A New Way to Enhance Security

Companies are increasingly encouraging users to help them make their products and online services secure through bug bounty or reward programs

By Pankaj Maru

Not that long ago, Mark Zuckerberg, CEO and Co-Founder of the social networking site Facebook, experienced an unusual first. A Palestinian Facebook user, after several failed attempts to warn the company about a security flaw on the site, hacked Zuckerberg’s page to prove his point. By taking this risk, the user showed that one need not be friends with a user to post on his wall. This flaw, he argued, could be exploited by cyber crooks to spam user accounts, which for Facebook now exceed a billion.

While Khalil Shreateh’s act did not win him any “bug bounty money” from Facebook, he did manage to get the site’s — and the online community’s — attention. Apparently, the social media site did respond to him and take corrective action after the hack.

In recent years, bounty or reward programs have become quite popular in both the real and virtual worlds. While in the real world bounty programs are largely run to nab criminals, software and Internet companies employ reward initiatives mainly to enhance the security of their online applications, software products and programs.

Technology companies not only spend big money on research and development, but also invest hugely in security by having dedicated teams as well as deploying solutions. Yet, there are reports of major security breaches, data leakages, spam and malware attacks.

One way to tackle such issues is to take external help through bounty programs. These programs help technology companies find and fix the vulnerabilities that cyber criminals, hackers and fraudsters try to exploit for purposes ranging from hacking, defacing websites and DoS (denial of service) attacks to redirecting web traffic and stealing data and user information.

The idea behind such reward initiatives is to attract and engage with the user community, or ‘white hats’, outside the organization, who have in-depth knowledge and understanding, domain expertise and hands-on experience of working on software products and platforms.

These ‘white hats’ can range from young students, academics and researchers to top domain or technology experts who work on or use a company’s products, applications and platforms and are capable of exposing vulnerabilities or loopholes and notifying the company about them.

Rewards and credits
Recently, Facebook and Google publicly disclosed the amount they paid for their respective bounty programs. Facebook paid over $1 million in its bug bounty program to some 329 people from 51 different countries including India. The California-based firm has paid $20,000 as the highest single bounty so far and some individual researchers have earned over $10,000.

Google, on the other hand, has raised the prize pool for its vulnerability reward programs to US $5 million from this year. So far, the search giant has paid in excess of $2 million over the past three years for over 2,000 reported security bugs.

Many small and mid-size tech firms also have reward initiatives. While these firms may not be able to loosen their purse strings like Google or Facebook, they too have interesting and encouraging incentive programs.

Among them is the U.S.-based Barracuda Labs, the global multidisciplinary research and threat analysis wing of Barracuda Networks, which offers bug reporters cash prizes ranging from about $500 to $3,000, depending on the nature of the vulnerability.

“We believe security product vendors should be at the forefront of promoting security research. The goal of our program is to reward researchers for their hard work as well as to promote and encourage responsible disclosure,” says Dave Farrow, Manager, Barracuda Bug Bounty Program.

“We receive a number of submissions throughout the year on a variety of topics. The number has remained fairly steady over the years since launching the program,” he adds.

PayPal, the online payment gateway for businesses, which launched its bounty drive a year ago, has already received submissions from hundreds of researchers across the world.

“We have had participation from hundreds of researchers across 48 countries. Flagging potential issues to us first helps us to often provide fixes before anyone else is even aware,” says Gus Anagnos, Director, Information Security, PayPal. “We know the importance of working closely with the security community to protect PayPal’s customers and believe that such collaborations across the industry will make the Internet a safer place for everyone.”

Anagnos adds that PayPal has seen immense contribution from its security research partners in the one year that it has implemented this program.

Most programs follow more or less the same procedures and strict scrutiny. As a rule, researchers are barred from sharing information about the vulnerabilities they detect in a company’s products or platform and are not authorized to talk about them publicly.

Symantec, a founding member of the Organization for Internet Safety (OIS), follows the guidelines laid down by OIS. OIS encourages open communication between the ‘white hats’ and vendors, demarcates responsibilities between the two parties and protects the individual.

“We work closely with researchers who communicate vulnerabilities to us, and we give credit to finders who follow responsible disclosure,” says a company blog post.

Attracting new talent
The program also allows organizations to get talented people on board directly as seen in the case of Facebook. “No matter how much we invest in security — and we invest a lot — we will never have all the world’s smartest people on our team and will never be able to think of all the different ways a system as complex as ours might be vulnerable. Our Bug Bounty program allows us to harness the talent and perspective of people from all kinds of backgrounds, from all around the world,” a blog posted by the social networking site reads.

Among the 329 recipients of Facebook’s bug bounty program, two people have taken up full-time jobs with Facebook’s security team. “While we have a team of dedicated security professionals who work vigilantly to help keep PayPal’s customer information secure, we realize that no company can do it all alone, and this goes without saying across the industry as well,” says Anagnos of PayPal.

Going forward
Given the significance of security today, it would be no surprise if the reward programs and initiatives become an integral part of business or corporate strategy, and companies start to invest in the same way as they do in CSR (corporate social responsibility) initiatives or setting up research facilities.

Unlike most foreign tech companies, Indian IT firms have yet to come up with their own reward initiatives. However, ClubHack, a Pune-based not-for-profit organization, has launched India’s first bug bounty platform, Bugs4Bounty, in association with the University of Pune and the Department of Science and Technology, Government of India.

According to ClubHack Founder Rohit Srivastwa, his organization caters to small companies that can’t afford a dedicated security team or the resources to run their own bounty programs. “Small firms might go to a security vendor or a service provider, but there’s a possibility the security vendor could send bugs, spams or malware to get repetitive business. Hence, such companies can subscribe to our platform’s service,” says Srivastwa.

ClubHack’s Bugs4Bounty platform is a kind of escrow service that enables organizations to run their own bug bounty programs, he says. “Unlike other programs, where the user notifies the company about the bugs, here the platform allows partial access to bugs reporting — both to the organization as well as our staff. That brings transparency towards the bugs reporting and vulnerability issues,” he concludes.

As they say in the security world, “No security is foolproof,” but security certainly can be enhanced and tightened using the latest technology along with human skills and intelligence. And the reward programs are another significant step in that direction.

pankaj.maru@expressindia.com
