The World Of Ethical Hackers And Bug Bounties
The fact that big tech companies are willing to pay big bucks in ‘bug bounties’ is one of the main reasons why becoming an ethical hacker / ethical security tester is increasingly attractive to many people with a variety of technical skills.
What Is An Ethical Hacker?
An ethical hacker / white hat hacker / ethical security tester is someone who is engaged by an organisation and given explicit (normally written) permission by that organisation to attempt to penetrate its computer systems, networks or other computing resources, in order to find and report security vulnerabilities so they can be fixed before malicious hackers have the opportunity to use those vulnerabilities as a way in. That authorisation, and an agreed scope, is what separates ethical hacking from a crime.
A person can, for example, obtain the Certified Ethical Hacker (CEH) qualification, which covers using the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner, to assess the security posture of a system. The hands-on CEH exam tests a candidate's skills in applying techniques and using penetration ('pen') testing tools to compromise various simulated systems within a virtual environment.
Ethical hackers can, for example, take part in bug bounty programmes hosted by platforms such as HackerOne, Bugcrowd or Synack on behalf of companies, work in-house or for a security consultancy, or choose to work freelance.
What Are Bug Bounties?
Bug bounties are monetary rewards offered to those who have identified errors or vulnerabilities in a computer program or system. The amount is set by the organisation running the programme and usually scales with the severity of the finding, and a reward is typically only paid for the first valid report of an in-scope issue. Companies like HackerOne, for example, offer guidance as to the amounts to set as bug bounties, e.g. anywhere from $150 to $1,000 for low severity vulnerabilities, and anywhere from $2,000 to $10,000 for critical severity vulnerabilities.
Examples of bug bounties include:
The ‘Hack The Pentagon’ three-year initiative run through HackerOne, which has so far (since 2016) paid $75,000 to those who have found software vulnerabilities in the US Department of Defense’s public-facing websites.
Google’s ongoing Vulnerability Reward Program (VRP), which offers varying rewards ranging from $100 to $31,337 depending on the type and impact of the vulnerability found.
Facebook’s Whitehat program, running since 2011, which offers a minimum reward of $500 and has paid out over $1 million so far. The largest single reward is reported to be $20,000.
Money is often not the only motivation for those involved in ethical hacking. Many are interested in the challenge of solving the problems, in getting a foothold in the industry, and in gaining recognition from their peers.
The UK has a tech skills shortage, but some schemes do exist to help the next generation of cyber-security experts gain their knowledge and skills. One example is the UK’s Cyber Discovery scheme, which had more than 25,000 schoolchildren take part in its first year. The scheme turns finding security loopholes into engaging games while getting children familiar with the tools that many cyber-security professionals use. Top performers can then attend residential courses to help them hone their skills further.
What Does This Mean For Your Business?
Ethical hackers play an important penetration testing role in ensuring that systems and networks are as secure as possible against the known methods employed by malicious hackers. It is not uncommon, particularly for large companies that are popular hacking targets, to run ongoing bug bounty programs as a way to keep testing for vulnerabilities. The rewards paid to the ethical hackers are well worth it when you consider the damage done to companies and their customers when a breach takes place. A bounty programme complements, rather than replaces, regular scoped penetration tests and internal security engineering, and it only works if the organisation is set up to triage reports and fix what is found.
Running government programs such as Cyber Discovery could, therefore, be an important way to encourage, spot and develop a home-grown army of cyber-security professionals. That is a win/win for companies wanting to improve their security, for individuals looking for careers in the cyber-security and tech industries, and for filling the skills gap in the UK.