How Bug Bounty Programs Can Turn Black Hats White
Once upon a time, computer hacking was seen as the hobby of geeks in basements. Early hacking was often done almost as a vanity project, to show the world that the hacker was a highly capable programmer, able to circumvent computer defenses. Early computer hackers even formed clubs, like the Chaos Computer Club, which was founded in 1981 in Germany.
As computing progressed and the Internet brought disparate systems together, criminal elements spotted the financial opportunities in hacking into computers and IT systems. The development of hacking went down two main pathways: the Black Hat and the White Hat.
Black Hat or White Hat, Which Suits You?
Let’s have a quick look at the two main hats of hacking:
Black Hat hackers: These are the bad guys who use hacking techniques to break into computer systems for harmful reasons. These reasons can be anything from financial gain to exposure of information to straightforward damage of resources.
White Hat hackers: These computer hackers are the good guys. They use hacking techniques to find vulnerabilities and security exploits within a computer system. Typically, a penetration test would be carried out by a White Hat hacker. Penetration tests look for vulnerabilities in a system, including those exploited through social engineering techniques. In many ways, White Hat hacking is a much more in-depth challenge than Black Hat hacking, as it involves trying to stay a step ahead of the Black Hat hackers and looking at the psychology of hacking as well as the technical aspects.
A Grey Hat hacker is someone who is not a professional like a White Hat hacker. They are not, however, purposely malicious like a Black Hat. They are usually in the game of hacking to find a software vulnerability and then draw the software vendor's attention to it. Unlike a White Hat hacker, the Grey Hat hacker will tend to do this publicly, rather than privately, leaving the vulnerability open to exploitation by Black Hats.
Modern-Day Bug Bounty Hunters in White Hats
A more public version of the White Hat hacker is the Bug Bounty hunter. Hacking has become rife, and web applications, in particular, are now ubiquitous and feature-rich. Maintaining security and testing for potential issues is a very labour-intensive task for even the largest of vendors. This fact has led to the development of Bug Bounty programs, whereby members of the general public are invited to act like White Hat hackers and find security holes and vulnerabilities in software products, often for large financial rewards.
The Bug Bounty program originated at Netscape with an engineer, Jarrett Ridlinghafer. The idea was made public on October 10, 1995, offering rewards to test Netscape Navigator 2.0 beta. There have been a number of Bug Bounty programs since, including:
- Google, who got in on the act in 2010 with their Vulnerability Rewards Program, covering Google, YouTube, and Blogger. Payments for qualifying bugs found range from $100-$31,337.
- Facebook released their Facebook Whitehat Program in 2011. It covers all of the many products under the Facebook umbrella. Rewards vary, but Facebook has paid out more than $1 million to White Hat hackers.
- Microsoft started their own Bug Bounty program in 2015. They offer rewards of up to $100,000 if you also inform them how they can defend against any vulnerability you find.
Many more companies across the globe offer rewards for vulnerability and exploit testing through Bug Bounty programs. HackerOne has compiled a comprehensive list of Bug Bounty programs.
Black Hat Hacking Made Easy
Until recently, becoming a hacker was the domain of skilled software programmers. This has all changed because the Software as a Service (SaaS) model has moved into the Dark Net. Today, anyone with a reasonable level of understanding of computers and a good business head can become a Black Hat hacker. People who ride on the back of malicious code created by Black Hats are known as ‘script kiddies’. Malware, in particular ransomware, has been pushed out to the wider public using SaaS as a model. A report by Malwarebytes found that of the 400 variants of ransomware in 2016, almost all were propagated using ‘Ransomware-as-a-Service’ by non-coders.
As well as ‘Malware-as-a-Service’ options, becoming a Black Hat hacker has been made easier by using some of the tools of the White Hat hacker. Tools such as the Rubber Ducky and WiFi Pineapple are easily and cheaply available online. The Rubber Ducky is a seemingly innocuous USB key fob which can be used to capture login credentials, whereas the WiFi Pineapple allows a person to intercept Internet communications, including the capture of login credentials if part of the site is not delivered using HTTPS.
Bug Bounty Makes Good Hats
As Bug Bounty programs proliferate, they create interesting and financially rewarding jobs for people who are drawn towards the hacker’s life. In doing so, these programs may well have an unexpected effect: a wider societal benefit to all. By opening up these programs to a wider general public, they may well stop people who would otherwise use easily available tools from becoming Black Hat hackers. Bug Bounty programs may end up preventing more than just vulnerabilities in well-known vendor applications.