Bug hunters: Big bucks paid to keep ahead of hackers

By Dave Lee and Lucy Hooker
BBC News

[Image caption: Finding a bug can mean big money from either companies or criminals]

You've found it. A way in. A gap in the fence; a chink in the armour. The needle in the... stack of needles.

But now what? Do you do the good thing? Tell the owner you've rumbled their security, help them fix it and get a well-meant pat on the back?

Or do you take your new weapon out into the wild and sell it to the bad guys for thousands upon thousands of pounds?

In life, they say what you don't know can't hurt you - unless, that is, you're a major technology company with potentially costly security vulnerabilities lurking deep within your products.

It could be a piece of badly written code, or an unforeseen consequence of launching a new feature.

And so companies are increasingly going to great lengths to make sure they get details of security holes before the bad guys - and they're willing to pay serious cash for it.

Criminally minded

They're called bug bounties, and they're designed to tempt an ethically conflicted hacker away from the lure of the black market, and safely to security teams residing in tech companies the world over.

The most recent major scheme, set up by Microsoft, dwarfs those that came before it. If you can find a serious bug, and a way to fix it, $150,000 (£100,000) is yours.

"It's really about finding the hackers, who want to do the right thing, a way to make some money at the same time," says Katie Moussouris, senior security strategist at Microsoft.

She says the challenge is to bring "new and interesting ways to attract those researchers before they go to other buyers".

For the criminally minded, there are plenty of takers for their work.

"The hacking industry, the criminal hacking industry, is actually the largest criminal activity in the world," says Oliver Crofton, a security researcher whose business protects important individuals from hack attempts.

"It generates more money for criminals than any other type of drugs or arms dealing, or anything like that. It's an enormous industry."

With a few deft Google search queries, he demonstrates to the BBC quite how simple it is to find marketplaces for those who have bug vulnerabilities to sell - and that's before we delve into the dark web, anonymous browsing services such as the Tor network and others like it.

"Like any business transaction, it's a negotiation," Mr Crofton says.

"[You look at] what the benefit is to the third party that wanted to use that vulnerability to determine the price that someone wants to pay for it."

Prices being commanded today run into the "tens of thousands of dollars upwards", he says.

'Technical excitement'

One of the higher-profile bug bounty recipients of recent times was Jack Whitton, a "white hat" hacker - one of the good guys - from the UK.

He found what one security expert described as a "gaping" hole that used a flaw in Facebook's text messaging system to expose member phone numbers.

He told Facebook, and they paid him $20,000 (£13,000).

In doing so, Mr Whitton joined the couple of hundred or so ethical hackers who have helped Facebook keep things secure. The company lists them under a "thanks" section on the website.

For many, this recognition is enough.

"There are many people out there who are motivated primarily by the technical excitement of finding something out in the security world that's previously undiscovered - like discovering a new creature or a new plant for biologists," says Richard Allan, Facebook's director of policy for Europe, Middle East and Africa.

"Of course there is another community out there who are looking to do this for malicious reasons.

"They typically don't come forward to us, but we do also have people in our security team who monitor what's going on amongst those people who perhaps have malicious intent."

Plugging the gap

Their bug bounty is there as an added thanks, he says, and not as a motivation for doing the right thing. To qualify, hackers must submit information about the vulnerability immediately. It can't be held for a ransom.

"We should be very clear that responsible disclosure, as operated by Facebook and other companies, means that the individual should disclose the vulnerability as soon as they become aware of it, without worrying about the reward. The two are disconnected.

"Responsible disclosure means, 'I'm going to tell the company affected in order for them to be able to plug the gap. If they give me a reward I'm delighted, but it's not conditional'."

But for Robert Kugler, a German teenager who has made more than £5,000 from bug bounties, the promise of money is an important component if companies such as Facebook want to show they take security seriously.

"It's not just 15 minutes of hard work. You need to spend many hours working on it to get paid," he tells the BBC.

"Bug bounties are positive. If you don't pay people you can't motivate them to spend their time finding bugs for you."
