back to article Like my new wheels? All I did was squash a bug, and they gave me $72k

Vuln hunters brought home the bacon last year, according to figures released today by bug bounty platform HackerOne. The Hacker-Powered Security Report is a biannual study of vulnerability disclosure ecosystems. It found that organisations resolved 27,000 vulnerabilities, earning ethical hackers $11.7m in 2017 alone. The …

Silver badge
Thumb Up

Good on them!

I'd much prefer these to be discovered, the finder paid $lots (which would essentially come out of what other customers and I are paying in licences) and potentially save me and my business $lotsmore in downtime and data compromise.

15
0
Silver badge

Re: Good on them!

At these rates of reward, (which seem to be beginning to reflect the severity of the exploit, the effort needed to find the hole and develop a proof of concept exploit) it must be coming more remunerative for blackhats to report the exploits they find...

9
1
Silver badge

Re: Good on them!

... it must be coming more remunerative for blackhats to report the exploits they find

Which is good thing. Better that they go gray hat or white hat than use the exploit and create headaches for everyone.

12
0
Silver badge

Re: Good on them!

"it must be coming more remunerative for blackhats to report the exploits they find."

Or just becoming remunerative, easier and with less risk than going for the bigger rewards of exploiting it. It doesn't mean there aren't any taking the latter route.

3
0
Silver badge

Re: Good on them!

> It doesn't mean there aren't any taking the latter route.

I expect them to be doing both!

Find and develop exploit, create malware package, as 'blackhat' sell malware package, wait for money to reach bank account, as 'whitehat' report exploit, wait for money to reach bank account...

So this method provides plenty of carrot to report exploits and a decent stick for software authors to take note and release fixes...

4
1
SVV
Silver badge

Massively in favour of this idea

For the big websites / standalone software companies, this is going to have to become the norm. Nothing so far has been able to shift the mindset from the "just ship it, got to be first to market no matter how poor or rushed it is" mentality, and now there's a mechanism developing that can truly make a difference.

For any big players in any market, not doing so could ultimitely become a big red "AVOID!" flag for customers if it becomes a big thing, and there will truly be an incentive to clamp down on the cheap and nasty practices that have been too prevalent up til now, as the market can then weed the cheapskates out.

As far as making it a profession goes, it's probably very risky right now unless you have the inside knowledge to exploit it at this early stage, but I can forsee huge success awaiting the people who truly get the big "eureka" moments and push this forward with innovations that nobody will dare to be without as regards making money off it. Could this be the way software development can reach the next stage of maturity, rather than all the other hopes and dreams that have so far failed? After all, I've never seen a fundamental approach that starts off by saying as a first point of principle : "All software and systems have bugs and vulnerabilities, and even planned tests will never catch the truly clever ways to exploit and uncover them".

9
0
Silver badge

Re: Massively in favour of this idea

There are probably more than a few dead companies that have on their tombstone: "Our customers stopped testing our software.".

5
0
Silver badge
Thumb Up

Re: Massively in favour of this idea

It's essentially outsourcing the security testing to an external contractor, with the difference that you don't have to go to the trouble to engage anyone, mess about with contracts etc. From the point of view of software companies, even offering massive bounties is probably still much more cost-effective than to hire someone directly. The largest bounty was $75k, which might have taken months of research by a highly skilled hacker (ahem, security researcher). Hiring such a person directly would take a salary (if they even would agree to be employed, they might not like the idea anyway) at least double that at a cost to the company of close to a quarter-million a year. For a large, or even medium-sized, vendor, keeping a bounty pot of say half a million a year is peanuts.

Also keep in mind that anyone whether employee or contractor can to a greater or lesser extent be sucked in to office politics that can affect how and what they are reporting. It's probably better practice to have the bug-hunting done by total outsiders with no connection to the company.

6
0
Headmaster

@jmch ".......a greater or lesser extent be sucked in to office politics......."

Indeed. It is of course often very risky for an ordinary employee to report this kind of thing. A fairly large proportion of middle managers react in a very hostile way to something they perceive of as an attempt to make them look bad in the eyes of senior management. They certainly do not see it as the "shop floor prol" doing what might be a very considerable service for the company.

7
0
Devil

Hahahaha

And then they release another version and it all starts again

WAYTOGO {cheers}, {more cheers}

4
0
Silver badge

Governments are leading the way in adopting crowdsourced security testing not bothering with security until one of the people who found an error reports it.

FTFY

3
0
Silver badge

To put that into perspective...

... finding a high value bug in a product that has been moderately picked clean can take as much as a year with no guarentee of finding one. So $72k is not _that_ much.

4
0
Silver badge
Childcatcher

Important Information

The article left out some arguably important information. How many hackers earned a piece of that $11.7m pie? How many folks are able to make a living from this kind of work? How many are just earning a little extra on the side? It's certainly good news that this bit of the economy is growing, but is it made up of a bunch of part-timers or well-paid workers? We have a good idea of who the customers are but not of the providers.

Which workers were winning welcome wages?

3
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018