Bug Bounty Programs Pay Hackers to Hack


Uber was recently in the headlines when a hacker was able to exploit a vulnerability in Uber’s code and get rides for free. Probably illegal, right? Not in this case. The hacker was actually a security researcher who discovered the bug and reported it through Uber’s bug bounty program.

Bug bounty programs have sprung up in numerous tech companies and even the government as a way to reward security researchers for finding and reporting vulnerabilities that might otherwise go unpatched. Rewards for finding bugs can range from a hacker’s name being listed in a “hall of fame”, to cash ranging from $100 to tens of thousands of dollars, depending on the nature of the vulnerability.

Last fall, the US Department of Defense announced a new security initiative called “Hack the Pentagon”, in an effort to increase the security of government-owned websites and certain computer systems. Similar to bug bounty programs in the private sector, it pays out bounties of up to $15,000.

Securing websites and computer networks often turns into a race against the clock. Malicious hackers create increasingly clever ways of breaking into computers, while security engineers try to fix every hole and patch every leak in very complex systems. Using hackers as independent security reviewers lets enterprising, creative people legitimately earn money by finding vulnerabilities, while giving companies a head start on securing their systems before those vulnerabilities are exploited.

Bug bounties are just one aspect of a growing field called ethical penetration testing. Enterprising college students participate in capture-the-flag competitions, using their knowledge of computer systems to exploit vulnerabilities and rack up points. Some teams are so elite that the NSA actively recruits their members. Advances in artificial intelligence could mean computers will find and patch their own vulnerabilities in the future, but in the meantime, companies will rely on human expertise to secure their systems. What better way than a bug bounty?