They pour over software code to ensure that the internet services you use – whether email, payment gateways or social networks – are free of any security flaws. Javed Anwer speaks to the guardians of the interweb.
Rafay Baloch fell in love with the world of computers after seeing the Matrix films when he was a 15-year-old boy. He was particularly mesmerized by Neo, the protagonist, who could hack into computer systems.
Even as Neo worked his way through the network of sci-fi sentient computers, Baloch had made his decision. He was going to be a computer hacker!
Five years later, he is a well-known white-hat hacker. And although he is still in college-pursuing a bachelor’s degree in computer science fromBaharia University in Karachi-he has already authored two books on cyber security and even runs a popular blog on the topic. But his biggest claim to fame is his expertise as a software bug hunter. In his free time, the 20-year-old seeks security vulnerabilities in web services run by technology giants like Microsoft and Paypal.
For his efforts, in the last year itself, companies have rewarded him with bounties of over $20,000 (Rs 11.15 lakh approx).
Money for bugs
While respectable, Baloch’s exploits pale in front of what some other white-hat hackers have accomplished. Like him, there are thousands of programmers who peer into popular web sites and internet services to look for security loopholes. Unlike black-hat hackers who exploit these loopholes for personal gains, white hats report these vulnerabilities to companies.
“Earlier, tech firms used to place these hackers in the Hall of Fame on their web site to acknowledge their efforts,” says Mohit Kumar, a white-hat hacker who runs a site called The Hacker News. “But in the last few years, many technology companies have started offering bounties to anyone who finds vulnerabilities in their products or online properties.”
There are tens of big technology firms running bounty programmes nowadays. Facebook, for instance, has paid out around $5,00,000 to bug bounty hunters between July 2011 and July 2012. Paypal is another firm offering big riches and pays up to $5,000 for a single bug. Google introduced its bounty programme in September 2010 and since then has “paid $8,28,000 to more than 250 individuals” . The company, which considers its Chrome browser to be one of the most secure programs ever created, challenged hackers in a competition called Pwnium, last year. At stake was a bounty worth $2 million with the option to take home up to $60,000 for a single exploit.
One hacker, known by the name of Pinkie Pie, struck with an exploit, which Google engineers later termed a “work of art” to win $60,000. He had earlier won another $60,000 and since then has breached Chrome twice, earning over $40,000.
A lesser-known, but equally successful bounty hunter is Sergey Glazunov, a Russian hacker. According to Google’s Chromium web site, Glazunov has already earned more than $1,40,000 from his exploits.
While big bucks are a motivation, bounty hunters say it’s not their only reason. For Baloch, tinkering with networks is a matter of passion. For Harsha Vardhan Boppana, a 22-yearold engineering student who also made over $20,000 last year, it is more about learning new skills and testing them in real world scenarios.
“I started because discovering loopholes in web services is fun and allows you to learn new technologies. As you go through the source code of the website and try to tear it apart, you tend to come across many things that you won’t learn in textbooks,” says Boppana, who is a student of Vignan University in Andhra Pradesh.
Effective and economical
For online services like Facebook, bug bounty programmes are incredibly useful. Importantly – at $500 for every bug – it is also cost effective. Years ago, Eric Raymond, a hacker and open source software advocate, said, “Given enough eyeballs, all bugs are shallow.” The bounty programmes run by Google and Facebook in today’s world are largely based on this principle.
While the one-time payment may seem large, the overall cost to the companies works out to be much cheaper than hiring world-class security experts and paying them a regular salary.
Joe Sullivan, chief security officer at Facebook, explained, “We launched the Bug Bounty programme with the goal of finding people around the world who can help improve our security. Regardless of the quality and quantity of people we hire at Facebook, we are constantly aware of the fact that there will always be more people out in the community who will be testing our system anyway. As such, it makes perfect sense to incentivize these people to research constructively and responsibly. This helps keep Facebook safer for everyone.”
A career choice?
Still, the general consensus among hackers is that it is difficult to make a career out of bug hunting.
Christy Philip Mathew, a Kerala-based network specialist who works with an Israeli mobile apps firm, says that a hacker has to be very fast to make any money.
“Nowadays, the competition is huge. As soon as a reward is announced, hundreds of hackers across the world aim to win it. You not only have to find the bug before anyone else does, but you also have to report it to the company immediately. If someone else reports the bug before you do, your discovery is no longer valid,” says Christy who has made over $5,000 in the last two years from hunting bugs.
The rewards are also not uniform. While companies like Google and Facebook are known to shell out big bucks for bugs, a few others try to keep costs down.
“A lot of companies still do not pay for reporting exploits,” Baloch says. “Instead, they try and satisfy hackers by mentioning their names on a page on their web site. I believe these firms should pay because what we do involves hard work.”
In some cases, web sites offer a little more than the honourable mention, while still stopping short of money. “So far I have earned around $10,000 with most of the reward coming in the last several months. But I have also been paid with free smartphones and t-shirts,” says Vignesh Kumar, who is an electrical engineer by profession.
Boppana, however, is quick to say that although bug hunting is a tough career option, it does open new doors for hackers. “When I found a very critical bug on Paypal’s web site, the company offered me a regular job. But I am still in college so I refused,” he says.
Meanwhile, Baloch has bigger plans. “After completing my education, I plan to open my own cyber security consultancy firm to offer solutions to multinationals and banks. I am sure the experience that I’ve gained today from bug hunting will come handy at that time.”