Cloud network hunting note: an emerging business trend is on the rise. A number of startups such as Synack are helping big companies outsource the search for security holes to "hackers" around the world. These startups act as a bridge: they help companies reduce their security maintenance costs by drawing on a huge crowdsourced pool of hackers, and at the same time they let people with a hacker spirit help others while earning a good income.
Shashank Kumar has been involved with computer hacking since seventh grade. At first he liked breaking into websites and playing practical jokes on them, although he now says he regrets it. Then he discovered that he could make money by submitting web bug reports. On his Twitter account, @cyberboyIndia, he said that he had earned $30,000 in vulnerability rewards, enough to cover a lot of his university expenses.
These days, during final exams, the 19-year-old should be memorizing. But on many nights he has found himself awake late, keeping his laptop humming while looking for vulnerabilities in software run by major companies such as Yahoo, PayPal and AT&T. On Twitter, Shashank tallies the rewards he has received for published vulnerability reports: from a free hat, to a new smartphone, to a check for $1,500. Although he earned the money, it was a fatal blow to his academic record.
At present a bigger trend is sweeping across the network security industry, and Shashank is representative of it. Not long ago, Google announced that it was improving the rules of its vulnerability rewards program (the famous Pwnium hacker competition). Google cancelled the previous fixed annual prize, a considerable $2.7 million in cash; now the program will operate throughout the year, and the bonus pool rises to infinity. Google tactfully reserves the right to cancel the program at any time, but in a sense, in this program the money flows freely.
Google expands the prize pool to infinity
If Google wants to maintain its competitiveness, such a cancellation is unlikely to happen. In the past, vulnerability reward schemes were informal: a thank-you note, an online acknowledgement, a free T-shirt, or a few hundred dollars. This was the so-called bug bounty program. But in the past five years they have unexpectedly become a business opportunity. Almost all of the major technology companies now have such a department, keep expanding it, and invest more money in it than ever before.
The key lies in emerging Internet companies such as Crowdcurity, Bugcrowd, Synack and HackerOne. Since they arose, businesses in all walks of life have been able to release their own vulnerability reward schemes. The expansion of the market stands out: in the past two years the scale of industry reward schemes has grown rapidly. Enterprises large or small can let these emerging companies build the platform and handle recruitment, and only need to pay the reward money, so vulnerability detection is no longer something only big companies do.
Why not try a new weapon in the war
"It has already changed our views about security," said Andrew, Vimeo's chief technology officer, who recently released a vulnerability reward program on HackerOne. "For us, establishing such a project from scratch within the organization would have been almost impossible."
Vimeo has grown gradually in recent years and occasionally received opinions and suggestions about system vulnerabilities, but every time it wanted to spend money to solve these problems, Andrew did not feel comfortable. "The only way we could thank them was to give them a free account or free T-shirts, but these things don't really encourage the best talent to stay involved long-term."
Like many companies, Vimeo has a chicken-and-egg problem (it needs both the technology that researchers use and researchers willing to get involved in repairs). Having plenty of trusted members on the team, or building such a team, would cost a lot of money. And these companies are not willing to open up, because people don't understand, and don't trust, an unusual and sometimes anonymous group of teenage hackers.
The emerging companies that provide vulnerability rewards establish trust and liquidity and act as a bridge, so that relatively small enterprises like Vimeo can use the global pool of hackers. "Paying the rewards is very painful; they live in every corner of the world, they have no tax returns, and the network company has to issue payment on its own," Andrew said. When hackers recruited through the HackerOne site run into problems, HackerOne deals with the legal and follow-up process. HackerOne processes the bills and pays the rewards, and relies on a 20% commission on every reward entrusted to outside hackers.
The operation of such a system is stable enough that large companies capable of handling their own programs, such as Yahoo and Twitter, have chosen to let third-party vendors like HackerOne operate their vulnerability rewards programs rather than run them internally. "Spending more and more on hardware and software to patch vulnerabilities is like sticking a band-aid on a wound; obviously it doesn't work. We might as well hand the tasks of finding and fixing bugs directly to a third-party company, and this method has been confirmed," said HackerOne venture capitalist Bill Gurley. "The incentive plan is not only about preventing these problems, but even more about dealing with them."
For vulnerability "hunters", the biggest risk is that they spend a lot of time looking for a vulnerability and writing a report explaining how it works and how to fix it, only to find that a "rival" has already found the hole and filed the bug report first. Shashank and his friends made cartoons about the mood of finding "duplicates" in the industry.
"That involves a great deal of trust," Vimeo's Andrew said. "They spend a lot of time identifying and recording problems, and each report submitted goes into a black box waiting for review. I have to deal with a lot of duplicate reports. Unfortunately, we have to follow the principle of rewarding the first."
Interestingly, none of the six bug bounty "hunters" is full-time. The randomness of this job makes the disparity in monthly income huge. Although many people said their income was considerable when they first took up the job, everyone treats it as a passion, a hobby, or a part-time job. "I think bug bounties are like online poker," says a Russian hacker named Andrew. "You may be lucky and get a big reward; you may be unlucky and go a long time without finding a vulnerability." To some extent, the strong market for researchers could make it almost like business process outsourcing. In places such as India and Pakistan, despite the risk of wasting time, there are still many talented young people who want to look for vulnerabilities.
Duplicate or low-value reports are also a problem for companies entering the market. "The disadvantage of 'send us your bug report and we'll give you money' is that you get a lot of rubbish reports," said Daniel LeCheminant, who recently released Trello's rewards program. "Ten days ago, we received 200 reports, but only 10 were valuable."
Because an open vulnerability reward program brings no such benefit, Synack has adopted a much less open model. Synack is the Internet company that releases the most abundant vulnerability reward money, and it was founded by "veterans" of the U.S. National Security Agency who spent years searching for network vulnerabilities for the government to use. "We take a different approach from other reward providers that manage vulnerabilities well," founder Jay Kaplan said. "People in developing countries need money; even $50 will attract them." Companies that release incentive plans on Synack do not pay the money to the hackers themselves; Synack charges the companies a percentage as a service fee. Synack has a group of hackers who have passed three levels of vetting review all reports and assign rewards, insulating the many more conservative customers who don't understand the technology.
Avoiding negative effects
Alex Rice, formerly head of Facebook's security department and now HackerOne's chief technology officer, said that even if the return is not as high, most hackers choose the officially sanctioned program over the black market. "To sell things on the black market, you must promote them like a weapon, and that exposure lasts for months. So you must allow most people to participate in this project; they have skills rather than malicious purposes."
But some industry experts warn that, if not handled properly, it will affect the incentives of the companies operating these programs. "The problem is that these companies believe that announcing a vulnerability reward program is enough," Ilia Kolochenko, founder and chief executive of the security company High-Tech Bridge, said on his company's blog. He cited the example of a hacker who submitted a duplicate that had not been repaired: "If you are not interested in what we found, we will swap our white hat for a gray/black hat and tell other people who might be willing to pay more."
Gus Anagnos, who helped launch PayPal's vulnerability incentives and now works at Synack, said: "We won't dwell too much on those who feel they weren't paid enough, or on the negative impact of hackers who publicly disclose the holes they found without delay." These hackers often disclose publicly, the company said, creating public relations crises for the companies involved. This has led companies to overreact to every report and review each one carefully. "When an organization finds itself in a crisis, it will focus on the less important weaknesses, which becomes a waste of time."
These emerging network companies have, to some extent, used point-based incentive systems to establish hacker reputations and reduce the problem of duplicate reports. "When you submit a duplicate bug report, they give you bonus points," Shashank pointed out in an email. These points mean more people get involved in the more profitable, less competitive private programs. "So we submit duplicate bug reports here," Shashank said. He recently sat at the top of the Bugcrowd and Crowdcurity leaderboards, which highlight the top researchers every month.
Finding vulnerabilities privately is good for both sides. "Big technology companies face the present chaos: on one side they attract people to come and try, but they bear the risk of people blatantly damaging their systems," said Casey Ellis, chief executive of Bugcrowd. "A company, a large retailer, doesn't set up an incentive plan the way an Internet company does; the appetite for risk is not the same." The emerging Internet companies providing these services share a common characteristic: they always start by establishing a private project and recruiting a specific, credible group of hackers to join it, and that is how they begin building the program. As the company slowly gets the hang of operating it, it expands the scale, for example to a public test or to an official award scheme launched on the customer's own website.
Turning a bad thing into a good one
A few years ago, some security experts were dissatisfied with the expansion of vulnerability rewards; they have since changed their view. "I was afraid companies would open such projects, because people would send terrible vulnerabilities and threaten the company to demand payment, and the company would waste time on them while real security breaches went unrepaired," Dan Kaminsky says, "but I am pleasantly surprised by their work in this field. At present there is serious erosion of talent in this area, and projects like this can help companies develop and maximize the abilities of professional talent."
However, many people are still skeptical. These skeptics think that looking for vulnerabilities is mostly a temporary fix rather than a permanent cure, and cannot fundamentally solve the problem of system vulnerabilities. "There is a lot of information in the process of looking for vulnerabilities so that we can fix it," says Peter Herzog, security analyst and founder of OSSTMM. "Compared to reality, its foundation is more in the market. Once you have piled into their market, a newcomer will emerge."
Herzog points out that high-profile hacks like the one at Sony Pictures may have begun with company insiders betraying it, not really with a hole. "Most attacks have been completed through social engineering (gaining illegal access to information through computers, by way of holes). In this case, how would we calm people?" Herzog asked. "When these people are downloading and installing malicious software while also looking for vulnerabilities, what is the meaning of that?"
Even the emerging Internet companies readily admit that vulnerability rewards are not the best way to deal with the security dilemma. "Running a reward program is not the same as everything now being safe," says Jacob Hansen, partner and chief executive of Crowdcurity. "A vulnerability incentive plan is one tool in the toolkit, one kind of approach. You also need code review, physical security, and employee training."