The last two years have seen the Equifax breach, the WannaCry cyberattack, a nefarious DDoS attack that destroyed the internet for a full day, and a laundry list of other security breaches of the stores, restaurants, and retailers we know and love. A skilled hacker has a dangerous amount of power in their hands — power with the potential to destroy lives.
But take heart: Scattered across the internet are hundreds of thousands of equally skilled hackers who are fighting to protect you.
If your personal information wasn’t compromised this year, you have that army of nerds to thank.
Way back in 1983, Volkswagen offered a reward to hackers who were able to breach the operating systems of the company’s Beetles. Twelve years later, Netscape instituted the first “bugs bounty” program, offering rewards to users who reported issues in its Navigator 2.0 software. The program wasn’t especially lucrative — Netscape’s product director at the time said in an interview that “several” hackers received a $1,000 prize, while “many others” received Netscape merchandise — but it demonstrated the potential of such programs. A small but dedicated group of Netscape users put hours into the task, despite the small chance of a reward.
A few other companies followed suit throughout the next few decades, including Mozilla, which announced a similar program, with a $500 prize, in 2004.
But it wasn’t until 2010 that bug bounty programs were brought to the mainstream: Google launched an “experimental new incentive” for the cybersecurity community to find bugs in Chromium, offering $1,337 for “particularly severe or particularly clever” bugs and $500 for other security bugs.
Today, most of the largest companies with technological components, from Snapchat and Dropbox to Tinder and Starbucks, have “bug bounty” programs. They offer monetary rewards, often in the thousands of dollars, to anyone who can exploit security vulnerabilities and report them to the company. Across basements, offices, cubicles, arenas, Slack channels, and forums, hackers answer their call.
According to a recent HackerOne report, ethical hackers largely hail from India (23%), the U.S. (20%), Russia (6%), Pakistan (4%), and the U.K. (4%). They come from a range of educations: 58% are self-taught, 50% studied computer science in college, and 26.4% studied it in high school. A full 90% are under 35, with 50% under 25, and just 8% under 18.
But there’s one trait that all ethical hackers have in common, and that’s “endless curiosity,” according to Marten Mickos, CEO of bug bounty platform HackerOne: “We don’t find them. They find us. They read, they study vulnerabilities, and then they report them. Most of them start when they’re young.”
Jack Cable is no exception. He’s a high school senior who taught himself to program by watching YouTube lectures when he was 12 years old. In between homework, college applications, and high school math team competitions, Cable has exposed more than 200 security vulnerabilities for around 50 companies, including Uber, Bitcoin Exchange, and even the U.S. Air Force.
Cable has spent the duration of his career serving the public good, as have other hackers. Cable also knows people who began as criminal hackers who are now turning their lives around, working for good.
Cable frequents a forum of around 150 hackers who share tactics and collaborate on finding bugs, even though they’re ultimately competing for the prizes.
“Everyone is much more collaborators than competitors,” says Cable. “There is a strong component of helping each other out, of working together to improve these companies’ security.”
Sean Melia is a senior security engineer at security service company Gotham Digital Science. In late 2014, he saw a YouTube video in which a hacker reported receiving $15,000 for finding a bug. Intrigued, Melia poked around the internet and found a bounty program from Yahoo. Over the next few weeks, he located more than 30 bugs for the platform — and pocketed $22,000.
“I’ve never had that much money at one time getting deposited into something,” he said of his start. “I was kind of hooked after that.”
Now, after a long day of assessing the security of networks and web applications, Melia goes home and hacks. He has found more than 800 bugs for more than 50 companies, including Yahoo, Twitter, and Starbucks.
That said, Melia insists that the money isn’t everything. “To be good at this, it has to be a passion,” he says. “If you’re just like, ‘I want the money,’ you’re not going to fare well.”
Still, the money is a nice incentive. One hacker, “robd4k,” recently earned enough to build himself a house. And according to HackerOne data, the top hackers based in India earn 16 times the salary of the average software engineer there.
While the hacking community is predominantly white and male, there’s diversity in the methodology that hackers employ, and this multifaceted approach is what companies with bug bounties seek.
Ethical hackers “will be much more creative in finding the bugs,” Mickos said. “Even if you have a really smart person in house, it’s difficult [for them] to find their own typos. The outside world will always outperform the inside world.”
Are they ever tempted to exploit vulnerabilities for themselves? Not as long as the reward for being ethical is bigger.
“I’ve never found a case where I would benefit more from not reporting it,” Cable said.
Melia discovered one of his recent bugs by accident.
He was routinely scanning the Starbucks app, just like a normal user, and was in the process of ordering himself a coffee when he realized that by changing his order number on the checkout screen, he could modify other people’s orders. This would allow him to send coffees to other people’s houses — or have their orders sent to his house, at no cost. Melia reported the bug for a reward of several thousand dollars.
“I’d rather have a $4,000 to $6,000 bounty than a chance of stealing a free coffee,” he said.
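The Starbucks order bug above is a textbook insecure direct object reference: the server trusted the client-supplied order number without checking who owned the order. The following is an added illustration (not code from the article, Starbucks, or Melia) of that mistake beside the fix; the data store, user names and order numbers are constructed for the example.

```python
# Added example: an order endpoint that trusts the client-supplied order
# number (the class of bug described above) beside the owner-scoped version
# that stops it. All names, orders and addresses here are constructed.
from dataclasses import dataclass


@dataclass
class Order:
    order_id: int
    owner: str      # account that placed the order
    address: str    # delivery address


# Constructed sample data: two customers, one order each.
ORDERS = {
    101: Order(101, "alice", "1 Alice Way"),
    102: Order(102, "bob", "2 Bob Street"),
}


class Forbidden(Exception):
    """Raised when the session user does not own the requested order."""


def update_address_vulnerable(order_id: int, new_address: str) -> Order:
    """Looks the order up by the number from the checkout form only.
    Any logged-in user who edits the number reaches any other user's order."""
    order = ORDERS[order_id]
    order.address = new_address
    return order


def is_owner(user: str, order_id: int) -> bool:
    """Authorization check: does the session user own this order?"""
    order = ORDERS.get(order_id)
    return order is not None and order.owner == user


def update_address_safe(user: str, order_id: int, new_address: str) -> Order:
    """Same operation, scoped to the authenticated session user.
    A missing order and someone else's order get the same refusal, so the
    order number cannot be used to probe which numbers exist."""
    if not is_owner(user, order_id):
        raise Forbidden(f"user {user!r} may not modify order {order_id}")
    order = ORDERS[order_id]
    order.address = new_address
    return order
```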
Though ethical hackers sometimes congregate and share strategies, the process itself is generally solitary — other hackers are, at the end of the day, the competition. They’ll spend hours poring over apps and websites, often with little reward.
“It’s a lot of trial and error,” says Cable. “Testing everything, [thinking about] how you can use that to employ something.” He adds, “Ninety-nine percent of the time it’s not going to indicate a vulnerability, and in that case, you have to move on.”
The most important feature in an ethical hacker, Cable says, is persistence. “If you can keep the mindset that there will be setbacks and at times it will be difficult to find vulnerabilities, if you keep trying new things and keep learning, you’ll be able to identify more vulnerabilities.”
Melia prefers a “black box” approach. On a typical day he opens an application, enters it like a “normal” user, and tries to manipulate everything he can to make the application do things it wasn’t intended to do. Along the way, he learns as much about the company as possible: the size of the network, the scope of the audience, the locations the app or website reaches, the structure of it and what might be exposed.
When discouragement comes, Melia recommends stepping away from the computer, or turning to Netflix.
“There have been instances where I can’t exploit a bug, and then I’m lying in bed and I’m like, ‘Oh, I figured it out.’”
If they want to make a profit, a hacker can’t rest for too long. “Any one of the other hackers would have found it eventually,” said Melia of his Starbucks hack. “I was just the first one.”
Many individuals with hacking skills don’t choose the path of Cable and Melia. Some of that, says Mickos, has to do with the stigma of the job.
The deluge of breaches, vulnerabilities, scams, and viruses that tends to envelop cybersecurity news has left a bad taste in the public’s mouth when it comes to the word “hacker.” And there’s not enough reporting on the good that hackers do to convince the public to value the community.
“For every bad hacker there are about 1,000 ethical hackers,” Mickos says. “It’s just they don’t make a story in the press, so you don’t hear much about them.”
That’s a problem for two reasons. First, because most hackers, according to Mickos, begin building their skills at an age when they’re just developing their moral compass, when bounties are difficult to get, and when free coffees look incredibly tempting. And when hackers don’t feel that people value their work, they’re less inclined to help those people.
Second, laws in many places reflect a broader societal suspicion toward the hacking community, and that can impede the work that ethical hackers do.
The Computer Fraud and Abuse Act, passed in the 1980s, defines the term “computer fraud” in a way that prosecutors are able to stretch broadly to subject white-hat hackers to hefty fines, or even prison time. While it’s unlikely to apply to official bug bounty programs where authorization is explicitly granted, the threat of legal action can keep self-employed hackers from sharing discoveries they make and, consequently, from advancing the field overall.
Melia has been nervous about law enforcement before. He once found a vulnerability in a website that allowed him access to the data of 3,000 users. He “immediately cancelled” what he was doing and reported the bug, but still received an “almost threatening” phone call from the company. He was sent a $500 gift card only after assuring the company that he’d done nothing with the data. He was relieved that he wasn’t arrested, but was still required to sign a non-disclosure agreement.
He’s one of the lucky ones.
In 2008, the Massachusetts Bay Transportation Authority invoked the CFAA to stop a group of hackers from presenting at a conference about flaws they’d found in its electronic ticketing system — talking about hacking, the judge ruled, was as bad as hacking itself.
And in 2005, 19-year-old Samy Kamkar was able to create a script that would force anyone who visited his Myspace page, or the page of anyone who had visited his page, to send him a friend request. Kamkar reported the bug anonymously to Myspace, but it was too late. One million friend requests and a deleted profile later, the Los Angeles Police Department seized Kamkar’s computers and electronics. He was sentenced to three years of probation — without internet access.
To end up with the world’s most talented hackers working for good rather than breaching Equifax, companies need to offer high enough bounties. To do so is an investment in the companies, and in the public’s security.
Legislation should make concrete exceptions to protect hackers who report bugs that they find — the world is worse off if those bugs are kept secret, or even exploited, because hackers fear arrest.
Most importantly, companies and the media should recognize the work that hackers do.
“I see in all parts of society that teenagers and teenage boys will go outside of the human rules,” says Mickos. “But if you work with them, don’t dismiss them, and appreciate their energy and skill and curiosity, they will develop into very good citizens and find their moral compass.”
Companies should incentivize ethical hacking and offer monetary rewards. HackerOne reports that nearly one in four hackers have not reported a vulnerability because the website lacked a channel to disclose it.
But companies should go beyond offering monetary rewards. They should publicize the work that ethical hackers do, to make the media and the world aware.
This recognition plays no small part in keeping hackers like Cable and Melia around. A name in a news article can lead to media appearances, and even job offers.
“They have to make it worth the hackers’ while,” says Melia. “There needs to be some type of public disclosure. The bounty community helped fix these issues … the companies need to recognize the efforts put in by the communities to protect them.”
Hackers are, according to Mickos, “the ones who will rescue and safeguard our society.”