Bug hunters: Big bucks paid to keep ahead of hackers

Finding a bug can mean big money from either companies or criminals

You've found it. A way in. A gap in the fence; a chink in the armour. The needle in the... stack of needles.

But now what? Do you do the good thing? Tell the owner you've rumbled their security, help them fix it and get a well-meant pat on the back?

Or do you take your new weapon out into the wild and sell it to the bad guys for thousands upon thousands of pounds?

In life, they say what you don't know can't hurt you - unless, that is, you're a major technology company with potentially costly security vulnerabilities lurking deep within your products.

It could be a piece of badly written code, or an unforeseen consequence of launching a new feature.

And so companies are increasingly going to great lengths to make sure they get details of security holes before the bad guys - and they're willing to pay serious cash for it.

Criminally minded

They're called bug bounties, and they're designed to tempt an ethically conflicted hacker away from the lure of the black market, and safely to security teams residing in tech companies the world over.

The most recent major scheme, set up by Microsoft, dwarfs those that came before it. If you can find a serious bug, and a way to fix it, $150,000 (£100,000) is yours.

"It's really about finding the hackers, who want to do the right thing, a way to make some money at the same time," says Katie Moussouris, senior security strategist at Microsoft.

She says the challenge is to bring "new and interesting ways to attract those researchers before they go to other buyers".

For the criminally minded, there are plenty of takers for their work.

"The hacking industry, the criminal hacking industry, is actually the largest criminal activity in the world," says Oliver Crofton, a security researcher whose business protects important individuals from hack attempts.

"It generates more money for criminals than any other type of drugs or arms dealing, or anything like that. It's an enormous industry."

With a few deft Google search queries, he demonstrates to the BBC quite how simple it is to find marketplaces for those who have bug vulnerabilities to sell - and that's before we delve into the dark web, anonymous browsing services such as the Tor network and others like it.

"Like any business transaction, it's a negotiation," Mr Crofton says.

"[You look at] what the benefit is to the third party that wanted to use that vulnerability to determine the price that someone wants to pay for it."

Prices being commanded today run into the "tens of thousands of dollars upwards", he says.

'Technical excitement'

One of the higher-profile bug bounty recipients of recent times was Jack Whitton, a "white hat" hacker - one of the good guys - from the UK.

How the top firms compare


There's serious cash to be made from finding faults with Microsoft products. $100,000 for spotting a flaw within Windows 8.1 -- with $50,000 on top if you can fix it.


The amount dished out by Facebook since it launched its bug bounty programme has surpassed $1m. The company says it has paid 329 people in 51 countries - with the youngest recipient being just 13 years old.


Google separates its most important services - like Gmail and Google Wallet - in their own category, with bugs found here earning the most. Here, $20,000 is the most you can earn in one sitting. If you decide to donate your bug bounty to charity, Google will match your donation.


Apple doesn't run any bug bounty schemes for any of its products - something which may have seen them left a little red-faced after a "hack" on its developers forum left it down for more than four days. A London-based Turkish hacker said he was responsible for discovering the bug - but that he actually wanted to report it to the company, not launch an attack.


The payments company offers up to $10,000 for serious flaws, but its scheme was brought into slight disrepute earlier this year when a 17-year-old hacker said he wasn't given the reward he deserved for finding a hole. Paypal, in its defence, said his bug discovery was invalid - because someone else had already got there first.

He found what one security expert described as a "gaping" hole that used a flaw in Facebook's text messaging system to expose member phone numbers.

He told Facebook, and they paid him $20,000 (£13,000).

In doing so, Mr Whitton joined the couple of hundred or so ethical hackers who have helped Facebook keep things secure. The company lists them under a "thanks" section on the website.

For many, this recognition is enough.

"There are many people out there who are motivated primarily by the technical excitement of finding something out in the security world that's previously undiscovered - like discovering a new creature or a new plant for biologists," says Richard Allan, Facebook's director of policy for Europe, Middle East and Africa.

"Of course there is another community out there who are looking to do this for malicious reasons.

"They typically don't come forward to us, but we do also have people in our security team who monitor what's going on amongst those people who perhaps have malicious intent."

Plugging the gap

Their bug bounty is there as an added thanks, he says, and not as a motivation for doing the right thing. To qualify, hackers must submit information about the vulnerability immediately. It can't be held for a ransom.

"We should be very clear that responsible disclosure, as operated by Facebook and other companies, means that the individual should disclose the vulnerability as soon as they become aware of it, without worrying about the reward. The two are disconnected.

"Responsible disclosure means, 'I'm going to tell the company affected in order for them to be able to plug the gap. If they give me a reward I'm delighted, but it's not conditional'."

But for Robert Kugler, a German teenager who has made more than £5,000 from bug bounties, the promise of money is an important component if companies such as Facebook want to show they take security seriously.

"It's not just 15 minutes of hard work. You need to spend many hours working on it to get paid," he tells the BBC.

"Bug bounties are positive. If you don't pay people you can't motivate them to spend their time finding bugs for you."
