In a significant shift in the way the tech industry responds to hackers, an increasing number of companies are resorting to use of “bug bounty” programs that reward hackers who identify flaws in their company software and security systems. In the last several years, the list of companies that have had their data hacked is a who’s who of corporate America. The reported data breaches have been so numerous that for many a sense of fatalism has set in – the director of the Federal Bureau of Investigation recently said there are two types of companies: those that have been hacked and those that don’t know it yet. However, the tech industry is trying a new more proactive approach – paying hackers to make their software and security systems more secure.
The list of technology companies that are paying hackers bounties includes Google, Facebook, Dropbox, Microsoft, Yahoo, and PayPal, and even electric-car maker Tesla. Facebook and Microsoft even sponsor an Internet Bug Bountyprogram that is run by volunteers from the security sector and pays hackers to report bugs. Additionally, start-ups such as HackerOne, BugCrowd, Synack, and Bug Bounty HQ hire teams of hackers to do private vulnerability-finding missions. There are signs that this trend may expand beyond the tech industry. As more household appliances and critical infrastructure, like water systems and power lines, go online, the risk of hacking increases.
Critics of the bug bounty programs argue that while useful, they are inherently reactive. Therefore, developers need to incorporate secure coding practices into the design of their programs. But even the most sophisticated coders are not able to catch and correct all of a system’s flaws. Google’s team of 10 full-time hackers, called Project Zero, has fixed more than 400 critical flaws in widely used programs. Ultimately, the increasing popularity of bounty programs tells us that companies likely will need to use a two-pronged approach – both incorporating secure coding practices but also using expert hackers to find other vulnerabilities that still may exist.