Slashdot Mirror


Companies Are Paying Millions For White Hat Hacking (nypost.com)

White hat hackers "are in very high demand," says PwC's director of cyber investigation and breach response, in a New York Post article titled "Companies are paying millions to get hacked -- on purpose." An anonymous reader quotes their report: HackerOne, a San Francisco-based "vulnerability coordination and bug bounty platform," reports that it has some 800 corporate customers who paid out more than $15 million in bonuses to white-hat hackers since its founding in 2012. Most of that bounty was paid in the past two years, as companies have become more aware of their cyber vulnerabilities. Clients that have used the platform include General Motors, Uber, Twitter, Starbucks and even the US Department of Defense.
Google paid $3 million last year through its own bounty program, according to HackerOne's CEO Marten Mickos, who touts his company's "turn-key" solution -- a platform which now offers the services of 100,000 ethical (and vetted) hackers. "With a diverse group, all types of vulnerabilities can be found," Mickos told TechRepublic. "This is a corollary to the 'given enough eyeballs' wisdom... they find them faster than other solutions, the hunting is ongoing and not happening at just one time, and the cost is a tenth of what it would be with other methods." And one of the platform's white hat hackers has already earned over $600,000 in just two years.

32 of 58 comments

  1. Payouts are garbage, though by Anonymous Coward · · Score: 1

    10k to fix a bug that could destroy everything. The black market is still better.

    1. Re:Payouts are garbage, though by ls671 · · Score: 1

      It has always been the same, technology or not; people with skills that use them according to their values. Send me the job offers, I might consider them...

      --
      Everything I write is lies, read between the lines.
    2. Re: Payouts are garbage, though by muffen · · Score: 1

      What exactly is the story here? Companies, all of them put together, are paying millions for everything, I'm pretty sure the water bill from flushing after taking dumps is in the millions, and it wouldn't surprise me if Google spends $3 million on food every month.

    3. Re: Payouts are garbage, though by Anonymous Coward · · Score: 1

      Admittedly, the only real news here is that this is an above board platform to connect such talent to organizations seeking such, as opposed to networking over IRC etc...

      You've got to admit that middlemen successfully making a buck usually signifies something or another... back in the day before guys like the L0pht crew you were more likely to end up under threat of arrest or sued than paid as a consultant.

    4. Re:Payouts are garbage, though by phantomfive · · Score: 1

      The black market will always pay better. If companies increase their offers, then the black market will increase them even higher. Although as the prices rise, the number of buyers on the black market will decrease.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:Payouts are garbage, though by martenmickos · · Score: 1

      Given the ease of submission and speed of payment, a bug bounty can be very well worth it. On HackerOne, there is a hacker who made over $600,000 in two years with most of the individual bounties well under $10k.

    6. Re: Payouts are garbage, though by martenmickos · · Score: 1

      What I find interesting is that a regular newspaper will write about this despite it being a highly technical topic. The readers of New York Post are regular citizens. This shows that software security and the hunt for bugs are becoming important enough to be presented to the broader public.

    7. Re:Payouts are garbage, though by martenmickos · · Score: 1

      This is an interesting question. We don't really know what will happen long term. One possibility, as you point out, is that black markets will always outpay any other market. Another possibility is that the ethical hacker community will become so large and strong that they will find all those same vulnerabilities and deliver them to the system owners before the black market gets to build exploits and use them for nefarious purposes. It takes just one ethical hacker who finds a critical 0day to deliver it to a service like HackerOne, and the market for that vuln is over. Although asymmetry is usually in the favor of the criminal actor, in this case it is in the favor of ethical behavior. One ethical hacker can put an end to the sale of a 0day on the black market.

    8. Re:Payouts are garbage, though by phantomfive · · Score: 1

      That won't happen. A company that writes security vulnerabilities will continue to write them, thus providing an endless supply. Until something changes within the company, there will be a bountiful harvest for both black and white hat.

      --
      "First they came for the slanderers and i said nothing."
    9. Re:Payouts are garbage, though by gweihir · · Score: 1

      Indeed. This is completely bogus. People doing it will go for the low-hanging fruit and if they find something really juicy by accident, they can easily make one order of magnitude more money on it. Nothing more complicated will ever get reported to the company. This may also explain why the cost of this is 1/10 of other methods: It has far less than 1/10 of the results and is dangerous in addition.

      Now, a really competent security review will be expensive, but it will look at things like code quality, design and architecture, competence of the implementers and maintainers, processes, roadmap, etc. It will, for example, find cases where only one safeguard is effective (and hence things cannot get hacked), but the risk is high, because you usually want two independent safeguards. It will find things where technology is not quite there yet to attack them. It will find conditions that were unknown, but must be met in order for a system to remain secure.

      Of course, if done by one of the big IT consulting agencies, it will only pretend to do all these things, but as compensation it will be even more expensive. The amount and quality of fail I have seen in reports of IT evaluations from big names is staggering.

      In short, this is the moronic version of IT security, which is not worth the money saved on it, even if it would cost 1/100 of a real security review. It may have some short-term benefits for the bonuses of those having made this utterly stupid decision, but that is it. Long-term, it is disastrous.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Millions is not always a lot by Pirulo · · Score: 1

    A $3M expense from Google is not a considerable sum. They are cheaping out by only expending that little when you consider all data they store and are pseudo-responsible for.

  3. Not the best, and it's more than $300,000 / year by raymorris · · Score: 1

    The summary says:
    --
      one of the platform's white hat hackers has already earned over $600,000 in just two years.
    --

    From that you got:
    > So the world's best (or at least, best-paid) white-hat makes $150k/year?

    Over $600K in two years is over $300K per year. No, that's not "the world's best paid white-hat". That seems to be how much one freelancer made from Hackerone - he or she may have made just as much from other avenues, and there is no reason to think this person is "the world's best-paid white hat" - in fact there is good reason to think they are not.

    That is roughly the range of someone highly qualified, though - without pairing it with management or other fields such as writing. (Think Bruce Schneier - trained as a cryptologist, paid as an author and nerd-famous media personality).

  4. I suppose the headline is true... by GameboyRMH · · Score: 1

    ...in the same sense that the NBA is paying millions for basketball-playing.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  5. Re:Ten years too late... by __aaclcg7560 · · Score: 1

    > Lying is lying dude. Trump does it.

    Of course. He's a politician.

    > You do it.

    I'm not a politician.

    > Your fat delusional reality is just one look in the mirror away.

    I shave each morning. So what?

  6. Re:Ten years too late... by __aaclcg7560 · · Score: 1

    > you're not qualified to comment on getting ahead. literally everything about you is below average but your weight. and you are proud of being our clown. good for you.

    You sound like my mother. Good thing I stopped listening to her when I was a teenager. Otherwise, I would have committed suicide and the world would be a worse-off place than it is now.

  7. Re:Ten years too late... by __aaclcg7560 · · Score: 1

    > And likely spoonfuls of prozac in the mornings and most definitely the anti-depressant of a 4k calorie diet.

    I don't take anti-depressants. Never had, never will. My current diet is 1,500 calories per day.

    > Where you, for example, sit at work "waiting for a script" so you're on slashdot. Do you actually believe that? How's that script of yours doing?

    I just finished re-writing the parser section of my Python script. It's currently grabbing, parsing and saving my 8,000+ comment history into a CSV file. This usually takes 30 minutes.

    > I believe you are a fat loser with no brains, so this is where you socialize.

    I was at the Silicon Valley Comic Con 2017 this weekend, where I posted some comments on Slashdot in between events. Check out my William Shatner video from the sixth row at the City National Civic.

    SVCC 2017 - William Shatner - The Bicycle
    https://www.youtube.com/watch?v=ppJiwDSz0j8

  8. Re:Ten years too late... by pnutjam · · Score: 1

    Do you mean "black hat", because when I read black box, I assume you are testing a device with no documentation. I'm not sure what a white box is, maybe well documented?

  9. Re:Ten years too late... by __aaclcg7560 · · Score: 1

    > I don't believe you are sitting there waiting for scripts 7 days a week. Or maybe I do. Is your title sr computer operator?

    I have a regular job that pays the bills and I have my own company. It's not unusual for entrepreneurs to work seven days a week. I'm currently running a script pinging systems while listening in to a conference call at my bill-paying job.

    > [...] you are a fat fuck who has a chin on his chin [...]

    That picture was taken four years ago and I didn't start my 1,500-calorie diet until recently. There are two types of people on Slashdot: the ones who see my picture and come back with "you are a fat fuck", and everyone else.

    > I bet when someone gets stuck next to you on a plane they ask to be moved.

    I never had that problem. I'm heavy but I'm not wide enough to pay for an extra seat.

    > The fact that you went to a comic book event to see captain kirk actually proves my point about you socializing on slashdot.

    I also saw astronaut Buzz Aldrin's presentation on going to Mars.

    http://www.sfchronicle.com/science/article/Astronaut-Buzz-Aldrin-champions-science-during-11092087.php

  10. Re:Ten years too late... by __aaclcg7560 · · Score: 1

    > Do you mean "black hat", because when I read black box, I assume you are testing a device with no documentation. I'm not sure what a white box is, maybe well documented?

    Black box testing is testing something without knowing how it works inside. White box testing is testing something while knowing how it works inside. Grey box testing is a mixture of the two, say, a device with an exposed API that doesn't document the internal workings.

  11. Re:Ten years too late... by pnutjam · · Score: 1

    OK, if nobody would hire you for "white box", why couldn't you continue "black box" testing with responsible disclosure? There is a lot of money in that.
    I was confused because you indicated an inability to break into the industry and assume you misspoke trying to indicate what you were doing was unsanctioned and not necessarily legal.

  12. Re:Ten years too late... by __aaclcg7560 · · Score: 1

    > OK, if nobody would hire you for "white box", why couldn't you continue "black box" testing with responsible disclosure? There is a lot of money in that.

    My black box testing experience was six years as a video game tester and lead video game tester, six months as software tester for a virtual world and six weeks as a software tester for an ebook reader. Some hiring managers would find my experience "lacking" because none of it was a "mainstream" product. I didn't want to continue as a video game tester because all the local companies were moving to Southern California for the Hollywood convergence that never happened. Recruiters kept offering me positions in IT support when I started applying for white box testing positions.

    > I was confused because you indicated an inability to break into the industry and assume you misspoke trying to indicate what you were doing was unsanctioned and not necessarily legal.

    Black/white hat hackers are a different category.

  13. Re:Ten years too late... by __aaclcg7560 · · Score: 1

    > Seeing a presentation about space is socializing? Gotcha. You know what I did? I went out to a restaurant then hung out with a bunch of girls at a k-pop karaoke. Today I decided to go to Italy for euro labor day for a week or two. Went online, booked the trip - gonna work remote for a bit. After 20 years of experience, I can do that without saving and planning, as it's going to cost just a few days' wages. Not quite a show by some unknown stripper in the evening gymnasts in vegas though. I'd need to save up for that. Till about lunch.

    You're the asshat with the drinking and financial problems! No wonder you sound so bitter in your replies. You should really lay off drinking $3,000 per night on wine. It's not a healthy lifestyle.

  14. Re:Not as good as it sounds by gweihir · · Score: 1

    Very much so. And you can make a lot more as a gray-hat, with no risk of prison time. These people are basically a bit more advanced amateurs with big egos that exploit themselves.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  15. Re:Not the best, and it's more than $300,000 / yea by gweihir · · Score: 1

    The problem here is that this will not keep. There is definitely luck involved, and if this person was, say, working 80h weeks, then the compensation still sucks.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  16. Re:Ten years too late... by gweihir · · Score: 1

    white box = you have all documentation, accounts, technical authorizations, and access to people
    gray box = you have some of the above, often in limited form
    black box = you know how to reach the target systems

    Black box pen-testing makes no sense, since it wastes a lot of time. The only reason to do it is that with a limited budget, it may not find things, i.e. create a false sense of security that management can then escalate as a great achievement.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  17. Re:Is "white hat hacker" a Millennial/hipster term by gweihir · · Score: 1

    It can also be a "system security analyst" and a "software security analyst" or a lot more fuzzily an "IT Security Expert" or "IT Security Consultant". Of course, in a time where the BS term "Cyber" gets attached to anything, "Hacker" is actually a significant improvement.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  18. Re:Vetting by gweihir · · Score: 1

    At the cost-point they claim? They maybe have verified the email address for that ...

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  19. Not much luck over a two-year period by raymorris · · Score: 1

    My team and I do something similar periodically. Our experience is that luck is a short term phenomenon in the face of skill. Daniel may happen to find something pretty good in the morning, while I don't find much until the afternoon. Zach might find two interesting bits on Monday, none on Tuesday; Immad finds one on Monday and one on Tuesday. Over the course of a few days, our performance tends toward what you'd expect from our resume. Luck is very short term, skill is the controlling factor over the course of even days, and certainly over years.

    For example, a guy who knows how to analyze a system to divide it into its components, then focuses on the interactions between those components, will find many more vulnerabilities than someone who focuses on one component and tries to find vulnerabilities within that component, internal to it. It's the interfaces between systems where most of the weaknesses are. Looking in the right places, the most likely places, is a skill, not luck.

    1. Re:Not much luck over a two-year period by gweihir · · Score: 1

      Luck is involved in the parts of finding things that others have not yet found and that hence give you a high payout. In particular, this gets progressively harder and the harder it gets, the lower the payouts. So while this person made $600,000 over 2 years, a repeat performance over the next 10 years or so is exceptionally unlikely.

      An actually professional code security review does not depend on luck. It also does not try to maximize "bugs found". It looks at architecture, design, input validation, critical data-paths, etc. and more than half of the result will not be descriptions of bugs found, but analysis of severity and conclusions to be drawn and even things that are not directly bugs, like critical data-paths that rely on one protection mechanism, configuration options that are hard to get right and break security (or remove one layer of protection) when done wrong, code structure that is misleading, security functionality in surprising places, etc.

      The whole focus on "finding bugs" is misplaced. You will never find them all and due to the randomization aspect of this, a different attacker may just find ones you did not find, regardless of how hard you looked. In fact, it is basically always cheaper and has a better result to re-implement with highly skilled and trusted people that thoroughly understand software security. Doing background-checks on these people and making sure they are satisfied with their jobs is actually much more important than to look at the code they produce. As so often in IT security, skewed and outright wrong ideas from bad movies are prevalent in the area of code security as well.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  20. Re:Ten years too late... by pnutjam · · Score: 1

    Thank you, that's why I was confused. Black hat makes sense, black box, not so much.

  21. Re:Ten years too late... by gweihir · · Score: 1

    You are welcome.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  22. Two different and complementary things by raymorris · · Score: 1

    Code review and pentesting are two very different, yet complementary things. As you suggested, code review is likely to find a lot more, including things some people don't typically think of as "security" - points of fragility, for example. Code review is very useful, especially when done by people trained in security.

    Pen testing *after* code review is also very useful. It isn't unusual for code review to have a lot of detailed findings. As an analogy, looking at the internals (code review) might find that the deadbolt is only held in with two half-inch screws, it's a cheap, crappy lock, and the gap between the door and the frame allows the lock to be shimmed. After you address those, a pen tester looking at things from a different perspective walks right in through the side door. A concrete example is the OS. You might code review the application extremely well, then I shellshock right past it. "But the OS is out of scope!", you exclaim. So what. The bad guy and the pentester don't care about your review scope. We just walked right into your database.

    Two different, complementary things, both useful.