, and thus significant for the success and acceptance of such a programme. ‘I expect those responsible to respond quickly and on equal terms,’ says Arrouas.
He also appreciates it when the material reward reflects not just the severity of the loophole but also the amount of work involved in uncovering it. And, of course, he wants to be recognised as the one who uncovered the loophole. ‘This helps to strengthen my reputation.’ Arrouas doesn’t use an alias for bug bounties. ‘Even for white hats, anonymity used to be mandatory to reduce the risks of prosecution. Today, it remains important for privacy reasons, but an important part of the community now prefers to publish articles and vulnerabilities under their real names, to convey trust and reputation.’
Penetrating external computer systems is a criminal offence. Under Article 143bis of the Swiss Criminal Code, the punishment could be up to three years in prison. So providing legal protection for bug bounty programmes is crucial in protecting participants from prosecution, as Arrouas emphasises. ‘Since Swiss regulations are so restrictive, a protection clause in the contract provides the necessary security and trust.’ Potential participants could otherwise be scared off. Most importantly, this type of clause protects the good guys, adds Arrouas: ‘Cyber criminals will try to penetrate the systems either way.’
This type of protection will also protect participants in the event of any unwanted side effects – for example, if systems crash. In any case, Arrouas is cautious when it comes to bug bounty programmes. ‘I carry out attack attempts manually rather than through automation,’ he says. ‘I wouldn’t want personal data to be accidentally leaked.’
Both Arrouas and Fábián are convinced of the benefits of such bug bounty programmes for organisers. ‘This type of crowdsourcing in IT security provides better protection and strengthens customer trust.’ A bug bounty programme is also a good sign that a company takes its IT security seriously.
Raphaël Arrouas has been involved in cyber security and hacking since his youth. During his studies, he deepened his specialist knowledge and subsequently began working as a penetration tester. He recently turned his career focus to freelance bug bounty hunting.
Fábián has been using computers since early childhood. He acquired his knowledge through online programmes and YouTube videos of proofs of concept (which demonstrate how security loopholes can be exploited) during his free time. Once he completes his education, he would like to continue working in the field of cyber security, and to start his own web security company.