Are All Bug Bounties Created Equal?
Hiring a professional exterminator can be a costly ordeal and typically requires multiple applications of strong chemicals in your home. They know their bugs and the chemicals and application techniques that are most effective. A typical exterminator treatment falls between $300 and $500, whereas “cyber exterminators” are paid an average of $294 per reported bug submission, as indicated in Bugcrowd’s State of Bug Bounty 2nd annual report. This new average payout represents a 47% increase over 2015’s averages. But don’t let these meager averages fool you. Lately, bug bounties for hackers and security experts have begun to offer some serious bank, but are all bug bounties created equal?
In the world of cybersecurity, there is a real need for these “cyber exterminators” to report the bugs they discover on websites and in software applications, and how a potential attacker might exploit those vulnerabilities. Since 1996, companies like Netscape have encouraged their own employees to find weaknesses in their software. Since then, bug bounties have expanded to include entire ecosystems and live events surrounding the exploits of talented hackers. Opportunities for IT professionals, both ethical and non-ethical hackers, and security research professionals to profit and gain credibility within their respective communities have surfaced. With sessions entitled “Screw becoming a pen tester. When I grow up I want to become a bug bounty hunter!” as part of DEFCON’s highly anticipated lineup, bug bounties have become the hot new thing for the security crowd.
Established bug bounty programs provide monetary compensation and recognition when an individual discovers and shares vulnerabilities. Bugs can be difficult to discover, especially for internal IT staff and software programmers, who are sometimes too close to the code to objectively spot their own security flaws. In the corporate sector, major players in the tech industry (Google, Facebook, Microsoft) were the first to embrace bug bounties, but the playing field has widened significantly to encompass numerous companies outside the tech space, in virtually every vertical.
Google Pixel Bug Bounty
Perhaps the best Android smartphone to date, Google’s Pixel is considered to be a solid competitor and nearly as secure as Apple’s iPhone. In an effort to avoid a repeat of last year’s widespread Stagefright security flaw, which affected over 950 million Android devices, Google has thrown its hat into the bug bounty ring. A white hat hacking team from China called Qihoo 360 answered Google’s challenge by successfully hacking the Google Pixel in under 60 seconds. The team was awarded a bug bounty of $120,000; not a bad payoff considering how little time they were able to spend with the brand new device. But these were no amateurs. Two years prior, they pulled off a similar hack on a Tesla Model S. After they successfully demonstrated the Pixel hack, they sent details to Google, which immediately began work on a security patch.
One Million Mile Bug Bounty
It can take years to rack up enough mileage to earn a free trip from any airline. United Airlines recently began ‘Hacking for Bounty’, a program which rewards hackers for notifying United Airlines of vulnerabilities and security issues within its computer networks. At only 19 years old, Olivier Beg from the Netherlands was awarded 1 million frequent flyer miles for his discovery. Beg has reported a total of 20 separate security flaws to United Airlines to date. Currently, United Airlines is the only airline that has publicly instituted a bug bounty program. It rewards hackers 50,000 miles for reporting low-severity security issues, 250,000 miles for medium-severity bugs, and 1 million miles for remote code execution.
What’s a Bug Worth to Apple?
At a recent Black Hat conference, Apple announced its own invite-only bug bounty program worth up to $200,000. This program also offers a hefty $100,000 for a single vulnerability identified in the Secure Enclave, but only for security researchers who have previously worked with Apple. You may wonder why Apple chose to close the bug bounty off to hackers in general. In an effort to dissuade unethical hackers from bidding up the $200k award, Apple chose not to work with unvetted sources. But only a week after Apple announced its bug bounty, the Texas-based firm Exodus Intelligence announced that it would pay up to $500,000 for any iPhone zero-day exploit. To date, no one has reportedly claimed a prize from either Apple or Exodus Intelligence, but these events raised some eyebrows in the security community. It’s not too difficult to envision a day when valuable network and device security exploits will fetch orders of magnitude more than the vendors who built those products are willing to pay out in bug bounties. At some point, even Apple, the richest company in the world, will be outbid by hackers across the Dark Web.
Bug bounties continue to be an important method for identifying security vulnerabilities and will continue to grow throughout many industries. Bugs may be an enemy to an exterminator, but they are a friend to a hacker.
This blog post was also contributed to SecureWorld.