
Bug hunting: the rise of the ethical hacker in search of big bounties
As HackerOne reaches the milestone of $100m paid out in bug bounties, EGR delves into the potentially lucrative world of ethical hacking and hears how Kindred Group and Sky Bet use their bug bounty programmes to pinpoint and repair vulnerabilities

Just before last Christmas, Apple opened its bug bounty programme to all security researchers – or ethical/white hat hackers – with rewards totalling an eye-popping $1m for those able to uncover major vulnerabilities in its operating systems, including iOS, macOS and watchOS. The Cupertino, California-based tech titan revealed that bypassing a device’s lock screen could result in a pay-out of between $25,000 and $100,000, while extracting sensitive data from a locked device – a so-called ‘zero click’ hack – could net between $100,000 and $250,000. Furthermore, a 50% bonus payment was up for grabs for anyone who discovered a flaw in beta mode.
Four months later, in April 2020, Forbes reported how former Amazon Web Services (AWS) engineer Ryan Pickren partially hit the jackpot with a $75,000 ‘prize’ for discovering seven vulnerabilities in Apple’s Safari browser, three of which enabled him to hijack an iPhone’s camera and microphone. Apple subsequently patched the minor vulnerabilities, fixed the more critical camera/microphone exploit and paid Pickren his five-figure score, his first-ever bounty from the Nasdaq-listed company. “A bug like this shows why users should never feel totally confident that their camera is secure,” he told Forbes.
Get with the programme
All the big tech companies, including the likes of Microsoft, Facebook, Twitter, Intel, Uber, Netflix and Google, have bug bounty programmes. In fact, Google revealed in January that its Vulnerability Rewards Program awarded $6.5m in bounties in 2019, doubling the sum the company previously paid out in a single year. The biggest single reward was $210,000, while Google has shelled out more than $21m in rewards since 2010. Indeed, bug bounty programmes are nothing new (Netscape offered cash for defects found in its Navigator 2.0 browser way back in 1995), yet the money on offer has swelled exponentially in recent years in parallel with the rise of mobile devices and the emergence of the Internet of Things (IoT).
Google’s top prize for a full chain remote code execution exploit relating to the Titan M secure element on Pixel devices is now $1m. Anyone who achieves this exploit on a specific developer preview version of Android receives a 50% bonus, taking the potential haul to a whopping $1.5m. A second trend is that companies are increasingly opening up their private bug bounty programmes to everyone, from seasoned security professionals to bedroom hackers. Indeed, Apple’s programme was private from its launch in 2016 until it was opened up to the general public six months ago, at which point Pickren put his curiosity and hacking skills to work.
In the world of online gambling, Kindred Group, which is behind brands like Unibet, Maria Casino and 32Red, performed a similar move by opening its programme in February after more than two years behind closed doors. Starting life in November 2017 with 20-30 security researchers, the initial aim was for the perfect amount of scope, or ‘lagom scope’ (lagom means ‘just the right amount’ in Swedish), for bug bounty researchers by focusing on Unibet.com and its subdomains. Six days after the private programme’s launch, the first valid finding was submitted.
The programme went on to receive 140 valid reports and expand its scope by 1,300% by including more Kindred brands and native apps. Bounty pay-outs rose 70% and the number of invitees eventually swelled to over 800. “The end goal has always been to go public because we will then get more people with more skills,” Jacob Mattsson, the company’s cybersecurity team lead, tells EGR on a phone call from Stockholm. “Everyone has their unique way of finding vulnerabilities and their own methodologies. So, it is about getting as much knowledge and expertise as possible, and that is what you get with a public programme. You will always be a little bit limited with a private one.”

Jacob Mattsson, Kindred
Can you hack it?
The two main hacking platforms that act as middlemen between organisations and ethical hackers are HackerOne and Bugcrowd, although the former is the market leader and most well-known in the industry. Founded in 2012 by two Dutch programmers, the San Francisco-headquartered platform reached the milestone in May of $100m paid out to ethical hackers to date. Almost $40m of that $100m was awarded in 2019 alone, underlining the rewards that still can be achieved from this activity.
Today, there are 750,000 registered users on the platform (84 new hackers sign up every hour), while more than 170,000 valid vulnerability reports in nearly 2,000 customer programmes have been identified to date. When Kindred went public four months ago on HackerOne, the four-person team in Stockholm who handle the programme initially experienced a rush in tickets into the platform’s triage service (there have been almost 240 in the last 90 days at the time of writing). But that is to be expected when a programme is opened up, Mattsson insists.
Discussing the process of how reports are handled, he says: “HackerOne will perform an initial triage and make sure it is a valid finding and once it has been validated, HackerOne will forward the report to us. When we get the report, we know it is a valid finding and something we need to take action on, so we then create our own internal tickets and grade it for the correct severity – if it is a medium security vulnerability it should be prioritised in that way. It is then placed with the team who will need to fix it.”
The majority of the reports lodged with HackerOne’s triage services for Kindred fall into two main categories: either a bug inadvertently introduced to the code by the company’s developers or an underlying issue that hasn’t been patched. However, the whole process so far has been an eye-opening experience. “Some of the people who are reporting these are really clever and have found ways that you didn’t even imagine an application would work in,” Mattsson says. “A lot of them have been head-scratchers and hard to understand why it is happening. It’s been a lot of fun receiving these reports.”
Blue-sky thinking
Sky Betting & Gaming (SBG) launched its own bug bounty programme back in 2016. However, the Flutter-owned operator has deliberately chosen to keep it private ever since, working instead with a small pool of carefully vetted researchers and undertaking its own triage rather than relying on a third-party platform. SBG is also quite unusual in the way its own employees are allowed to apply to join the programme, although they can’t receive bounties on services they have previously worked on. They must also carry out research in their own time.
Furthermore, certain aspects of the business are off-limits to all researchers, such as anything that may impact negatively on other customers’ experience or privacy, while the programme only accepts reports on vulnerabilities using the public internet. SBG’s deputy CISO, Greg Knell, says: “Given we have multiple layers of mitigation, and we only accept vulnerabilities that can be exploited from the public internet, this means the vast majority of findings we get are bugs like cross-site scripting [XSS] where the researcher had managed to find a new avoidance technique for our upstream stream protection. It’s very rare we get reports much deeper into our platform.”
SBG’s bug bounties range from $200 to around $2,000 depending on the severity of the vulnerability (SBG worked with leading ethical hackers on a publicly disclosed formula that offers greater rewards for higher-risk issues). Plus, bug hunters are paid at the triage stage rather than after a bug is fixed, as most programmes do. On the decision to allow staff to partake, Knell continues: “Welcoming select staff to join the programme has meant that some people with access to things like source code and design documents have been able to do ingenious attacks that make use of multiple flaws, that only when combined have resulted in an exploitable vulnerability and gained them our maximum pay-out of a single vulnerability [around $2,000] a few times.”

Sky Betting & Gaming launched its own bug bounty programme back in 2016
For the Yorkshire-based firm’s security vulnerability manager, Glenn Pegden, a bug bounty programme provides an additional, and cost-effective, safety net. “If you have a mature software development lifecycle [SDLC] with some strong controls around it, backed up with multiple layers of protection, then a bug bounty ends up being a very cost effective way of gaining extra pairs of eyes for those obscure things that somehow slipped past code reviews, SAST and DAST tooling, vulnerability scans and penetration tests as well as your web app firewalls and filters, especially as you don’t pay for the time spent where the researcher is unsuccessful.”
However, he offers these words of caution: “Without that mature SDLC and strong controls you inevitably end up not fixing the underlying issues – be that developer knowledge, missing tooling or unsuitable technology – so you end up paying out time and time again for the same types of low-hanging fruit. With bounty hunters heading more towards automation, it can become a very expensive game of whack-a-mole if every hole you pay to find out about is replaced by two new ones.”
Rich pickings
SBG’s programme boasts one of the security research community’s leading lights in the shape of Tom Hudson, AKA TomNomNom, from Bradford. In fact, Hudson cut his hacking teeth on SBG’s programme and in the space of a few years has gone from a software architect who never previously considered taking part in a bug bounty programme to being flown all over the world to attend HackerOne’s private hackathons. He also has a loyal following on social media, including his own YouTube channel, and his instructional videos and some of his tools have become standard in the industry. “We’ve seen how somebody with the right mindset can really make it in this industry,” Knell says.
For those at the upper echelons of the ethical hacking scene – the Lionel Messis and Cristiano Ronaldos of the sphere, if you like – the rewards can be life-changing. The first bug bounty millionaire was 19-year-old Santiago Lopez, a self-taught hacker from Argentina who was inspired as a kid by the 1995 film Hackers and only earned his first bounty ($40) in 2016 when he was just 16. And last year, HackerOne announced five others on its platform had joined Lopez in the seven-figure club: a Brit, a Swede, an American and a Hong Kong national. By the end of May 2020, 13 more had hit $500,000 in lifetime earnings and 146 hackers had pocketed $100,000, up from 50 last year.
“I would say [ethical hacking] has exploded in the past three or four years and we are up to seven or eight millionaires,” says Mattsson. “Before if you were an ethical hacker and you try to report something to a company you never really knew whether they would respond. In some cases, they would have threatened lawsuits and the whole shebang, so that doesn’t actually encourage someone who wants to do something good. That is where the bug bounty platforms come in and will help the researcher and the companies to do it in an organised way.” He adds: “By having a bug bounty programme, we get access to some of the most talented security researchers in the world who can help identify security vulnerabilities in our assets.”
Eyes on the prize
While the idea of finding security flaws in tech giants’ websites and apps and being rewarded handsomely for your skills sounds like a dream job for many cybersecurity enthusiasts and wannabe hackers, the reality is most won’t earn serious cash. For many it will be a steep learning curve slogging away on the lower rungs of the bounty ladder, although there is still money to be made from programmes that pay a couple of hundred dollars per valid report. Little and often can be more profitable than the occasional big score. Indeed, SBG’s Pegden says every day companies are creating a “conveyor belt” of relatively easy-to-find vulnerabilities. “Those not capable of going after the big bucks can still make some decent money.”
That said, Pegden does harbour concerns about the future of the scene. “I do worry about the long-term viability of the industry,” he states. “We’re already seeing a stratification of the labour force where a very small percentage of hackers are responsible for claiming a very significant percentage of all the pay-outs, and it’s a sad fact that the quality of the reports soon tails off as you start to descend the ranks of hunters. Unless you’re looking to make use of the huge and growing pool of entry-level hackers who all compete for the same low-hanging fruit, then you really have to start working on attracting high quality hackers, who will often realise that there is easier money to be made on less well-secured programmes.”
Others, perhaps unsurprisingly, are more bullish about the industry’s outlook. HackerOne CEO Marten Mickos penned a blog post recently in which he suggested ethical hackers will have earned a combined $1bn in bug bounties within the next five years. He also estimated there to be “100 million security vulnerabilities still out in the wild”, which, if even half true, still translates into an abundance of opportunities for security researchers, ethical hackers and bounty hunters.
And with governments and federal agencies increasingly turning to bug bounty programmes in this era of cyberwarfare and cyberespionage, this is a part of the space with great growth potential. “I think more governments are seeing the value of having ethical hackers,” says Mattsson. Even HackerOne isn’t immune to the threats out there. Last December, the platform suffered the ignominy of being hacked itself by one of its community members. Yet, as you might expect, HackerOne opened its wallet and rewarded the user with the handle haxta4ok00 for exposing the flaw; a cool $20,000.