In December 2015, 28 old Syed Farook, accompanied by his wife, Tasfeen Malik who was a year older at the time, walked into the banquet hall of a conference center and killed 14 of his co-workers in San Bernardino, California. What has this got to do with the bug bounty program and making a lot of money?
The link between the two is rather indirect. The story of the San Bernardino killers is only indirectly linked to the bug bounty program as subsequent events proved.
During the investigations of the events surrounding the killings, the FBI recovered an iPhone belonging to Syed. But it was locked. They needed it unlocked so they can access information that might aid them in stopping future attacks like this one.
The FBI vs Apple was a celebrated case last year. Apple refused to unlock the phone over users privacy concerns and sought the help of the judiciary to stop the FBI from compelling them to unlock the phone.
While the case was still under litigation, the FBI contracted a private security analyst to help them unlock the iPhone. This was done successfully. Case closed. Apple was livid, demanding details how the phone was unlocked from the FBI.
At the time, that is last year, Apple did not have a bug bounty program. Perhaps, if the program was in place, the FBI would still be trying to arm twist Apple to help them fight terrorism.
What is Bug Bounty Program?
The bug bounty program ecosystem is comprised of big tech firms and software developers on one hand and white hat hackers (also known as security analysts) on the other.
The deal is simple: the tech firms and software developers offer a certain amount of money to hackers to spot and report weaknesses in programs or softwares.
This is to make sure the problem is solved before the public is aware of it. The ultimate purpose aims to keep the weaknesses away from black hat hackers to exploit.
The money offered to individuals vary from company to company and how difficult the vulnerabilities are.
And Apple came to the bug bounty party
Analysts would tell you if Apple had had a bug bounty program when the FBI came calling, they would still be sitting pretty bragging about how their software is uncrackable.
However, that case proved to Apple that the iOS operating system had a bug that could be exploited. Unfortunately, there was no incentive from Apple to make hackers spot and tell them about it. If the program had been in place, Apple would have patched the vulnerability a long time ago.
That is water under the bridge though. Because in August last year, after the embarrassing fiasco with the FBI, Apple announced their own bug bounty program. They offered up to $200,000 to any hacker who could spot and report a weakness in iOS.
The Apple bug bounty became one of the biggest bug bounty programs in the world. That showed how much Apple realized how important the program is. You can bet there are now a lot of hackers putting iOS through the paces looking for vulnerabilities in the system.
Earn up to $500,000 in the bug bounty program
Though the Apple bug bounty is huge, it is not the biggest. The price for the highest single payment goes to Exodus Intelligence.
The security company based in Texas announced their own bug bounty program a few days after Apple announced unveiled theirs.
Other notable bug bounty schemes include:
Facebook – Facebook’s program covers all their services including WhatsApp, Instagram, Messenger, and Facebook. Announced 6 years ago, it has different categories of payout based mostly on the severity of the bugs.
The highest payout to date was to Russian hacker Andrew Leonov, who was paid $40,000 for discovering that Facebook was vulnerable through an exploit in ImageMagick, an open software for editing photos.
Microsoft – Hackers can receive up to $100,000 for spotting a security flaw in any of their software. So far the company has paid out over $500,000 to various individuals.
Google – the company has a robust bug bounty program. Hackers could get rewards up to $50,000 for spotting and reporting security flaws in all of Google-owned services and software.
Check here for a list of all the major companies with a bug bounty program in place,
Is the program enough incentive for hackers?
The world of hackers is a very fluid one. It is mostly based on opportunities. Sometimes, the line separating white hat hackers and black hat hackers can be blurry.
Black hat hackers can make a lot of money selling their research in the dark web or to anybody who has enough money to pay. Also, they can sell a single discovery multiple times to increase their earnings.
On the flip side is the world of ethical hackers who have decided not to be criminals. A huge Bug bounty reward is reason enough to stay on the right side of the law.
However, when it comes to making as much money as possible, it is difficult to legislate on behalf of others. People’s motivations differ. And changes with time too.
Point is, today’s black hat hacker could be tomorrow’s ethical hacker. And vice versa.
Make a living through the bug bounty program
It is common for people to assume that hackers are a breed apart. The sort of people who spend too much time in a dark room only illuminated by multiple computer screens just hacking away at keyboards looking for their next victim. That is so false.
Early last year, a 10-year-old kid from Finland called Jani was given $10,000 by Facebook for revealing a flaw in Instagram that made it possible for anybody with the knowledge to delete any Instagram account.
At 10, he was not even old enough to use Instagram legally. And he was just an aspiring security researcher. Do you get the point?
The bug bounty program is open to just about anybody in any part of the world to make money. All you need is, learn how to be a good programmer and get to work looking for vulnerabilities in softwares and other internet-based services of companies with the bug bounty program in place.
Sounds easy, but it is hard work though. But nothing good comes without hard work, except for miracles.
Bug bounty program and the future
Unfortunately, as long as there are criminals, there would always be hackers hoping to use their knowledge illegally. The recent malware case rocking the world is a case in point.
This malware, a ransomware known as Wannacry, hijacks computers making them inaccessible to the owners. Owners have to pay money to the hackers before they would have access to the files on their computers.
These are black hat hackers who have decided they would make far more money illegally than getting a one-off payoff from a bug bounty program.
That is the future the world has to live with. Bad people would always do bad things.