The Rise of the Hacker Bounty Hunter

Photo: Todd McLellan

One night earlier this year, while playing around with a new anonymous-sharing app called Secret, Benjamin Caudill was gripped by a familiar sensation: This thing is not secure.

“Almost as soon as I opened the app, I knew it might be vulnerable,” Caudill says. “It’s a sixth sense, I guess.”

Some people fix problems for a living. Caudill, a Seattle-based information-­security researcher, finds them, in exchange for small cash payments or just the reward of not being sued. (“It’s definitely more of an intellectual pursuit than a financial pursuit,” he says.) Caudill and his business partner, Bryan Seely, discovered a flaw in the app’s design that allowed them to link a user’s email address to the secrets he or she had posted. (In San Francisco, where Secret is used mainly for disclosing bedroom fetishes and shit-talking venture capitalists, this could have done serious damage.) But Caudill and Seely didn’t use the hole they’d found to play the voyeur or ruin fledgling careers. Instead, they contacted Secret’s CEO, David Byttow, and let him know that his software was leaking.

It’s been a busy year for information-security teams, what with the iCloud selfie hack, the eBay-password breach, and more obscure problems like the Heartbleed vulnerability. And, of course, Silicon Valley is still reeling from the news of its collaboration with the NSA on domestic surveillance, which made data security a household concern. But Byttow didn’t direct Caudill and Seely to Secret’s internal-security team, and he didn’t offer them jobs at the company—the bribe-slash-retainer arrangement you see in bad cyberpunk movies. Instead, he directed the white-hat hacker to an online platform called HackerOne, which matches reward-seeking hackers with companies looking to beef up their security.

HackerOne is a sort of start-up security bazaar, built not on the hacker principles of vandalism or greed but something much more like monetized goodwill—a crackerjack coder discovers a corporate vulnerability, writes a note to company HQ, gets a thank-you note and often a payment (anywhere from $25 to $5,000 and up) in return. On the flip side, a company like Secret—or Twitter, Yahoo, and Square, all of which run programs through the site—gets to mobilize a volunteer IT army. HackerOne provides the infrastructure for these arrangements but stays out of the deals themselves, merely tacking on a 20 percent fee for each successful bounty. Think of it as TaskRabbit for hackers.

Bug-bounty programs aren’t new in the IT world. (Netscape ran one in 1995, offering T-shirts and mugs to hackers who found software glitches.) But today’s efforts are bigger and more systematized. Since opening for business in 2012, HackerOne has raised $9 million from investors and staffed up to 18 employees, making it a mainstream tech player in its own right. As an industry, Silicon Valley has always fetishized hackers and hacker culture, even as it feared their influence. But with HackerOne and its ilk, hackers are squarely in the middle of things for once, thanks to middlemen connecting cash-flush companies with cheap, eager freelancers. So far, HackerOne says it has facilitated $1.27 million in payments for 3,978 bugs—­serious coin, to be sure, but far less than it would cost to hire all those hackers full time.

HackerOne has its roots in a similar bug-bounty program started by Facebook in 2011. Facebook’s program, which was based on the theory that the social network’s more technically inclined users might find holes in the site that a Facebook engineer had missed, resulted in a huge surge of submissions—14,763 in 2013, to be precise. And Alex Rice, then a Facebook product-security lead, thought, If Facebook could benefit from a bug-bounty program, why not the two-man start-up down the street?

Rice, HackerOne’s co-founder and chief technology officer, showed me around the company’s office on a recent morning. It’s a nearly barren ninth-floor space in a San Francisco office tower, with new PCs still in their boxes and two oversize beanbag chairs planted in the entryway. The company had just moved in a week earlier, and a worker was installing a water machine in the kitchen.

Many start-ups, Rice found, grasp the benefits of a bug-bounty program immediately. But older, more traditional companies are still wary of engaging with hackers. Apple, for example, has never offered a bug-bounty program, although it probably wishes it had—after the selfie hack, the creator of iBrute, a tool many believe was used to steal the naked photos of ­Jennifer Lawrence and other celebrities, told Forbes he would have warned Apple ahead of time if he’d been paid.

“There’s a big concern from vendors that if I start a bug-bounty program, I’m basically holding up a big sign that says, ‘Come mess with me,’ ” says Jake Kouns, the chief information-security officer at Risk Based Security.

Those fears may have been valid on the internet of 1995. But today, there are untold thousands of skilled amateurs who spend their spare time scouring the web for vulnerabilities, more for amusement than anything else. Give them enough time, and they’re going to find something on you. And if you can cheaply harness the power of that collective curiosity to ward off a PR nightmare, why wouldn’t you?

“At this point, every site worth attacking out there has been hacked,” Rice says. “It’s just a question of whether or not the public finds out.”

Nathaniel Wakelam, a 19-year-old Australian student, is one of the bounty hunters who have benefited from the sea change in how hackers and corporations interact. In the past year, Wakelam has found more than 100 bugs in the code of companies like Facebook, Google, and Yahoo, using platforms like HackerOne and a competitor called Bugcrowd. For his troubles, he’s earned more than $60,000. (His largest public score, an admin-level vulnerability on Giftcards.com, netted him $2,700.) He’s paid his way through college with his bug bounties and gotten a job at a security firm called RMSEC, but he suspects he should be earning even more.

“In some cases, I’ve found bugs that have prevented the destruction of companies,” he told me. “And they’ve paid me a couple thousand dollars for that.”

What Wakelam likes about HackerOne and Bugcrowd is that they’re convenient—he can easily log on when he has a few hours to kill and see which companies are offering money. These sites have also leveled the hacker playing field and given rank amateurs access to programs that previously might have been invitation-only. “What HackerOne and Bugcrowd have done is limit the space between companies and myself,” he says. “As someone in university, there’s no faith in me. But what these sites have done is allow companies to approach individuals like me in a non-direct manner.”

Caudill, the bounty hunter who found the big vulnerability in Secret, didn’t even expect a small payment from the company. But since the hack he made was so huge and potentially damaging, Secret told him it would retain his and Seely’s services in the future and send him a gift basket in appreciation for his help.

“I don’t think we’ve actually gotten it,” he says.

This article appears in the September 22, 2014 issue of New York Magazine.