Why companies offer a hacking bounty


Want to make a cool $20,000?

All you have to do is hack the Nintendo 3DS, a handheld console that has been out for a few years already. A listing on HackerOne spells everything out: hackers will receive a cash payment for discovering a vulnerability in the system, which lets gamers make purchases and stores private information such as your age and gender. There is a range, of course -- some discoveries will pay only $100. Also, anyone who files a report must follow the exact template.

It makes you wonder: why would a major Japanese company offer a reward like this? Why is it even worth the expense, especially when you know they have in-house security researchers?

Many companies, including Apple, Uber and Yelp, offer bounties regularly. One report says Apple will pay $200,000 if you find an exploit in the new iPhone. The expense is obviously worth it, or the bounty programs -- and sites like HackerOne -- would not exist.


“The main advantage is that you get researchers that think like a hacker and will try to find vulnerabilities like a hacker,” says Alvaro Hoyos, the CSO at OneLogin, an identity and access management company. “This helps you identify issues that either your internal or external penetration testing teams might miss, not just because of that hacker frame of mind, but also because you have a greater quantity of researchers constantly testing your systems.”

Chris Roberts, the chief security architect at Acalvio Technologies, an endpoint protection company, says the rise of hacking bounties is due to the community becoming more organized and more willing to help. Sites like BugCrowd and BugSheet have made it easier for larger firms to post a bounty, accept research findings, and pay the researcher.

He tells CSO that he has been paid about $3,000 to $5,000 to find a vulnerability, although in some cases the company only gives him a warm thanks. In some cases, a bounty for his team has run as high as $25,000 to find a bug a hacker could expose.

Challenges in offering a bounty

Roberts noted that companies are not always prepared to offer a bounty or set up the bounty program. One big challenge is finding the right bounty amount to match the vulnerability.

“This can lead to some unpleasant exchanges with researchers,” he says. “You will have to properly manage the input, the responses and the findings -- even though you are now hoping that your IT security budget is lower. You will have to staff up to work through the submitted results or risk the wrath of people getting fed up not getting a response.”

In some cases, he says, hackers will not want to be identified and may not want to work with the company's legal team. Not all researchers want to read through every detail of a complicated reporting template. And if the program is not set up properly (for example, with a test environment reserved for researchers), it can be hard to tell real attacks from bounty research.


Hoyos says one potential challenge to a bounty is that it can call attention to the new service, gadget, or app. It could alert a criminal hacker that a company like Apple or Uber knows there could be a vulnerability, even if that’s not necessarily true.

“If your company lacks the resources to close out bugs being reported in a timely manner, you are, in theory, letting more and more third parties know an exploitable bug exists,” says Hoyos. “Chances that none of those third parties will disclose that bug to a malicious actor or abuse it themselves go up as more of them become aware. This of course is assuming the worst possible outcome, and knowing what you don't know is still extremely valuable.”

Paul Innella, CEO of TDI, a cybersecurity company, says some bounty programs go awry: hackers discover an exploit and, instead of letting the company know and collecting the reward, sell the discovery on the Dark Web. The bounty program has created a new problem.

What to expect from both sides

Offering a bounty -- or being the researcher hunting for vulnerabilities -- is also challenging because, in many ways, the temptation is to offer a bounty instead of hiring security professionals, running your own penetration tests, and setting up a security infrastructure.

“If you’re using this methodology because you don’t understand your corporate defenses, meaning you’re not equipped to detect attacks and act upon them, then offering a bounty is not for you,” says Innella. “Bounty programs should be used by companies with robust cyber defenses and considered a part of regimental cybersecurity testing, essentially in an outsourced capacity.”

Jumping into ethical hacking to find exploits is not something to take lightly, according to Nathan Wenzler, a security architect at Astech Consulting. One important point he makes: while the number of hacking bounties is rising, payouts are trending lower. For example, Uber has paid out $819,085 since launching its bounty, with a top range of $5,000 to $10,000, but the average is more like $750 to $1,000 per vulnerability.

Still, Paul Calatayud, CTO of FireMon, a firewall management company, says finding a zero-day exploit for a large enterprise can pay much more -- into seven figures.

That’s a pretty good pay day.

This story, "Why companies offer a hacking bounty," was originally published by CSO.


Copyright © 2017
