The Bug Bounty Evolution: Incentivizing White Hat Hackers

Rob from LA Fund
Dec 3, 2021

I was having a discussion with a person who was upset with someone he deemed to be unpalatable and concluded that this person, in his eyes, contributed nothing to our society. I retorted that every member of our society contributes something to the fabric that makes up our society, and it’s in our best interest, even selfishly, to include them, lest we face the consequences.

If we fail to adequately weave offenders back into society then we’ll pay in the form of expensive recidivism. If we fail to address socioeconomic issues, societal strife is likely to ensue. Even though Marie Antoinette valued very little the plight of those less fortunate with whom she would seldom interact, she likely very much valued her head. Her shortsightedness, history tells us, separated her from her status as head of state and head.

There is a digital war being fought with bits and bytes daily. Less cleaver and more code. Every major multinational organization has a bullseye firmly affixed on all of their servers or depositories of intelligence by competitors, hacking organizations, or sovereign nations.

These are illicit enterprises whose often sole operational use case is to penetrate systems to amass data that can be sold on the darknet to interested parties intent on using it for competitive intelligence or as leverage. Many are state-sponsored and many hundreds more are funded by institutions or oligarchs who see a return on their investment into low-cost exploits and penetration tests that yield sizable sums if the counterparty relents to the pressure of these disruptive attacks that freeze a business’ ability to operate, reflect poorly on their team’s technological competences, and embarrass executives.

Many of these attacks offer ransoms on a sliding scale because they see the public valuation for a company, or their widely reported revenue, and isolate what represents a pain point that hurts, but is still do-able based on the financials distributed. For executives who are worried about share prices taking a plunge for a value well in excess of whatever the ransom is, many relent.

Even for individuals, many cybercriminals research the income of the region and then isolate a pain point for working Americans targeted randomly through a virus, very often $399, where people determine that if they brought in their laptop to be fixed it would cost $199 and then there’s no guarantee that it’ll actually be fixed.

I was curious to see how a top repair specialist would do with a computer that had a rootkit that for the life of me I couldn’t remove from my laptop and so I brought it in. I was told the hard drive was wiped clean several times over and Windows installed afresh and that there was no possible way that any malware existed still on the system. I proceeded to open the laptop up before him before taking it home and we both watched as the mouse began to move and started to navigate to Russian websites before our very eyes.

The repair tech’s response: oh, looks like our rootkit software didn’t get it, but I wish the best of luck to you, and that’ll be $199.

The government has been deciding how to handle the massive assault on US companies in a wave of ransomware attacks that disrupted utilities, production companies, and hospitals. I, like you, likely know many people whose elective surgeries were altogether cancelled because a hospital’s infrastructure was shut down by virtue of an attack or know nurses who had to buy pencils & pens because patient reports had to be done the old-fashioned way to still keep the hospital HIPAA compliant.

This was a collective wake-up call that cybersecurity is hugely important, especially with the protections afforded organizations who do this as their sole business function. Further, many people who live in rich nations will contract out to those in these countries to do these exploits against their own citizens because they see that consequences are minimal and rewards are massive.

There either needs to be a united front to not pay ransomware on any level in any capacity (which would be exceptionally difficult to uphold), multinational law enforcement coordinating across the globe a la Interpol to stop these cyberattacks (assuming they leak their authentic IP address at some point during the breadcrumb discovery process), or heavy investment into ethical hacking to create a legion of savvy coders, from the best schools and academies, to combat the scrappy criminal hackers who are pitted against them.

For those who find cybersecurity and coding interesting, there is an increasing appetite for these types of ethical hacking professionals, with salaries that can allow one to live in many regions throughout the US or abroad. Couple that with much of the work being possible on a remote basis, and this amounts to a promising field for new computer science graduates, or those pivoting into the space, to focus their career pursuits on.

That being said, if you go onto a job board, “cybersecurity” doesn’t pull as many results as you might think. Even if a company uses a platform that can handle DDoS or low-level attacks, you really do need someone to make sure that your team is continually embracing best practices en route to the smooth operation of your business, with painstaking efforts in place to thwart attacks.

For the longest time, the call of the industry was for those with an understanding of code to take advantage of a company’s bug bounty programs. This was seen as a goodwill measure. Not every company participated and those that did sometimes would be met with a bug bounty reward that amounted to the value of dinner in the West for a mid-level exploit. This served to build out the resume of someone who really wanted to beef up their experience and put on their CV that they’ve found a mid-level vulnerability with tech company X, but that was the extent of it. Stringing together an actual salary comparable to the typical CS grad frontend developer who was clicking through WordPress throughout the day was exceptionally difficult.

In this clip, I talk to Rex Hygate, the founder of a well-regarded watchdog group, DeFi Safety, that provides an innovative, color-coded warning system for decentralized finance projects to help users determine a platform’s vulnerability based on verified code and detailed security audits.

Rex really hits the nail on the head in that bug bounty programs have come a long way and companies are doing a much better job of offering handsome rewards for independent cybersecurity professionals who seek to beef up the security layers for companies who open these bug bounty challenges to the world.

The Immunefi Bug Bounty platform has done a tremendous job of introducing the type of high dollar figure bounties to the ecosystem that you would see here and there, but nowhere near the scale that you presently see with many of these DeFi projects. Platforms see it correctly as a loss mitigation risk and integral cost of doing business, and it better compensates cybersecurity professionals for the hundreds of hours they’ve pored over code to ensure that every semicolon is properly situated.

It takes a VC-backed bug bounty platform to make this push increasingly important because companies — especially small and operating with a modest budget — are hesitant to put resources into cybersecurity issues, choosing to put their collective heads in the sand until an exploit has happened and irreparable damage has already been done.

Smart coders want to go the ethical route and have a sustainable, long-term career rather than compromise their integrity, but if the honeypot is so glaringly exposed and the ethical route doesn’t offer enough even to provide a full-time employment path for them to embrace their technical talents then exasperation over their limited options afforded often sees people slip to the dark side.

There’s a hugely popular podcast called Darknet Diaries which spellbindingly displays step-by-step how cybercriminals operate. It’s the second most popular technology podcast behind the tech rockstar Lex Fridman, which speaks volumes to the public’s fascination with cybercrime and cybersecurity issues.

The work to up the ante on bug bounties is a step in the right direction for companies collectively, but also doing more aggressive hiring on an individual company basis is important to keep nefarious elements of the internet out of the honeypot that is the treasure trove of data we store in the cloud.

If you’re interested in cybersecurity, I know and can attest to the ones at CSUSM & Duke. If you’re interested in blockchain, I’m teaching Blockchain Fundamentals in the Winter at UCLA.

Happy Holidays!

https://calendly.com/altcoin
