
Harnessing bug hunters for safety & profit

A cybersecurity expert explains how to motivate hackers to work for you, rather than against you.

They are “external security enthusiasts,” according to Google: hackers, who constantly explore the cyber world, trying to open doors that seem locked.

And they can work for you, a cybersecurity expert says, if you create an environment that works for them.

“What happens when someone comes to try and tell you about a security vulnerability?” asked Katie Moussouris with HackerOne, at S4X16, a cybersecurity conference in Miami. 

In a survey of Fortune 2000 companies, 94% of the companies did not have a published way to contact them about security vulnerabilities, Moussouris said.

“There are vulnerabilities in every single one of those companies,” said Alex Rice with HackerOne in an article in Ars Technica. “Having no process for dealing with them is doing everyone a disservice.”

Bug bounties

Hackers will not stop hacking just because companies don’t have a way to report vulnerabilities.

Some companies pay bounties for the discovery of these “bugs.” Google calls it a “rewards program,” and offers $100 to $20,000 for the reporting of security vulnerabilities, saying it wants to “honor all the cutting-edge external contributions that help us keep our users safe.”

Riot Games says it has paid out more than $100,000 to researchers who have found 75 different bugs, vulnerabilities and exploits in its systems.

“We know that smart people all over the world poke at our software, websites, and infrastructure, looking for weaknesses. Some will successfully find security vulnerabilities. When this happens, it’s critical that we become aware of the vulnerability ASAP so that we can fix it before it’s widely abused,” Riot Games said on its website.

“If we’re not listening, it can frustrate researchers with good intentions and lead them to post their exploits online in order to get our attention. That’s not great for the researcher and could cause confusion and pain for players,” the site also said.

Make your own

You can create a system for reporting vulnerabilities for your company, Moussouris said.

A basic system would have an easy-to-find door for reporting vulnerabilities, she added.

Some companies have reporting forms on their websites, like Google and Riot Games.

Also, you should clearly state you would not pursue legal action against someone if they come to you to report a vulnerability, she said.

“Unfortunately, researchers have received legal threats from vendors and government agencies seeking to stop publication of vulnerability information or ‘proof of concept’ code demonstrating the flaw,” said the Electronic Frontier Foundation on its site.

Finally, Moussouris said, you would thank the person for reporting the vulnerabilities and encourage them to come forward.

“There is risk for a reporter coming forward to let you know they’ve found something,” said Moussouris. “How many hackers will continue to report vulnerabilities for free if, at the basic level, they are not being recognized for their work, or if they’re concerned they’re potentially going to go to jail?”
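One concrete form of the “easy-to-find door” and the no-legal-action statement described above, added here as an illustration rather than something the article or Moussouris prescribes: a security.txt file published at /.well-known/security.txt, the machine-readable contact format standardized in RFC 9116. Every address, URL and date below is a placeholder.

```text
# Served at https://example.com/.well-known/security.txt (placeholder domain).
# Format: RFC 9116. All values in this file are placeholders.

# Where a reporter should send a vulnerability (the "easy-to-find door").
Contact: mailto:security@example.com
Contact: https://example.com/security/report

# Required by RFC 9116: the date after which this file should be treated as stale.
Expires: 2026-12-31T23:59:59Z

# Public key a reporter can use to encrypt the report.
Encryption: https://example.com/pgp-key.txt

# The disclosure policy, including the statement that good-faith reporters
# will not face legal action and what they can expect from the company.
Policy: https://example.com/security/disclosure-policy

# Public thanks to the people who reported issues.
Acknowledgments: https://example.com/security/hall-of-fame

Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
```

The file sits at a fixed, well-known path so that a reporter (or an automated scan of the kind behind the 94% figure above) can find the reporting channel without guessing; the Policy link is where the safe-harbor wording and the expected response timeline belong.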

Not just money prizes

Moussouris said she created the bug bounty program at Microsoft. But she said, before paying out money, the company provided other incentives.

The company sent Xboxes or special download codes giving reporting hackers virtual rewards in games, she said. They also thanked the hackers who found vulnerabilities in a special bulletin.

“Show that you’re actually going to give thanks,” she explained. “Think about ways that you can thank them that are unique to you.”

Google says it has a public credits page, as well as a hall of fame page for the “external security researchers” who have provided the most vulnerability reports.

The Electronic Frontier Foundation offers public acknowledgement, as well as T-shirts, stickers, hats, and even a chance to tour the company office and meet with staff, among other rewards for vulnerability reporting.

Staying silent

Some companies make the mistake of not communicating with the person who reported the vulnerability, Moussouris said.

“They’re preferring to keep things quiet. They’re preferring to keep things under wraps and not give public acknowledgement,” she said.

Lack of communication can frustrate the person reporting. Researchers at Rapid7 said they tried to contact Comcast about a security flaw in its home security alarm system, but did not hear back. Ultimately, Rapid7 published the security flaw on its website.

“Periodically, you have to give updates to the person who reported the issue. You can’t be silent,” Moussouris said.

Bug repair process

Companies need to actually track, analyze, process and repair the vulnerabilities as well, Moussouris advised.

General Motors just launched a bug bounty program in coordination with HackerOne.

GM set up a list of rules for hacking its cars, according to the article in Ars Technica.

The company said hackers must not violate any criminal law, must not cause harm to GM, customers, or others, and must not compromise the privacy or safety of customers and the operation of services.

It said hackers must also “provide a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during discovery (the detailed summary will allow us to reproduce the vulnerability).”

Also, hackers cannot live in Cuba, Iran, North Korea, Sudan, Syria or Crimea, and can’t be on the US Department of the Treasury’s Specially Designated Nationals List, according to the list.

Another rule says that hackers must “publicly disclose vulnerability details only after GM confirms completed remediation of the vulnerability and not publicly disclose vulnerability details if there is no completion date or completion cannot be ascertained.”

“If a major, older company, a traditional manufacturing company like General Motors, can handle at least the basic steps, then my question for all of you is, ‘Are you ready to wake up and hear from the outside world about your vulnerabilities?’” Moussouris asked.
