At the tech industry’s Black Hat 2015 security conference in Las Vegas, Microsoft announced a range of improvements to its software. It wants friendly researchers to find flaws before hackers do.
The company’s security architect, Jason Shirk, said the measures were aimed at bringing “defence up on par with offence”.
Companies use “bug bounties” to enlist so-called white-hat hackers with enough specialised skill to spot security gaps before cybercriminals use them to steal customer information or crash websites.
Last month, it emerged that two internet security researchers had each been paid 1m loyalty reward miles by United Airlines after they uncovered gaps in the airline’s web security. Its bug bounty programme had only been announced two months previously.
According to internet security firm ESET, “bug bounties” are a relatively new phenomenon but have now become a “significant security measure for modern businesses, especially if that business is heavily reliant on the web”.
It points out that, in the past, security researchers reporting flaws would have either received a mere “thank you” or even faced accusations of being hackers themselves. Now, though, rewards worth tens of thousands of euro can be on offer.
Facebook, for example, states on its website that while bounties are awarded at the discretion of its bug bounty team, when it finds a report that is new and valid, its minimum reward is $500 — and there is no maximum.
“Each bug is awarded a bounty based on its severity and creativity,” says Facebook. “We only pay individuals. If you choose to donate to a recognised charity we will match your bounty so that the charity gets double the bounty amount.”
According to ESET, Facebook paid out over $1m to researchers in 2014.
“In November 2013, Brazil computer engineer Reginaldo Silva found one of the worst vulnerabilities in Facebook’s software, netting a bug bounty of over $30,000,” ESET said in a blog.
“The bug related to code used for the authentication system OpenID, which lets people use the same log-in credentials for various online services. Mr Silva found the vulnerability could be executed from a remote computer, one of the most dangerous types of software flaws.”