The rise of ‘bug bounties’: how companies are encouraging hackers to be the good guys

Forget their nefarious reputation. Many hackers are actually helping to keep us safer on and offline

Def Con, one of the world’s largest hacker conventions, took place last weekend in Las Vegas. Many of us will have a preconceived idea of the kind of people who attend such an event, and the sort of things they’d get up to. Hackers are, after all, people who attack computers and digitally trespass as a hobby, right?

While many may fall into this category, the word “hacker” is not a mere synonym for cybercriminal. Those who attend Def Con include security professionals, law enforcement agencies and representatives of multinational corporations. They all share one important interest: finding loopholes in computer security.

Corporations and governments are increasingly turning to hackers for help, with the promise of cash rewards – known as bug bounties – for their work.

At the beginning of August, the UAE National Cyber Security Council launched the first phase of a National Bug Bounty Programme, encouraging security researchers to assist in efforts to bolster the country’s cybersecurity. If hackers find and report bugs or vulnerabilities in websites, applications or systems, cash rewards may await.

The UK recently paid its first bug bounties to more than 20 hackers who reported vulnerabilities to its Ministry of Defence; Iran is aiming to launch its own scheme; while the US Department of Defence recently expanded its five-year bug bounty programme to all public-facing systems. These governments are following in the steps of the world’s biggest technology companies – Apple, Microsoft, Google – which pay millions of dollars annually to independent hackers for their expertise.

Given the huge resources at the disposal of governments and rich corporations, why would such critical work need to be outsourced to a community that is widely – if incorrectly – seen as mischievous, if not outright criminal?

“As much as you can do internally with your security team, you're always going to need someone who has a different perspective on how to approach your product security,” hacker Sam Curry tells The National. “And I don't think hackers are malicious people by default. From my perspective, it’s a win-win to open it up externally.”

This embrace of hackers and their skills, rather than ignoring or threatening them, represents a huge shift in attitudes, according to Curry.

“No one likes change. It was once considered a bad idea to let someone poke at your product who you don't know, who isn't on your payroll, whose ID you don't have and who hasn’t signed a non-disclosure agreement,” he says.

“But it’s almost like they’ve thrown in the towel, and now they’re saying yes, we admit there is a problem, and as embarrassing as it might be from a business perspective, we are open to working with these guys. Today, it seems that if you don't have a bug bounty programme then you're not serious about security.”

There would still seem to be a very thin line between hackers doing good and hackers doing bad. After all, malicious hackers and so-called “white hat” ethical hackers use the same techniques to find vulnerabilities in systems; the only difference is one of conscience.

The ethical hackers volunteer the information they’ve found in the hope of a reward, while the malicious ones use it for nefarious means. Curry believes, however, that bug bounty programmes help to encourage the community to do the right thing.

“If you’re a 20-year-old security researcher trying to exploit a database maliciously, you need to make sure you're completely anonymous and can't be tracked. Then you have to deal with the paranoia of selling that information, which people may not even buy, on sketchy internet forums. And if you're upsetting enough people, you’re probably going to get caught.”

The transparent approach is less stressful and less dangerous, and the long-term rewards are bigger for everyone.

“Bug bounties create an environment where you win the numbers game,” says Curry. “You have more hackers who are up and ready to go.”

Organisations such as HackerOne and Bugcrowd help to connect companies and governments with hackers. HackerOne has more than a million registered hackers and has paid more than $100 million in bounties since 2012. The huge sums being paid are an indication of how critical the discovery of these vulnerabilities is – and it’s reasonable to assume that the cost of fixing them is substantially less than the losses averted.

“I don’t think we come close to being paid any significant percentage of the damage [that the vulnerability] could cause a company,” says Curry. “But with thousands of companies competing for researchers, I think it’s a competitive, open market and the amounts being paid are fair.”

Could it even be a career choice? “It could, but you’d have to have a real hustler mindset and be very competitive to do it full time,” he says.

Just before the Def Con convention, Twitter announced it would seek the help of hackers by offering a bounty to improve its image-cropping algorithm, which has been criticised for favouring white faces. Putting ethics centre stage and looking to hackers for answers is an indication of how this much-maligned community has been rehabilitated.

“There are tonnes of organisations [at Def Con] interfacing with hackers and trying to best understand what motivates them,” says Curry. “And, if the incentives to be a good guy outweigh the incentives to be a bad guy, well, that's how you win.”

Updated: August 8th 2021, 10:00 AM