Bug bounties break out beyond tech

Come April, you will be legally allowed to hack the Pentagon, thanks to a new “bug bounty” program through which the U.S. Department of Defense says it’ll pay hackers to crack open its systems. It’s the latest instance of the pay-for-vulnerabilities ecosystem moving from the confines of Silicon Valley into rest of the business world.

The Pentagon’s bug bounty program, the first in the history of the federal government, comes with restrictions. Far from a free-for-all, security researchers must undergo a background check, and the program itself will be limited in scope: “mission-facing systems” are out of bounds.

“We are at the inflection point. There was once a time when people didn’t understand the value of firewalls,” now a fundamental security technology, says Katie Moussouris, chief policy officer at HackerOne, a security company that helps others create bug bounty programs. “We’re at that point with bug bounties.”

More on cash for security bugs: The dark side of bug bounties

Giving hackers carte blanche, or close to it, to look for vulnerabilities in your company’s website or servers may sound like a good way to get, well, hacked. But it turns out that financially rewarding hackers for doing something they might be doing anyway has an added benefit: It motivates them to report the bugs to you before exposing them to the public. Getting time to fix a bug before everybody else knows about it can save the public from being exposed to a potentially catastrophic hack.

While the Department of Defense has not disclosed whether it has a partner helping with its bug bounty program, the business growth for companies like HackerOne that specialize in bug bounty development reveals an interest in them reaching far beyond the tech industry. HackerOne counts Silicon Valley stalwarts such as Adobe Systems, Yahoo, and Twitter as clients, but it also has General Motors on its rolls. The company says it’s seeing 30 percent growth in customer bookings each quarter.

HackerOne also maintains a public-service directory of bug bounty and vulnerability public disclosure programs, which includes non-tech companies like United Airlines and ING Group.

“Vulnerability disclosure is undergoing a transformation from a very scary thing, where somebody approaches you in a back-alley kind of way—at least that’s the perception of it—to awareness that it’s the organization’s responsibility to accept feedback.” — Jonathan Cran, vice president of operations, Bugcrowd

Jonathan Cran, vice president of operations at HackerOne competitor Bugcrowd, says that as of September, 18.7 percent of his company’s clients focused on something other than technology. That percentage, he adds, is growing.

“Vulnerability disclosure is undergoing a transformation from a very scary thing, where somebody approaches you in a back-alley kind of way—at least that’s the perception of it—to awareness that it’s the organization’s responsibility to accept feedback,” Cran says.

Among Bugcrowd’s non-tech clients are Western Union, Zephyr Health, and Tesla Motors, the company says.

From having a bug bounty to running it well

Bug bounty programs—part of the tech landscape since 1995, though only broadly accepted much more recently—are complicated creatures. They require the organization offering the bounty to maintain open lines of communication with the hacker community, while fixing the vulnerabilities the hackers report.

Randy Westergren, a security researcher and developer who has submitted vulnerability reports to a long list of companies, including Verizon, Marriott Hotels, and Intuit, last year publicly disclosed vulnerabilities he found in United Airlines’ website and mobile app after United patched its products. While United responded quickly to Westergren’s emails in accordance with the policies outlined in the United program, it took the company more than six months to patch the security hole, he says—leaving United customers at risk.

“My experience with United was the first instance in which I’ve had to threaten public disclosure to have a vulnerability patched,” Westergren says. “My approach ended up working; they were pressured to fix it, but it was certainly less than ideal.”

United Airlines declined to comment.

“I would call United a success story, at this point,” Bugcrowd’s Cran says, referring to its bug bounty program. “They’ve publicly said they’re willing to process issues.”

A publicized vulnerability at United is one thing. What happens if the Pentagon goofs up its bug bounty program?

While hackers and federal officials have long history together, they’re as likely to be at loggerheads with each other. Moussouris believes that their partnership will be successful because the Pentagon is running its bug bounty program as a limited test “in order to work out any process issues,” she says.

“Ideally, researchers will grant them the grace to work out this pilot, and the Department of Defense will accept the researcher feedback and improve,” she says.

Corrected on Friday, March 4, at 10:05 a.m. PST and on Monday, March 7, at 9:30 a.m. PST: HackerOne includes United Airlines and ING Group on a list of companies that offer bug bounty programs. Earlier versions of this article incorrectly identified them as HackerOne clients and mischaracterized United’s response to Westergren.