The Sri Lankan Government should strongly consider implementing ‘bug bounty’ programs as a means of securing their online websites and databases, an expert in cyber security said yesterday on the opening day of the 2017 Cyber Security Summit.
Bug bounty programs are schemes through which companies can offer a ‘bounty’ – most commonly a monetary reward – for anyone able to find previously undiscovered bugs and hacking routes into their websites. Citing the successful implementation of such initiatives in numerous online domains ranging from those belonging to the Dutch Government – which are some of the most secure in the world – to those of large global corporates, Jake Davis noted that this was one of the easiest and most efficient ways to secure a company’s online systems.
“You can hire as many in-house security teams or external companies as you want – and that’s fantastic, you can cover all the areas – but the most unknown and ridiculous, abstract way of hacking into a website you still won’t be able to find it,” said the former hacker-turned-cyber security expert in his keynote address.
“But hackers are always doing this sort of stuff. From their point of view, they sign on to a bug bounty website, they see a company and think ‘I can get paid $1,000 minimum to hack this website, I’m going to now look for things that they might not expect’.”
Davis, who was among the founding members of infamous hacking groups Anonymous and LulzSec, has numerous Hall of Fame credits (Bug Bounties) to his name for disclosing the vulnerabilities of several major websites, most notably Apple, Facebook, Twitter and Google. Now serving as a cyber security consultant, he believes bug bounties offer a way of exploiting hackers’ “sense of mischief” for the greater good.
“Hackers have that sense of mischief, especially more ‘black hat’ hackers, and if you tell a hacker, ‘the more hypothetical damage you think can cause with this bug that we can fix, the more we’ll pay you,’ hackers get that mental satisfaction, and kind of mutual respect from their peers.”
Starbucks, Twitter, Snapchat, Rockstar Games and even Pornhub are some of the companies which utilise bug bounty programs, paying each hacker upwards of $50 per bug found, with the collective sums handed out as bounties ranging from $100,000 to nearly $1 million. Davis believes the widespread adoption of bug bounty initiatives speaks to their effectiveness.
“A lot of different companies do this. But one of them that I find very interesting is Pornhub; they’ve paid out the same as Rockstar Games and more than Starbucks. If a porn website has a bug bounty program it sort of shows that we should all probably have bug bounty programs.”
For those who may be flinching at the thought of cumulatively paying hundreds of thousands of dollars to effectively get their website hacked, Davis explains that in the long run it’s far less costly than having to deal with the fallout if even one of those hacks were to destabilise your company.
“Over time it’s probably going to be much cheaper than hiring security teams to overlook all this stuff. Also just take the Starbucks example – 259 hackers received bounties, that could be 259 company destroying headlines for Starbucks.”
However, that’s not to say all bug bounties need be costly affairs; the Dutch Government has some of the most secure government websites in the world – so much so that even Davis says he would struggle to hack into them – but they’ve achieved this feat spending no more than the cost of a t-shirt.
“This is my favourite ever bug bounty, it’s like marketing for hacking,” Davis said as a slide appeared behind him showing a man wearing a t-shirt with the caption ‘I hacked the Dutch Government and all I got was this lousy t-shirt’.
“Now I really want one of those t-shirts, so I need to hack the Dutch Government. But the problem is I can’t hack the Dutch Government because the Dutch Government is now too secure, because everybody wants to break in and help them secure their systems so that they can get these ludicrous t-shirts.”