Secplicity - Security Simplified

Powered by WatchGuard Technologies

Business is booming for bug bounty hunters

March 27, 2015 By Corey Nachreiner

Editor’s Note: A few months ago, I shared an article and video from a new InfoSec-related site, Third Certainty. This security news and analysis site isn’t just a great professional resource, but one I think appeals to normal consumers as well. It’s led by Pulitzer Prize-winning journalist Byron Acohido, who excels at breaking down complex topics into stories that everyone can understand. Sign up for the free weekly newsletter, and recommend the site to your less technical friends.

In any case, Acohido recently published an article talking about bug bounty programs, which includes a video where I talk about the underbelly of the zero day vulnerability market. Check out Acohido’s article in full below, and visit his site for more great content.

Business is booming for bug bounty hunters

By Byron Acohido, ThirdCertainty

Video: http://player.vimeo.com/video/122450361

Corporate-sponsored bug bounty programs have become an indispensable means of blunting new forms of cyber attack.

It is now routine for Google, Mozilla, Adobe, Facebook and Microsoft to pay five- and six-figure fees to hackers who make a living ferreting out fresh security holes in the software applications consumers and companies use every day.

Hackers are continually on the hunt for overlooked flaws in popular operating systems, such as Windows, Mac OS, and Android, as well as in ubiquitous software applications: all of the major Web browsers and the plug-ins that run inside them, such as Adobe Flash and Java.

The more widely the operating system or app is used, the more hackers probe it for flaws. Flaws that the vendor does not yet know about, and so has no patch for, are referred to as zero-day vulnerabilities, or zero days. There are endless zero days yet to be discovered, and each one discovered has to be patched.


There is an entire cottage industry of white hat hackers who do little else but search for zero days. When one is discovered, the tech company responsible for the OS or app is notified of the new bug, and the white hat gets paid handsomely. The tech company then develops a patch and seeks to get it widely deployed.

Black hat hackers hunt for bugs, too, and also are compensated well. The difference is that they sell to the top cyber crime rings that then use the zero days for thievery and spying.

There also is a third major group paying out bug bounties: governments, including the United States.

Like organized crime rings, governments don’t want the zero days patched, because they have something very specific in mind for them, Corey Nachreiner, director of security strategy at WatchGuard Technologies, tells ThirdCertainty.

Governments are seeking to stockpile zero days, and hold them in reserve to use against rival nations. In modern cyber warfare, no superpower wants to be on the short side of a zero-day gap.

“Governments need an arsenal, so it’s in their advantage not to get the vulnerability fixed,” Nachreiner says.

In harm’s way

American companies are aware of this potential to be hacked by government-backed hackers armed with the best-available zero days, and many are seeking to strengthen their encryption systems. They are also resisting government efforts to ensure that U.S. intelligence agencies can still crack into their communications, according to a recent report in The New York Times. While the government’s request may seem reasonable, it also leaves businesses more vulnerable.

The problem is, of course, there are a lot of busy, motivated bug hunters out there.

So it is very plausible that sooner or later someone else will discover a flaw that’s stockpiled in a government cyber war chest, Nachreiner says.

If a black hat hacker finds a security hole that, say, the U.S. government has had in its stockpile for a long time, that’s not a good thing.

A crime group could put the zero day to work for an extended period, doing wide damage, before anyone notices.

“Not fixing these vulnerabilities as quickly as we know about them, in the long term, harms everyone’s security because we’re all using the same software,” Nachreiner argues.


Filed Under: Editorial Articles
