Hack Us and We'll Pay You: The Case for Using Bug Bounty Hunters
It sounds counterintuitive if not downright scary to some bankers: invite hackers to analyze your applications, looking for security holes, and pay out a “bounty” when they find them.
But PayPal, Western Union, Square, Simple and other financial services companies that have created or worked with so-called bug bounty programs say they’re an effective supplement for the work done by sometimes-strapped internal security folks.
In bug bounty programs – which aren’t new but are almost unheard of in banking – companies officially welcome hackers to search their websites and software applications for security issues. They offer a financial reward for every reported issue that turns out to be a genuine, fixable flaw in the software.
Many bankers contacted for this story didn’t know what a bug bounty program was. Others said, as they often do, that they can’t discuss security.
Outside the industry, it's become a common-enough practice that even the U.S. government launched a “Hack the Pentagon” program in March 2016. Hackers have already found 100 vulnerabilities in Department of Defense systems, and the program has paid out $15,000 among its 1,400 registered participants.
In the absence of such a program, relations with so-called white-hat hackers can get messy. Some software companies have taken legal action against hackers who uncovered security weaknesses in their code. FireEye, for instance, obtained a court injunction last year against Felix Wilhelm, a security researcher at ERNW GmbH who had found a flaw in FireEye’s software that attackers could exploit to compromise servers and steal data. Wilhelm disclosed the flaw to FireEye, and the injunction blocked him from discussing the vulnerability at 44CON, a U.K. security conference. FireEye said it didn’t seek to prevent disclosure of the vulnerability, but to prevent Wilhelm from sharing trade secrets as he presented his findings.
In another case, security researcher Nadeem Douba contacted core banking software vendor Temenos about a security vulnerability he found. Because Temenos had a policy of only accepting such information from bank clients, it was three months before anyone at the company would speak to Douba. Now they are working together.
Such cases make the utility of a bug bounty program clear: pay hackers to take your side and work with you, and avoid the legal, privacy, intellectual property and cyberfraud issues that result when they go it alone.
Western Union offers a bounty for identifying and fixing security weaknesses on its platform.
“We’ll go up to $10,000 if someone finds a chink in our armor, on the website, the mobile app or any external interface and notifies us,” said David Thompson, the money transmitter's chief technology officer. “This allows us to have one more avenue of protection,” Thompson said.
Last year, Western Union received six reports of problems it needed to remediate. A third-party company, Bugcrowd, collects the bug reports and validates them before they reach Western Union.
Thompson, who was formerly chief information officer of security company Symantec, said he wasn’t worried about issuing an open invitation to hackers, considering there's a cadre of cybercriminals who scan the Internet for security vulnerabilities 24/7.
“One thing I found in my experience is those people are already looking for problems,” he said. “Having a system in place to notify the company before anything’s done with it, and paying for that, creates a better incentive to notify the company. You’ve got people out there who are really good technologists who find things that maybe our scanning tools or secure coding capabilities are not aware of.”
PayPal has paid out more than $2 million in bounties since it set up its program in 2012. More than 1,500 hackers have joined from 80 countries. Bounties vary from $50 to $15,000 per patched vulnerability. The company showcases the hackers’ work on its Wall of Fame and Honorable Mention pages.
Like Thompson, Beth Cannon, the director of security engagement, architecture and strategy at PayPal, said she had few reservations about welcoming hackers in.
“The viewpoint we’ve always taken is somebody is always scanning, somebody is always trying to find a vulnerability they can exploit,” she said. “So reservations about opening it up were not part of the conversation, just because we know that happens every day anyway.”
Cannon said she was more worried about whether or not the program would get noticed and be popular.
Many security problems have been discovered that PayPal would not have had the staff to find on its own, Cannon said.
“We would never be able to scale our vulnerability scanning team to the size of the researcher community,” she said. “We have many researchers that are return customers, who come back and find it harder and harder to find issues. So I believe this program does help identify security issues more than we could with our internal staff and helps us extend that reach.”
PayPal doesn’t try to vet the hackers. It does require them to get PayPal accounts and it gathers information from their Twitter and Facebook feeds and public blog if they have one. (Security geeks tend to be into blogging.) Other than that, anyone can submit. There are hackers who come back time and again whom Cannon’s team has gotten to know well.
The participants take pride in being featured on the Wall of Fame and honorable mention pages. “Being in the honorable mention or Wall of Fame means you found something that was really hard to find and was a really big deal,” Cannon said.
One key to running a program like this is being clear and transparent about how the bounties will be paid, Cannon said.
“You want to pay well for the really hard things to find and appreciate the researcher community as an extension of your team,” she said. “Build relationships with the researchers, blog with them, offer to publish with them.”
In PayPal’s program, the need for communications and engagement with the hackers was greater than Cannon expected. (It’s mostly through email, with some follow-up phone calls.)
“They’re looking for quick responses, they want to know right away if their bug is valid,” she said.
Bug bounty firm Synack offers a variation on the theme. It runs discrete, private bug bounty programs for customers whose names it won’t disclose. Its financial institution clients include many of the top ten U.S. banks, according to CEO Jay Kaplan.
Synack hires hackers all over the world, after putting them through a rigorous vetting process.
“We have to know these individuals can be trusted. We need to know their background, and we have to take into account how ethical the individuals are,” said Kaplan. “If there’s precedent for them having done something illegal, that might be indicative of something in the future. We don’t want to be in the position of saying we knew about it but thought they wouldn’t do it again.”
Synack looks at resumes, current employers and social media posts, and conducts independent background and criminal-record checks.
Its white-hat hackers go beyond looking for software errors or holes. They take an adversarial approach, attempting to do potentially fraudulent things like transfer funds from one account to another.
When they scrutinize mobile banking apps, for instance, the white-hatters look for things like insecure cryptography, unsafe storage of keys, improper verification of data sent by a server, and the ability to intercept messages and transactions.
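Two of the weaknesses listed above, improper verification of data sent by a server and the ability to intercept and alter messages and transactions, come down to the same question: does the app check that a response really came from the bank before acting on it? The following is an added example, not Synack’s or any bank’s code: a toy transfer confirmation that the back end signs with Ed25519 and that the app verifies against a public key pinned in the app, shown beside the weak client that trusts whatever arrives. The message format, field names, account numbers and the attacker’s edit are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// TransferResponse is a constructed stand-in for the JSON a banking back end
// returns after a transfer; the field names are assumptions, not a real API.
type TransferResponse struct {
	TxID        string `json:"tx_id"`
	FromAccount string `json:"from"`
	ToAccount   string `json:"to"`
	AmountCents int64  `json:"amount_cents"`
	Status      string `json:"status"`
}

// SignedEnvelope carries the body and the server's signature over those bytes.
type SignedEnvelope struct {
	Body, Signature []byte
}

// ServerSign is the back-end side. The private key never ships in the app;
// only the public half is pinned client-side, so there is no signing secret
// for an attacker to lift out of the installed binary.
func ServerSign(priv ed25519.PrivateKey, resp TransferResponse) (SignedEnvelope, error) {
	body, err := json.Marshal(resp)
	if err != nil {
		return SignedEnvelope{}, err
	}
	return SignedEnvelope{Body: body, Signature: ed25519.Sign(priv, body)}, nil
}

// ParseUnverified is the weak client: it trusts whatever arrives, so anyone
// who can intercept the connection can rewrite the amount or the status.
func ParseUnverified(env SignedEnvelope) (TransferResponse, error) {
	var resp TransferResponse
	err := json.Unmarshal(env.Body, &resp)
	return resp, err
}

// ParseVerified is the hardened client: it checks the signature against the
// pinned public key before parsing a field. The length check matters because
// ed25519.Verify panics on a malformed public key rather than returning false.
func ParseVerified(pub ed25519.PublicKey, env SignedEnvelope) (TransferResponse, error) {
	if len(pub) != ed25519.PublicKeySize || len(env.Signature) != ed25519.SignatureSize {
		return TransferResponse{}, errors.New("malformed key or signature")
	}
	if !ed25519.Verify(pub, env.Body, env.Signature) {
		return TransferResponse{}, errors.New("server response failed signature check")
	}
	var resp TransferResponse
	if err := json.Unmarshal(env.Body, &resp); err != nil {
		return TransferResponse{}, err
	}
	return resp, nil
}

// Tamper models an interception: the attacker rewrites the wire bytes but has
// no way to produce a fresh signature, so the original one is replayed as-is.
func Tamper(env SignedEnvelope, from, to string) SignedEnvelope {
	return SignedEnvelope{Body: bytes.Replace(env.Body, []byte(from), []byte(to), 1), Signature: env.Signature}
}

// Outcome records what each client believed after the same interception.
type Outcome struct {
	GenuineAmount    int64 // amount the server actually signed
	UnverifiedAmount int64 // amount the weak client displayed after tampering
	VerifiedErr      error // non-nil: the hardened client rejected the forgery
	VerifiedGenuine  bool  // the hardened client still accepts the real message
}

// RunScenario signs a $25.00 confirmation, has an attacker turn it into
// $25,000.00 on the wire, and feeds the result to both clients.
func RunScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	genuine := TransferResponse{TxID: "tx-0001", FromAccount: "1001", ToAccount: "2002", AmountCents: 2500, Status: "ok"}
	env, err := ServerSign(priv, genuine)
	if err != nil {
		return Outcome{}, err
	}
	forged := Tamper(env, `"amount_cents":2500,`, `"amount_cents":2500000,`)
	weak, _ := ParseUnverified(forged) // the forged body is still well-formed JSON
	_, forgedErr := ParseVerified(pub, forged)
	_, genuineErr := ParseVerified(pub, env)
	return Outcome{genuine.AmountCents, weak.AmountCents, forgedErr, genuineErr == nil}, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("server signed %d cents; weak client shows %d cents\n", out.GenuineAmount, out.UnverifiedAmount)
	fmt.Printf("hardened client: forgery rejected=%v (%v); genuine accepted=%v\n",
		out.VerifiedErr != nil, out.VerifiedErr, out.VerifiedGenuine)
}
```

Pinning only the public key on the device is also what keeps the “unsafe storage of keys” item off the table for this message path: there is no secret in the app for a reverse engineer to extract, only a value an attacker would have to replace in a modified binary. Application-level signing of this kind complements, rather than replaces, correct TLS certificate validation in the app; a tester who finds either one missing has found a way to tamper with transactions in flight.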
Companies that have been using bug bounty programs for years see only benefit in them. Along with the many other types of security defenses banks need to have in place – including more general external vulnerability testing – offering a bug bounty is likely to become a best practice for banks.
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.