Last week, security researcher Roy Castillo posted a recount of interactions with Facebook about a bug that he had found. The bug allowed anyone to look up the real e-mail address of any Facebook member.
Roy wrote about how someone could exploit the bug and what happened after letting Facebook know. I think this is a great article about the reality of bug bounties that numerous companies have been posting, reaching out to independent security researchers to help in securing their software before potentially damaging vulnerabilities are discovered by the wrong people.
Roy’s discovery and eventual disclosure to Facebook earned him $4500 that was delivered to him in the form of a “WhiteHat Visa Card.” This is only one example of how companies are changing their outlook on vulnerability researchers from seeing them as potential criminals, as we have seen in the past, to valuable bug bounty hunters who are paid less than it would cost if the bug was used maliciously.
In fact, the website BugCrowd.com has a huge list of companies that are willing to pay anyone who finds a vulnerability and let’s them know about it.
I wonder about the future of our security community: will bug bounty hunting become the norm? Is this form of vigilante computer security the best way to beat the bad guys? I think so. It might even help would-be criminals make the choice between using a potential exploit as a legitimate source of income rather than an opportunity for wrong doing.
Either way, the entire industry over the last few years has reflected a new vision of the traditional “hacker” as more and more government organizations and corporations seek the basement dwelling, semi-law abiding Jedi masters of the net as an effective method of fighting a very serious cyber threat.
To adapt an old adage: “If you can’t beat ’em, hire ’em!”