Bug bounty programs and white hat hackers
In a bid to keep their systems and data safer, big Silicon Valley technology companies like Facebook, Google and Microsoft are encouraging people to hack them. That may sound counterintuitive, but bug bounty programs ensure that if there are any faults or flaws in a system, they are found by someone with strictly good intentions. Well… good intentions and bills to pay.
It’s a profitable enterprise. As long as the company has an established ‘bug bounty program’ that effectively makes it legal for them to be hacked, white hat hackers can search for bugs, notify the company and be rewarded not just with the sense of self-worth that comes with doing a good deed, but financially as well. Depending on the severity of the flaw uncovered, reward money for the good Samaritans can range anywhere from $500 to $100,000.
System flaws that could lead to data breaches or leaks may be rewarded with a high five-figure sum, but even something as comparatively insignificant as a bug that allowed Instagram comments to be deleted remotely earned a ten-year-old Finnish boy a $10,000 reward cheque from Facebook.
The boy, who is the youngest ever to receive a reward from Facebook’s bug bounty program, has always had an interest in coding and computers, and uncovered the bug whilst checking to see whether Instagram comments could handle harmful scripts – which they couldn’t. Well, not until the boy emailed Facebook informing them of the bug. They quickly patched it, and sent him his $10,000 reward.
That’s a hefty fee – especially for a ten-year-old – but the logic is that the reward money is insignificant compared to the amount of damage a hacker with more nefarious intentions than the young Finn could cause by exploiting the same bug. Since 2011 Facebook has paid out over $4.3m to white hat hackers who find and point out bugs in its systems and products.
It’s also an encouragement for skilled hackers to use their talents for good, and to be rewarded for it. Of course there are some groups who hack simply to cause a nuisance, but the prospect of a legitimate financial reward goes a long way towards persuading a hacker not to sell the information on the black market.
Before bug bounty programs were introduced there wasn’t much of an incentive to seek out these bugs. A hacker who informed the company of a vulnerability might get a gift voucher or a shout-out in the patch notes, but anyone who wanted to make financial gain from their discovery would have to turn to darker, illegal markets.
These bug bounty programs are set up to benefit both parties. The company is alerted to a fault it was previously unaware of, and the hacker gets a pay-out for providing the information. White hat hacking is only legal if the company has an established and advertised bug bounty program in place. The vast majority of companies (including Fasthosts) do not operate these types of programs, and hacking into a company’s private data is illegal under UK law.