[BreachExchange] Bug Bounty Programs – your company’s friend or foe?
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Mar 20 18:59:37 EDT 2018
https://www.natlawreview.com/article/bug-bounty-programs-
your-company-s-friend-or-foe
Bug Bounty Programs (BBPs) actively encourage hackers to explore a
company’s systems and report back on any vulnerability they discover.
Often, pre-determined financial incentives are offered to the “security
researcher” in return for their findings. The attraction of this process is
obvious; rather than suffering a cyber incident that could – and for many
organisations has – cost millions of dollars and resulted in reputational
damage, companies can instead make a comparatively small payment to ethical
“white hat” hackers with the intention of pre-empting an incident.
But what happens when BBPs go wrong? In November 2016, Uber was extorted by
two opportunistic hackers who downloaded a cache of sensitive archived data
stored on Uber’s private Amazon Web Services cloud. The data contained the
names, email addresses and phone numbers of 57million users as well as the
drivers licence numbers of over 600,000 US drivers. Neither consumers nor
law enforcement bodies were notified at the time by Uber. Instead Uber paid
the hackers ten times the company’s listed $10,000 reward to keep the
hackers quiet and delete the data. Uber has since publically apologised for
its botched data breach response.
Companies can take practical steps to strategically design and manage their
BBP, such as creating a ‘scope of acceptable conduct’ (whereby the
distinction between accessing and acquiring/downloading data is clearly
drawn), set criteria for what proof is required to confirm a ‘successful’
hack and offer non-monetary incentives to ethical hackers such as giving
them public credit or increased exposure to job opportunities.
The problem is once the hacker breaches your systems temptation lies open
before them, at which point that ‘white hat’ can tend to look a little…well
black! The lesson perhaps is to make the bounty large enough to make the
hacker want to stay honest and collect it.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180320/10d56097/attachment.html>
More information about the BreachExchange
mailing list