
Internet companies pay out to those who spot bugs

Concerned about protecting the personal and financial details of its users, PayPal, the online payments company, has introduced a system called "two-factor authentication".

To log in, users must first enter their user name and password. They then receive a security code by mobile phone that they have to type in to gain entry. The idea is to create an extra barrier that makes it harder for criminals to break into a customer's account.
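The two-step login described above, as an added example (this is not PayPal's or Duo Security's code, and it does not describe the bug they found): a small in-memory authentication server in Python in which the password check yields only a pending token, the one-time code check is the sole path to a session, and every protected endpoint accepts sessions alone. The check a practitioner wants from the paragraph is that the second barrier is only a barrier if the server, not the client, enforces it; a client that skips step two must get nothing, whatever app it is. The user, the five-minute code lifetime, the three-attempt limit and the `account_balance` endpoint are assumptions made for the example; a real server would deliver the code to the phone rather than return it from `login()`.

```python
import hashlib
import hmac
import os
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_CODE_ATTEMPTS = 3    # assumption: three wrong codes cancel the challenge


class AuthError(Exception):
    pass


class AuthServer:
    """In-memory two-step login; all state is held server-side."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}     # username -> (salt, pbkdf2 hash)
        self._pending = {}   # pending token -> unfinished challenge
        self._sessions = {}  # session token -> username

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username, password):
        """Step 1: password check. Returns a pending token that grants nothing,
        plus the one-time code. Returning the code is only so the example runs
        offline; a real server sends it to the user's phone."""
        rec = self._users.get(username)
        salt, stored = rec if rec else (b"\0" * 16, b"\0" * 32)
        ok = hmac.compare_digest(self._hash(password, salt), stored)  # hash unknown users too
        if rec is None or not ok:
            raise AuthError("bad credentials")
        code = f"{secrets.randbelow(10**6):06d}"
        token = secrets.token_urlsafe(32)
        self._pending[token] = {"user": username, "code": code,
                                "expires": self._clock() + CODE_TTL_SECONDS,
                                "attempts": 0}
        return token, code

    def verify_code(self, pending_token, code):
        """Step 2: the only path to a full session. Codes expire, are single
        use, and are cancelled after too many wrong guesses."""
        ch = self._pending.get(pending_token)
        if ch is None:
            raise AuthError("no such challenge")
        if self._clock() > ch["expires"]:
            del self._pending[pending_token]
            raise AuthError("code expired")
        ch["attempts"] += 1
        if not hmac.compare_digest(ch["code"], code):
            if ch["attempts"] >= MAX_CODE_ATTEMPTS:
                del self._pending[pending_token]
            raise AuthError("wrong code")
        del self._pending[pending_token]  # single use: no replay
        session = secrets.token_urlsafe(32)
        self._sessions[session] = ch["user"]
        return session

    def account_balance(self, token):
        """A protected endpoint: it consults full sessions only, so any client
        that stops after step 1 is refused regardless of how it connects."""
        user = self._sessions.get(token)
        if user is None:
            raise AuthError("not authenticated")
        return {"user": user, "balance": 100.0}  # constructed value


def _allowed(call):
    """True if the server accepts the call, False if it refuses it."""
    try:
        call()
        return True
    except AuthError:
        return False


def demo(clock_start=1_000_000.0):
    """Exercise the flow with a controllable clock; returns what each client saw."""
    now = [clock_start]
    srv = AuthServer(clock=lambda: now[0])
    srv.register("alice", "correct horse battery staple")  # constructed user
    out = {}
    pending, code = srv.login("alice", "correct horse battery staple")
    out["pending_token_reaches_account"] = _allowed(lambda: srv.account_balance(pending))
    wrong = "000000" if code != "000000" else "111111"
    out["wrong_code_accepted"] = _allowed(lambda: srv.verify_code(pending, wrong))
    session = srv.verify_code(pending, code)
    out["session_reaches_account"] = _allowed(lambda: srv.account_balance(session))
    out["code_replay_accepted"] = _allowed(lambda: srv.verify_code(pending, code))
    pending2, code2 = srv.login("alice", "correct horse battery staple")
    now[0] += CODE_TTL_SECONDS + 1
    out["expired_code_accepted"] = _allowed(lambda: srv.verify_code(pending2, code2))
    pending3, code3 = srv.login("alice", "correct horse battery staple")
    for _ in range(MAX_CODE_ATTEMPTS):
        _allowed(lambda: srv.verify_code(pending3, "wrong!"))
    out["code_after_lockout_accepted"] = _allowed(lambda: srv.verify_code(pending3, code3))
    out["wrong_password_accepted"] = _allowed(lambda: srv.login("alice", "hunter2"))
    return out


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

The design choice worth noting is that the pending token and the session token live in different tables: there is no flag on a session saying "second factor done" that a code path might forget to check, so an endpoint cannot be reached with half a login by accident.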

The only problem was that this additional line of defence had a significant flaw. Last year, a group of computer hackers from Duo Security, a Michigan-based cyber security company, discovered a problem with PayPal's mobile app: a previously unknown bug in PayPal's systems made it possible to bypass this second barrier altogether.

Zach Lanier, senior security researcher at Duo, says users could have been "lulled into a false sense of security, unaware that a security feature isn't living up to its promise".

It was lucky for PayPal that it was Mr Lanier's team that discovered the problem. He was able to warn the company through its "bug bounty" programme, which pays people who discover security vulnerabilities. Duo Security pocketed the bounty, and PayPal fixed the bug before it was revealed publicly how it had been discovered.

Google, Mozilla and Hewlett-Packard are among other technology groups that have bug bounty programmes. Bounties range from $500 for spotting tiny bugs to $60,000 for uncovering serious flaws.

Millions of dollars have been paid to individual hackers and security companies through these schemes. Unveiling Facebook's bug bounty programme in 2011, Joe Sullivan, the social network's chief security officer, wrote on the company's website: "We realise . . . that there are many talented and well intentioned security experts around the world who don't work for Facebook. We established this bug bounty programme in an effort to recognise and reward these individuals for their good work and encourage others to join."

In 2014, Facebook paid $1.3m to hackers for their benevolence.

There is no way for companies to create perfect online defences. Underlying every website or app are lines of code. As these have been written by humans, defences can range from the well-constructed to the sloppy and flawed.

In theory, thanks to bug bounties, some hackers can make a decent living just looking for security flaws. However, most who participate in the programmes are computer professionals who uncover bugs in their spare time to make some extra cash, or they stumble across problems by chance.

But approaching a company about any security flaws you find is not always a good idea. In 2011, Patrick Webster, a security researcher, found a problem at First State Super, an Australian investment group, that allegedly left millions of customer accounts at risk. When he told it of the problem, the company reported him to the police. (Both the police and civil actions were later dropped.)

Still, bug bounty programmes have become so popular among big technology companies that start-ups are emerging around what is becoming a lucrative industry. Last year, HackerOne, a cyber security company started by Alex Rice, who formerly ran the product security team at Facebook, raised $9m in funding from Benchmark Capital, a leading Silicon Valley venture capital firm.

The start-up is developing a software platform through which people can report bugs to companies and be paid for reporting flaws while at the same time avoiding unwanted attention from law enforcement. HackerOne has so far facilitated more than $1m in payments for about 4,000 reported bugs.

Explaining its motives, the company says: "There is a disturbing lack of trust and consistency relating to how people report vulnerabilities and how organisations respond to them . . . we're convinced that we must dramatically change how the world handles security research if we have any hope of advancing the state of security. We built HackerOne to empower the world to build a safer internet."

Bugcrowd is another company that wants to become a central repository for reporting flaws. In March, the company, which acts as a crowdsourcing platform for security researchers, announced it had raised $6m in funding from investors. In total, Bugcrowd has raised $9m since its founding in 2012, with companies including Western Union, a US financial services group, launching bug bounty programmes through its site.

Given the apparent success of such programmes, some, such as Brian Krebs, a cyber security expert and blogger, have even suggested bug bounty programmes should be compulsory, with all companies forced to pay when security problems are brought to their attention. The idea is that this would create vast security improvements across the internet.

But others have warned that such programmes might not be right for all companies.

Chris Wysopal, chief technology officer at Veracode, a Boston-based online security company, says organisations should not attempt to create bug bounty programmes unless they have their own strong team of hackers to respond to any problems that are discovered.

After all, the only thing worse than being shown a hole in your online defences is the inability to close it.

© The Financial Times Limited 2015. All rights reserved.
FT and Financial Times are trademarks of the Financial Times Ltd.
Not to be redistributed, copied or modified in any way.
Euro2day.gr is solely responsible for providing this translation and the Financial Times Limited does not accept any liability for the accuracy or quality of the translation
