Bug Bounty Programs (BBPs) actively encourage hackers to explore a company’s systems and report back on any vulnerability they discover. Often, pre-determined financial incentives are offered to the “security researcher” in return for their findings. The attraction of this process is obvious; rather than suffering a cyber incident that could – and for many organisations has – cost millions of dollars and resulted in reputational damage, companies can instead make a comparatively small payment to ethical “white hat” hackers with the intention of pre-empting an incident.
But what happens when BBPs go wrong? In November 2016, Uber was extorted by two opportunistic hackers who downloaded a cache of sensitive archived data stored in Uber's private Amazon Web Services storage, using credentials they had found in a private code repository used by Uber engineers. The data contained the names, email addresses and phone numbers of 57 million users as well as the driver's licence numbers of over 600,000 US drivers. Neither affected users nor law enforcement bodies were notified by Uber at the time. Instead, Uber paid the hackers $100,000, ten times the company's listed $10,000 maximum reward, to keep quiet and delete the data, and the breach only became public a year later. Uber has since publicly apologised for its botched data breach response.
Companies can take practical steps to design and manage their BBP strategically: create a 'scope of acceptable conduct' that clearly draws the distinction between accessing data and acquiring or downloading it; set criteria for what proof is required to confirm a 'successful' hack, so that a researcher can demonstrate a vulnerability without exfiltrating records; and offer non-monetary incentives to ethical hackers, such as public credit or increased exposure to job opportunities.
The problem is that once the hacker is inside your systems, temptation lies open before them, and at that point the 'white hat' can start to look a little... well, black. The lesson, perhaps, is to make the bounty large enough that the hacker wants to stay honest and collect it.