Google recently announced it will pay up to $30,000 to security researchers who find a vulnerability in its Chrome browser and up to $150,000 to anyone who finds security holes in Chromebook devices.
But not long ago, tech companies were not very welcoming toward security researchers—aka ethical or white hat hackers—who found vulnerabilities in their systems. In past decades, ethical hackers have faced prosecution and even jail for probing the software and networks of tech companies for security holes. Even if their intentions were sincere, ethical hackers would be taking great risks when they were doing security research.
Things have changed a lot in the past few years. Now, companies and government agencies have come to appreciate the work white hat hackers do. Many even reward ethical hackers for testing their systems.
However, white hat hackers still walk a fine line, and there are still cases where they find themselves in hot water for the work they do. Meanwhile, companies are often unprepared when working with security researchers.
In an interview with the Daily Dot, Julia Kanouse, CEO of the Illinois Technology Association, explained what hackers and companies can do to avoid trouble when working together.
Companies are in need of security researchers
“What we’ve seen in the past few years is that companies are increasingly embracing the idea of ethical hacking,” Kanouse says. “They’re starting to put more process and structure in place around how they deal with it internally if they get a disclosure and how they’re starting to actually promote and try and bring ethical hackers in.”
In the past years, many large tech companies such as Uber and Facebook have launched bug bounty programs, where ethical hackers can submit information about security vulnerabilities and get rewarded for their efforts. We’ve also seen the emergence of online platforms like HackerOne, where white hat hackers can officially introduce themselves and sell their services on demand.
The reason for this welcoming of ethical hacking is partly due to how work environments have evolved. Many companies have shifted from people working in a single building to online workplaces that run across several cloud platforms and apps, with users scattered in different geographical regions. Companies have effectively turned into complex online digital systems that contain sensitive information about the business, its employees, and its customers. Consequently, the costs of security breaches have become much more than they used to be.
“When you look at how the amount of data has exponentially increased… there’s just so much more that is hackable now,” Kanouse says, adding that the internal development teams in companies often can’t find security holes themselves and having a fresh pair of professional eyes look at their systems can help a lot. “If they knew there was a vulnerability, they wouldn’t have built it that way in the first place. So I think that’s the big benefit of having that outside perspective from ethical hackers.”
Challenges remain
While the need for security has brought companies and ethical hackers closer together, there are still problems they can both run into.
For hackers, Kanouse says, if there aren’t clearly defined rules from the company, they may find themselves in trouble in terms of doing something illegal related to the data.
“If you don’t fully know the industry rules and regulations in terms of how far you can go and what kind of data you can get access to, you just have to be really careful not to put yourself in a position where you do something that is illegal. I think there’s a very blurry line there. It’s very gray,” Kanouse says.
In February, an ethical hacker was arrested after reporting vulnerabilities in Magyar Telekom, a Hungarian telecommunications company. The hacker had probed the company’s networks without having a formal contract. After the hacker reported his findings, the police arrested him for cyberintrusion.
In 2012, a British student was sentenced to eight months in jail after discovering security flaws in Facebook’s servers. The defendant’s argument that his intentions were non-malicious and he planned to report everything to Facebook did not convince the judge to exonerate him.
On the company side, the biggest pitfall is not being prepared, Kanouse says. Organizations and companies must also be prepared for when an ethical hacker reaches out to them with a vulnerability.
“If you haven’t proactively thought about what you’re going to do if you get that kind of message from security researchers, it can go off the rails pretty quickly,” she says.
In 2018, two security researchers approached an online casino company with vulnerabilities they had found in their servers. When the company didn’t respond, the hackers took to Twitter in hopes of drawing the attention of the company. That drew the company’s attention, but when the researchers demanded payment for their efforts, things got out of hand and resulted in confrontations with the company’s officials.
This happens often, especially with companies that have no bug bounty program and no procedure to deal with security disclosures. But it also happens at big companies. Earlier this year, a teenager chanced upon a severe vulnerability in Apple’s FaceTime video-conferencing app. When his mother reached out to Apple with the bug, she received no response. Apple eventually fixed the bug, but not before it cropped up on social media with users posting videos of how they had reproduced it.
“Companies need to think about it before it happens. They should be thinking about this in the exact same way that they think about mitigating other risks in their business,” Kanouse says, adding that the bigger the company, the greater the ramifications of not responding in time.
But Kanouse also adds that hackers should make sure their communication is not creepy, especially when contacting smaller companies that might be dealing with this kind of outreach for the first time.
She also stresses that hackers should not make their findings public before the company patches the vulnerability, even if they receive no answer.
“Going public creates some issues because now you’ve put it out publicly, there’s a vulnerability and an unethical hacker could jump there right away, and there’s a likelihood that someone bad would take advantage,” she says.
READ MORE:
- Report: CBP contractor hack was vast, revealed plans for border surveillance
- Hackers got control of Dylan Sprouse’s Twitter account, posted offensive content
- What is buffer overflow, an old vulnerability that’s causing new problems?
- Can you spot an email from a hacker?
Got five minutes? We’d love to hear from you. Help shape our journalism and be entered to win an Amazon gift card by filling out our 2019 reader survey.