TUESDAY, MAR 14, 2017 09:00 AM PDT
Internet security expert Justin Calmus explains why bug bounty programs are so important
As the world around us becomes more connected to the internet, the ways in which hackers can infiltrate our lives keep multiplying. Today data breaches are taking place in ways that were unheard of just a decade ago, from remotely hacking cars to infiltrating “smart” teddy bears.
The threats have grown so quickly that companies are overwhelmed by the rising number of attacks, security experts say. This is not only because there are more opportunities to infiltrate a network or device, but also because attacks are increasingly automated and launched from cheap computer hardware with open-source tools that require relatively little coding skill to deploy. Defending against such attacks, by contrast, can require well-paid and highly trained experts.
“We believe that cybersecurity is a correctable math problem that, at present, overwhelmingly favors the attackers,” Ryan M Gillis, vice president of cybersecurity strategy for enterprise security company Palo Alto Networks, said at a House Homeland Security Committee meeting last week about protecting the private sector from hacking. “Network defenders are simply losing the economics of the cybersecurity challenge.”
One increasingly popular way for a company or government agency to root out vulnerabilities is a bug bounty program, a policy that invites outside hackers to try to break into its systems and report what they find. Hackers receive financial compensation for identifying weaknesses that could otherwise be exploited for malicious purposes. The idea has been around since at least 1995, when internet browser pioneer Netscape initiated its “bugs bounty” program with a $50,000 budget. Today such programs are common among major companies, including United Airlines and Tesla Motors, and can be lucrative for the most talented hackers, who can earn anywhere from $10 to tens of thousands of dollars depending on the severity of the vulnerability identified.
Last week Google and Microsoft increased their top rewards for people who can expose the most serious flaws, such as those that let an attacker remotely inject and execute code on a target system. This underscores the growing popularity of bounty programs as companies compete for the attention of the most talented ethical hackers. Apple, which had long resisted paying people for identifying flaws, succumbed to the trend last year and now offers bounties of as much as $200,000.
Justin Calmus, vice president of hacker success for San Francisco-based HackerOne, which has a bug-bounty platform whose clients include the U.S. State Department, Uber Technologies and General Motors, spoke with Salon about the role bug bounties play in boosting network security.
Bug bounties have been around for about 20 years. Talk about the most recent innovations in the practice and where it might be headed.
I’ll start with the problem first. If we go back 15 years, companies would be able to recruit engineers because they were focused on specific technologies. You would have a few issues from most likely Python, [a high-level general-purpose programming language,] and you would have a website and some people who knew HTML, [the standard language for building websites]. Today we have so many different programming languages and we have different infrastructure components, like running in the cloud versus on premise, we have [Amazon Web Services, a widely used cloud-computing platform] and we have all these different operations.
The problem of security is getting bigger and bigger. How do you control your security? If you run a startup, how do you control your security as you build your business? That’s an even harder problem to solve because you don’t necessarily have the funding to hire tons of security resources. You have to figure out “How do I continue to stay secure while I scale?” That’s one of the problems bug bounties solve for.
For the most part, if you have a company, and it could be any company, you tell hackers, “Hey, I want you to do anything it takes to get access to our data and report it to us.” If you do that, you then have thousands of eyes looking into your specific programs to help you scale and help you secure your business.
Are there hackers that just do this as full-time jobs?
Yeah, we have a gentleman in Vegas that does this full-time, making a half a million dollars a year doing this. You can make a significant income from bug bounties. It’s a fantastic way to make extra income and to potentially go full-time.
Google and Microsoft recently announced big increases in their bug bounty rewards. Why do you think bug bounties are becoming more lucrative?
Imagine if Salon.com is trying to recruit the best reporter in the world, but that reporter must have specific knowledge about security — and it also wants a little bit of software engineering background because the reporter needs to talk technical, and it wants the reporter to be located in this area, and the reporter must be willing to travel. Suddenly you’re moving your needle so small that there might be three people in the world who fit the criteria.
Google is starting to have this problem. They’ve developed a lot of their own tools and they’ve developed their own [programming] language. It’s not easy to find a Google bug because there isn’t external training on what Google does, how they do it, all the different types of infrastructure. There are pretty good resources to figure this out, but to go deep on such a massive problem you need to spend hours and days and months getting to know the infrastructure to find a bug. So to dedicate all of your time and resources into Google you need to be very incentivized to look because at the end of the day you might not find anything.
We’re entering an era of the internet of things [that] connects cars, smart cities, toys with Wi-Fi connections. Are bug bounties being implemented for things like this?
We’re getting to the point to where the [makers of] hardware and the internet of things components are starting to be asked those very questions. As a hacker myself, I want to see them participate in bug bounty programs because I use Alexa, I use some of the apps connected to [the internet of things] and it’s my job to understand how the software and hardware that I buy works. Doing due diligence and being able to reverse engineer to take a look deep into a product, you may find issues and vulnerabilities; some of them may even give you access to other customers’ data. Companies need to be able to responsibly disclose all of that. For hackers to put in the time and effort to find some of these vulnerabilities — it would be fantastic if companies would reward the hackers so that they continue looking into their programs.
We’ve read a lot about how automakers are encouraging white hat hackers to root out these vulnerabilities. But is this happening with other makers of internet-connected products, like internet-connected home appliances or “smart” teddy bears?
It’s absolutely a slow roll. The tech companies get it. They have to deal with security issues day in and day out. The hardware companies don’t necessarily understand it as much as they need to. It’s a problem we’re solving for. We do have some hardware companies on board. We do have internet of things [companies] on board. But we do need to get the word out that security is a fundamental piece of everybody’s life. You need to be able to understand the security outcomes of making life more efficient or easier or whatever it may be. So do I think that we need to spread the word? Absolutely. Do I think they get it yet? Not 100 percent.
The Information Technology and Innovation Foundation recently said that a significant number of federal government websites failed basic security benchmarks. Is the federal government falling behind in this effort to entice ethical hackers?
The Department of Defense has a bug bounty program and we’re starting to see efforts to secure all of our government services. Just speaking to higher-ups on the government side I hear them talking about “Hey, we need to find these hackers and reward them and incentivize them, see what we can do to have them continue to look at our programs and even eventually hire them.” The U.S. has its own hiring criteria, but the [Defense Department] is open to anybody today, not just U.S. citizens looking to work for them.
HackerOne recently announced a platform for the open-source coding community, which is free. What inspired you to go in that direction?
We’re absolutely huge open-source fans. Open source powers our platform. It powers many platforms. We see the mission as making the entire internet safer and making sure that everyone is taken care of. We’re better off doing that for all of the open-source projects out there. We want to make sure we’re on top of that. This also helps us branch out to the best hackers out there. We’re able to leverage our ability to find vulnerabilities [in open-source software] while we’re getting more connected to the hacker community.