The Security Interviews: Inside the world of bug bounties
You may not make a million as a bug bounty hunter, but you might help remove some of the stigma that persists around cyber security, says HackerOne’s Shlomie Liberow
When I arrive at the anonymous south London building that houses the offices of bug bounty programme operator HackerOne, the front desk is unmanned and there is a little sign that says, “Back In Five Minutes”. My head is filled with visions of hopping the barriers right now and pwning the pen testers.
Unlike me, the man I am here to meet, Shlomie Liberow, has made a career out of hacking things, but he started out as a developer with a computer science degree – mostly because he wanted to know how to make things before he got to break into them.
“I worked for BAE Systems, as a developer at first, to get a feel for how corporations build things. I was working security as a sideline, in terms of research. I did a lot of reading, listened to a lot of podcasts. And then I started doing a bit of bug bounty hunting,” he says. “I submitted my first bug about four years ago, to Dropbox. It was a duplicate.”
Liberow took his first official steps into the world of cyber security as a consultant and ended up working with high-net-worth individuals, a proactive role that saw him provide cyber security training and conduct pen testing exercises such as phishing simulations.
Now, as HackerOne technical programme manager, Liberow spends his working life helping organisations develop bug bounty programmes (BBPs), from inception through development to launch and operation, covering programme design, training, structure and so on. He still gets to break things, albeit on his own time to avoid a conflict of interest.
How bug bounties work
So what is HackerOne, and what is a BBP? At its core, Liberow describes it as a concept that complements existing cyber security processes and procedures.
“The idea behind HackerOne is that every mature company has some sort of security team, but regardless of how talented it is or how big it is, there will always be areas it can’t necessarily cover simply because it lacks resources, or because it lacks knowledge,” he says.
“It’s practically impossible to cover all your bases, so our model is to say, ‘Whilst you do all those security processes, we’ll open it up to anybody who wants to attempt to find bugs and vulnerabilities in a safe and rule-based manner’.”
Through partnering with the hacker community – HackerOne has approximately 500,000 hackers on its books – organisations can leverage the abilities of ethical security researchers who are trusted and well-intentioned, and can maybe bring a different approach to things due to their specific interests and areas of expertise, which are not necessarily public or widely available.
“You get to use their experience and their approach to find bugs in your company and make yourself more secure. The cool thing about it is that you get to use those 500,000 hackers without cost until they find a bug,” says Liberow. “Worst-case scenario – you have lots of eyes on you, but nothing’s found, so no harm done.”
From private to public
For HackerOne, there is no such thing as an average client. Liberow brackets them in terms of maturity, in terms of what infrastructure they have, in terms of how exposed they may be, how much risk they face, and how much risk they want to take on.
It is by assessing these factors that he builds models that let him understand how best to tailor a BBP to the client’s unique needs.
“There’s no value in them getting 100 bugs in the first month but having no way to fix them, so I want to work in tandem with their security team to figure out what they’re capable of handling, what they’re interested in having tested, and where they think their weaknesses are,” he says.
Initially, clients will be exposed to various groups of hackers depending on how HackerOne has categorised them. Clients in very high-risk buckets or sensitive industries such as defence will only be targeted by extensively vetted hackers certified on the HackerOne Clear programme, an elite group of about 500 individuals.
Clear hackers don’t just receive a thorough background check, they must also be of a certain calibre in terms of ability and reputation on the HackerOne platform, based on metrics such as how impactful their bug reports are, how many valid bugs they’ve found, and so on.
“Generally, those hackers are more high end, more knowledgeable, more experienced and also more interested,” says Liberow.
For other clients, the process is more about matching them to hackers with the right skills, such as expertise in cracking different systems or coding languages.
From there, the BBP will be gradually extended in scope, bringing in more hackers as appropriate, as the client grows in confidence and becomes more willing to open other parts of its infrastructure for testing.
“You start small and then scale as they get more comfortable with the process and as the hackers get more comfortable with the scope of the project. The long-term goal is to go public, where anybody who finds a bug in your company has an avenue to tell you about it,” says Liberow.
“When you go public that can sometimes be a bit of a shock, just because it sometimes triggers a lot of extra attention. So we tend to be quite conservative in how fast we bring a company to a public state.”
For those that are leery of going totally public, HackerOne also runs vulnerability disclosure programmes (VDPs). The key difference between a BBP and a VDP is that clients running the latter typically don’t offer a monetary reward, merely a way for hackers to responsibly disclose vulnerabilities without getting in trouble or wasting time trying to find the right contact. Many clients find a VDP is a little less pressured than a full public BBP.
“I found one last night,” says Liberow. “It was a critical bug, and typically, five to 10 years ago I wouldn’t have known who to talk to or if I would get in trouble. I wasn’t even looking for it, I was doing some research and happened to find this system, but through a VDP I was able to send a message about it.”
“A good example is the NCSC [National Cyber Security Centre]. If you discover an issue in any UK government infrastructure, you can send a report through the NCSC. Typically government can be quite intimidating – who wants to send a message to a government institution and say, ‘Hey, look, there’s a bug!’?”
He continues: “I actually submitted to the NCSC this morning as well, and the response came in under 90 seconds. That’s phenomenal timing in comparison to before. I once sent a message to a UK government institution and I messaged them on Twitter – they asked me to send them a letter in the post with the bug. They wanted me to actually write a letter, I guess, with the code in it, and post it to them. Which, of course, I never did.”
Security without shame
Opening up your organisation to a VDP or BBP can be a daunting step for many. It’s easy to see why security teams and CISOs might feel threatened by the idea of inviting hackers to probe their defences.
Fears over what hackers might find and what that might mean for the organisation or your job are perfectly justifiable, says Liberow, so it’s important that alongside VDPs and BBPs, clients try to change their mindsets, and think about security without attaching shame or stigma to it.
Yes, incidents are inevitably going to happen, he says, and that’s not acceptable, but it is perfectly understandable, and it’s not worth trying to apportion blame for them.
“Initially you have to be quite brave, and be quite confident to say, ‘We’re comfortable enough to say you’ve found this bug and this is what the cause of it was, this is what you’ve done to fix it’,” he says.
“It can take time to get security teams comfortable, but it’s down to the organisation they work in to allow them that comfort and say, ‘We appreciate that you’re great at your jobs, you know what you’re doing, however, it’s impossible to do everything all the time’. That way, when a bug is found, they don’t look down to security and say, ‘Hey, why did that happen?’.”
Many of HackerOne’s clients have, over time, got much more comfortable with the process, and become more open and public about the bugs the hackers uncover because they’ve learned not to be shamed by it.
“Bugs are always going to be found because of how much organisations are doing every day, how many services they have and systems and infrastructure. The more that technology leaders are comfortable to say they’re perfectly happy and open to publicising bugs, the less shame and stigma there is in it,” says Liberow.
To help with this, HackerOne does its best to make sure it never goes over the heads of client security teams.
“It’s important to make sure it’s not seen as the security team competing with us,” says Liberow. “They are the ones helping us run the programme, they’re going to give us as much information as possible because it comes down to an appreciation that they’re not going to know everything – no one does, even our best hackers don’t.
“A lot of this is just down to appreciating that hackers are extremely creative, and the best you can do is take that, fix the immediate problem and try to think, in the future, where else might something come up? And what can I do today to ensure it doesn’t?”
Ultimately, says Liberow, a VDP or BBP helps an organisation take control of the messaging around its security posture.
“Companies are being forced into this space more and more against their will because they’re found vulnerable by a malicious hacker, and that’s exploited whether they like it or not, so then they have their brand identity associated with a leak or hack. We would rather they took control of the message.
“And if something like that does happen, but they’ve been running a bug bounty programme, it demonstrates to a customer that they care about security – they may not have found the vulnerability but they do have the processes in place.
“If I’m signing up for a product in a personal capacity, and the company has a bug bounty programme and they’ve released X reports, it doesn’t really put me off,” he concludes.
So, you want to be an ethical hacker
Since its inception, HackerOne has made a few millionaires out of bug bounty hunters. Some have even attained a certain degree of celebrity – figures such as the UK’s Mark Litchfield, who started out selling PCs in his Scottish hometown, or the US’s Tommy DeVoss, an ex-black hat who served two prison terms but now travels the world as a bug hunter and security educator, living proof that a criminal past is no barrier to ethical hacking.
But it’s not a day job. Liberow says that some might be able to make a living from it, but he doesn’t think one should aspire to that. It can be quite an extreme sort of life, he says, and one that requires a lot of application, will and brainpower.
Many of HackerOne’s hackers are actually IT consultants, developers or security professionals who use the bug hunting experience to make them better at their day job, he says. Such people may be bored of dealing with the same technology in their workaday lives and relish the opportunity (and permission) to test out ideas and techniques.
“They get to experiment, they get to play and figure out how to use various tools, understand issues, and then apply it in their own business. One complements the other, and it keeps you sharp,” says Liberow. He reckons that a good number, perhaps even most of his hackers, work in large digital organisations.
It can also be a route in for newbies or teens in hoodies, but doing it this way takes a lot of work, and while the hacking community is generally very supportive in terms of sharing tips, tricks and exploits, Liberow points out that bug hunting takes mad skills.
“I think there’s a misconception when it comes to things like this because, ultimately, this knowledge is very powerful, and because you’re coming along finding bugs in infrastructure and services built by very smart people, it takes a lot. And those skills don’t just come like that – you have to start from the bottom,” he says.
Put it this way, you’re not going to sign up and then be disclosing critical vulnerabilities in hours, you will be on a journey, but for the determined, it’s one that HackerOne supports through programmes like Hacker101 (get it?), a free set of online training resources that anybody, at any age or level, can use.
“You have to start somewhere, right?” says Liberow. “Everyone’s going to start with less knowledge than other people.”