Security Think Tank: Bug bounties are changing the image of hackers

When people think about hackers, the default perception is of a teenage script kiddie, slaving away in his bedroom under his hood. The media still mistakenly use the hooded individual hunched over a keyboard on a regular basis as visual content for related storylines, which just helps to reinforce the myth.

So, is this image still relevant? To a minor extent it is, because it portrays how most hackers will start their journey – testing their skills and honing to the nth degree. We all must start somewhere. The big difference now, though, is that the opportunities available to a hacker have increased dramatically.

Hacking is now an accepted profession in which people can earn an honest and decent living. Not only are there many penetration testing jobs within organisations, providing these “startup” hackers with a place to legitimately fine-tune those skills, but we also have a new breed of testing – bug bounties.

Bug bounty programmes take two forms. Companies offer a bug bounty for vulnerabilities that are detected in their systems, where a hacker discovers it and discloses it to the company, so it can be fixed before it is publicly released. The hacker is then rewarded for this discovery. This is popular with many large tech companies, such as Google, Apple and Dropbox. Several governmental organisations are also starting to use this method.

The second form is a bug bounty platform, for example HackerOne, SynAck or BugCrowd, which is a merger of the bug bounty idea and traditional penetration testing. A company hires the platform to probe its infrastructure, websites and applications for potential vulnerabilities. Hackers become members of the platform and are given the opportunity to discover vulnerabilities, which are then passed back to the hiring company.

The hackers are rewarded for vulnerabilities discovered, rather than paid for the time it takes, which is what happens with conventional penetration testing. This encourages the hackers to delve deep and discover something – the more critical the vulnerability, the bigger the reward.

These platforms are proving very popular with companies because they enable a real-world test of their systems, allowing hackers to test and hone their skills on real systems without fear of reproach. Some of these hackers have breached the $1m barrier for bug bounties, so it can be very lucrative, encouraging more hackers to use their skills for good. This shows a shift towards hacking becoming a gig economy – they can take the role full-time or hack in their spare time.

A few years ago, these script kiddies would have stopped hacking as they grew up, got a job and started a family, leaving little time to play with computers. But today, the hooded hacker has grown up and become a true professional. Whether this means images of hackers should depict a suited and booted adult is up for debate, but certainly the behaviours and characteristics of a hacker have changed.

Hacking is now part of normal business processes, reflecting the need to test systems regularly to ensure that both information and supporting systems remain protected. Companies need to embrace individuals with the skills to hack, and nurture them. Hackers can be a great asset, providing detailed insights into problems that you were not aware even existed.

So, encourage people to break your systems, and use those skills and knowledge to your advantage before someone else does and you end up losing your business.