The traditional picture of a hacker is of a script kiddie in a hoodie hunched over a computer keyboard, but this stereotype is stale and outdated. Is it time to move away from a fear-based approach to security?
When people think about hackers, the default perception is of a teenage script kiddie, slaving away in his bedroom under his hood. The media still regularly, and mistakenly, use the image of a hooded individual hunched over a keyboard to illustrate related stories, which only helps to reinforce the myth.
So, is this image still relevant? To a minor extent it is, because it portrays how most hackers will start their journey – testing their skills and honing them to the nth degree. We all must start somewhere. The big difference now, though, is that the opportunities available to a hacker have increased dramatically.
Hacking is now an accepted profession in which people can earn an honest and decent living. Not only are there many penetration testing jobs within organisations, providing these “startup” hackers with a place to legitimately fine-tune those skills, but we also have a new breed of testing – bug bounties.
Bug bounty programmes take two forms. In the first, a company offers a bounty for vulnerabilities detected in its systems: a hacker discovers a vulnerability and discloses it to the company, so it can be fixed before it is made public. The hacker is then rewarded for this discovery. This is popular with many large tech companies, such as Google, Apple and Dropbox. Several governmental organisations are also starting to use this method.
The second form is a bug bounty platform, for example HackerOne, Synack or Bugcrowd, which is a merger of the bug bounty idea and traditional penetration testing. A company hires the platform to probe its infrastructure, websites and applications for potential vulnerabilities. Hackers become members of the platform and are given the opportunity to discover vulnerabilities, which are then passed back to the hiring company.
The hackers are rewarded for vulnerabilities discovered, rather than paid for the time it takes, which is what happens with conventional penetration testing. This encourages the hackers to delve deep and discover something – the more critical the vulnerability, the bigger the reward.