Good on them!
I'd much prefer these to be discovered, the finder paid $lots (which would essentially come out of what other customers and I are paying in licences) and potentially save me and my business $lotsmore in downtime and data compromise.
Vuln hunters brought home the bacon last year, according to figures released today by bug bounty platform HackerOne. The Hacker-Powered Security Report is a biannual study of vulnerability disclosure ecosystems. It found that organisations resolved 27,000 vulnerabilities, earning ethical hackers $11.7m in 2017 alone. The …
> It doesn't mean there aren't any taking the latter route.
I expect them to be doing both!
Find and develop exploit, create malware package, as 'blackhat' sell malware package, wait for money to reach bank account, as 'whitehat' report exploit, wait for money to reach bank account...
So this method provides plenty of carrot to report exploits and a decent stick for software authors to take note and release fixes...
For the big websites / standalone software companies, this is going to have to become the norm. Nothing so far has been able to shift the mindset from the "just ship it, got to be first to market no matter how poor or rushed it is" mentality, and now there's a mechanism developing that can truly make a difference.
For any big players in any market, not doing so could ultimately become a big red "AVOID!" flag for customers if it becomes a big thing, and there will truly be an incentive to clamp down on the cheap and nasty practices that have been too prevalent up till now, as the market can then weed the cheapskates out.
As far as making it a profession goes, it's probably very risky right now unless you have the inside knowledge to exploit it at this early stage, but I can foresee huge success awaiting the people who truly get the big "eureka" moments and push this forward with innovations that nobody will dare to be without as regards making money off it. Could this be the way software development can reach the next stage of maturity, rather than all the other hopes and dreams that have so far failed? After all, I've never seen a fundamental approach that starts off by saying as a first point of principle: "All software and systems have bugs and vulnerabilities, and even planned tests will never catch the truly clever ways to exploit and uncover them".
It's essentially outsourcing the security testing to an external contractor, with the difference that you don't have to go to the trouble to engage anyone, mess about with contracts etc. From the point of view of software companies, even offering massive bounties is probably still much more cost-effective than to hire someone directly. The largest bounty was $75k, which might have taken months of research by a highly skilled hacker (ahem, security researcher). Hiring such a person directly would take a salary (if they even would agree to be employed, they might not like the idea anyway) at least double that at a cost to the company of close to a quarter-million a year. For a large, or even medium-sized, vendor, keeping a bounty pot of say half a million a year is peanuts.
Also keep in mind that anyone, whether employee or contractor, can to a greater or lesser extent be sucked into office politics that can affect how and what they are reporting. It's probably better practice to have the bug-hunting done by total outsiders with no connection to the company.
Indeed. It is of course often very risky for an ordinary employee to report this kind of thing. A fairly large proportion of middle managers react in a very hostile way to something they perceive as an attempt to make them look bad in the eyes of senior management. They certainly do not see it as the "shop floor prole" doing what might be a very considerable service for the company.
The article left out some arguably important information. How many hackers earned a piece of that $11.7m pie? How many folks are able to make a living from this kind of work? How many are just earning a little extra on the side? It's certainly good news that this bit of the economy is growing, but is it made up of a bunch of part-timers or well-paid workers? We have a good idea of who the customers are but not of the providers.
Which workers were winning welcome wages?