‘Bug Bounty Hunter’ Programs Utilize The Talents Of Hackers To Make The Internet Safer

What do you picture when someone says the words, “bounty hunter?”

Clearly, a bounty hunter is someone with great upper body strength, a weapon, and a desire to apprehend people running from the law. Right?

Well, there’s a whole section of the internet that sees a completely different picture when someone says the words, “bounty hunter.”

They see someone sitting behind their computer, concentrating on the screen. The reason goes back to internet security and how companies are working to make their sites and apps more secure for their users.

Companies have had “bug bounty hunter” programs for a while now.

What exactly is a bug bounty hunter program?

A bug bounty hunter doesn’t carry a gun or go running after bad guys, instead, they go through business sites, apps, and coding in order to try to find security flaws.

Someone that’s part of the bug bounty hunter program would work independently from the normal security team for each site that employees them.

The people most useful to these bounty programs are called “white hat hackers.” White hat hacker is a slang term for people who are, essentially, ethical hackers.

Companies don’t go out looking for a bug bounty hunter. Instead, they start “seasons,” like Uber recently did, or post general guidelines for submissions, and bug bounty hunter hopefuls go to them.

Gianluca Stringhini, a computer scientist and assistant professor at University College London, explained the importance of bug bounty programs to the BBC.

“By having bug bounty programs, companies make sure the best hackers look at their code. The more eyes look at the program, the more bugs they find. It’s also a way for these companies to identify talent.”

Throughout the year, various big companies have issued notes about their bug bounty programs. The releases have included average payments, the types of bugs found, how to become a bug bounty hunter for them, and other information about the bug bounty programs.

On Friday, Twitter created a blog post explaining their bug bounty program, run on HackerOne. They outlined three different bugs that were found and fixed in 2015. One of those bugs could have been utilized to delete every credit card throughout the site.

“…a simple insecure direct object reference bug on the credit card deletion endpoint allowed an attacker to delete, but not view, credit cards not belonging to them. Additionally, the ids were auto-incrementing integers and there was no rate-limiting on the endpoint, so it was possible for someone to delete all credit cards on Twitter.”

That particular bug was found by a bounty hunter and is now taught to their Secure Coding class during orientation for new hires.

On the first of May, Uber launched a 90-day bug bounty “season.” During the season, a bug bounty hunter can make up to $10,000 dollars per critical issue brought to the attention of the company.

“We believe that bug bounty programs are an important part of the modern software development lifecycle,” John Flynn, the Chief Information Security Officer of Uber said in a blog post. “Our unique program combines healthy rewards, a loyalty program, and a ‘treasure map’ of information to incentivize our community to find even the most subtle bugs as we work together to protect users.”

There are many people who would look at the idea of a bug bounty hunter program and worry about the bugs being advertised. Anyone participating as a bug bounty hunter is free to make the bug public, according to most companies, but only after that bug has been privately reported and fixed.

[ Photo by andriano.cz/Shutterstock ]