
A Behind-the-Scenes Look at Hackers Who Get Paid to Find Bugs

Earlier this month, Apple announced it would start offering up to $200,000 to hackers who can find software flaws in its products, joining the ranks of hundreds of companies who offer financial compensation for bug-busting. The first program of this kind was deployed by Netscape in 1995; since then, Microsoft, Tesla, and Google have all introduced bucks-for-bugs programs. Facebook has so far paid out more than $4.3 million to researchers since it started its program in 2011.

[Image: people posing with laptops in front of a projection showing the word "cyber" and binary code, Zenica. REUTERS/Dado Ruvic]

With such high-ticket prizes to be claimed, a new industry has been spawned in Silicon Valley: the bug bounty hunter. And the potential is huge — a recent report showed that 94 percent of companies on the Forbes 2000 list don't have a bug bounty program or a vulnerability disclosure policy.

That's an accident waiting to happen, believes Alex Rice, chief technology officer and co-founder of HackerOne, a bug bounty company based in San Francisco.

"Everyone is very quickly becoming a technology company and they are suddenly waking up to the fact they haven't been doing security right from the very beginning," Rice told NBC News. "Our mental perception of technology hasn't been keeping up with where it actually is."

At issue is the fact that, from toys to vacuum cleaners and even government records, we're now living in a world where the majority of the items we rely upon daily are hackable.

"They have cameras in them and they're all connected to the internet. So a mobile camera in your house starts to open up interesting avenues," said Rice.

HackerOne and another San Francisco-based company, Bugcrowd, are two examples of bug bounty platforms bridging the gap between businesses and hackers.

"It's changing this model of, 'We don't want any feedback. We don't want hackers looking at our stuff,' to, 'OK, actually we think this is a healthy thing, come talk to us,'" Jonathan Cran, vice president of operations at Bugcrowd, told NBC News during a recent visit to the company's San Francisco office.

Who's Getting Hacked

The increased business comes as a rash of hacks have hit across industries.

Last year, children's toymaker VTech said it suffered a security breach after someone accessed millions of profiles belonging to parents and children in the company's "Learning Lodge."

Two security researchers demonstrated a complex hack last year showing how they could remotely kill a Jeep Cherokee on a highway.


Hotel operator HEI, which runs chains such as Starwood, Marriott and Hyatt, reported this month thousands of customers' credit card payment data may have been hacked from food and drink transactions at several locations.

The list of hacks goes on and on.

Who Are These Hackers?

The hackers submitting bugs to HackerOne and Bugcrowd number in the tens of thousands and hail from around the world. Both companies said they get the most submissions from the United States, but have paid bounties to hackers in more than 100 countries.

Some bug bounties at HackerOne and Bugcrowd are public, allowing anyone who wants to test their skills to give it their best shot at finding a vulnerability. Others are kept private, with more experienced hackers being invited to put a company's security to the test.

One of them is Justin Kennedy. Like many skilled hackers, he has a full-time job but earns a healthy supplemental income from making bug bounties a hobby.

The Boston-based director at NTT Security told NBC News he's used his skills to earn an estimated $25,000 to $30,000 over the past two years reporting bugs he has found during his free time, mainly on Bugcrowd but also across other platforms. His rewards have come from web-based applications and various consumer-level security systems, he said.

"As my day job focuses mostly on scenario-based penetration testing [simulating the actions of an attacker from a specific starting position with specific goals], I tend to gravitate towards the Capture the Flag style bounties when they are running," Kennedy told NBC News.

Even the federal government is warming up to bug bounty programs. The Pentagon recently invited friendly hackers to test some of the Department of Defense's websites.


After the program was completed in June, Lisa Wiswell, Bureaucracy Hacker at the Defense Digital Service, wrote in a Medium post that 1,410 hackers had joined the challenge.

Of that group, she said 1,189 reports were submitted and 138 were qualified and paid out. In total, Wiswell said 117 people received rewards ranging from $100 to $15,000.

"And precisely zero registered hackers that intentionally did anything nefarious, or malicious," she added.

Hillary Clinton took notice, writing in her technology platform she will "encourage government agencies to consider innovative tools like bug bounty programs" that will "encourage hackers to responsibly disclose vulnerabilities they discover to the government."

HackerOne's Rice said it's just another sign of the important role bug bounty programs will play as we become even more connected — and also a reminder that no computer system is bulletproof.

"Get into the mindset technology has bugs. It is going to break from time to time," Rice said. "The technology you should be putting your trust in is from the manufacturers who are honest about that and have a clear record of transparency about how to go about resolving those issues."