The average person has probably never heard of a bug bounty program. For the uninitiated, it might sound like an entomology collective or something, but it's actually not about insects. However, it is about bugs, those errors, flaws, failures and/or faults in a computer program that can have dire consequences.
A bug bounty program is a deal offered by a website or company wherein people who are tech-savvy can receive compensation for bringing bugs to the attention of the company in question, particularly if the bugs leave the company or website vulnerable to cyberattacks.
The idea for a bug bounty program first emerged in 1995 when a Netscape technical support engineer by the name of Jarrett Ridlinghafer discovered that many of the company's biggest enthusiasts were software engineers themselves and had been solving Netscape products' bugs and publishing the workarounds on their own.
Ridlinghafer decided that this kind of self-help collaboration could be a big boon for Netscape Communications Corporation and swiftly drew up a proposal for the Netscape Bugs Bounty Program. The proposal was reviewed at the company's next executive team meeting and was almost unanimously approved by the company's higher-ups.
Ridlinghafer was given an initial $50,000 budget with which to implement the new program. It was so successful that it continues to be mentioned in books on the subject today.
In the past, Facebook utilized a bug bounty program to detect exploits and vulnerabilities. Those “ethical hackers” who uncovered these vulnerabilities were issued “white hat” debit cards on which funds were loaded when a bug was reported.
Although Facebook stopped issuing these debit cards in 2014, this month they announced their intention to expand their bug bounty program to include issues of app developers misusing users' data. While this may be a case of the social media giant saving face after the Onavo VPN controversy, it is also a direct response to the data misuse that has made national headlines.
According to their director of product partnerships, Facebook will be reviewing “all apps that had access to large amounts of information before we changed our platform in 2014 to reduce data access.”
Other companies are also expanding their bug bounty programs; Intel is broadening its own program by providing better incentives for coordinated response and disclosure. They are offering up to $250,000 to any researcher who detects and reports side-channel vulnerabilities.
Such programs have become more and more common as virtualization secures enterprise organizations against zero-days and unknown threats. Last year, Bromium partnered with Bugcrowd to launch a private bug bounty program to perform advanced penetration testing.
Via application isolation and control, they contain threats to the endpoint and offer real-time threat intelligence so that an ethical hacker can see what is occurring without the risk of an actual breach.
Some have questioned the legitimacy of such programs. In 2017, a researcher who found “an incredible screw-up” worth $30,000 allegedly received threats instead of a bounty when he reported the screw-up to DJI, the firm whose drones were discontinued by the U.S. Army due to security issues. Instead of being rewarded for his efforts, the researcher claims that he received extortionate threats.
Kevin Finisterre, the researcher who detected the drone manufacturer's SSL certificates and firmware encryption keys exposed in code on Github, exchanged 130 emails with them in which they made a range of demands of him before ultimately insinuating that he would be guilty of violating the Computer Fraud and Abuse Act if he didn't do what they asked.
Although the case of DJI suggests that companies with bug bounty programs could fail to stand by their promise to pay ethical hackers for their work, Mr. Finesterre's report also underscores the benefit of businesses setting up such a program.
The comprehensive report showed that flight logs, ID cards, passports, and driver's licenses were all unencrypted. This is but one example of how important it is for companies to utilize a wide range of privacy tools and to seek outside help when necessary.
On March 21, Netflix launched a public bug bounty program that will reward its researchers $15,000. The streaming service's vulnerability responsible disclosure framework will award thousands to researchers who detect P1-rated flaws, such as SQL injections, broken cryptography, and sensitive data exposure.
In-scope applications include the U.S. entertainment company's API, its main domain (www.netflix.com) and its mobile apps for Android and iOS.
The idea of inviting strangers to find flaws in one's system might sound like an insane idea, but there are many reasons why it is advantageous to businesses. For starters, these programs result in a lot more people looking out for the integrity of one's computer system than a company could ever afford to hire.
Our information is increasingly susceptible to sophisticated attacks and no one is truly safe. With a whopping total of 3.74 billion global Internet users, we're all vulnerable to attack. Data breaches of the U.S. government have even occurred in recent years. If criminals can hack the Pentagon, they can hack pretty much anything.
Most major companies seem to be aware of the ineffectiveness of internal cybersecurity. This makes the solution fairly obvious. It's high time that all companies open themselves up to external assistance.
Sam Bocetta is a defense contractor for the U.S. Navy, a defense analyst, and a freelance journalist. He specializes in finding radical — and often heretical — solutions to "impossible" ballistics problems. Through Lakeview Capital, he also cultivates funding for projects — usually naval, defense, and UAV startups. He writes about naval engineering, mechanical engineering, electrical engineering, marine ops, program management, defense contracting, export control, international commerce, patents, InfoSec, cryptography, cyberwarfare, and cyberdefense. To read more of his reports — Click Here Now.
© 2022 Newsmax. All rights reserved.