Hacking to find security weaknesses is often a lucrative business
NEW York: Imagine getting $1 million for finding a security weakness in a mobile operating system. That’s what happened to an anonymous team of hackers who found a way to hack through Apple’s iOS to score the sizable prize, security startup Zerodium announced this week.
Zerodium launched the challenge in September, saying it would pay seven figures to a team able to figure out a way to take over iPhones and iPads running the latest versions of iOS just by tricking it into visiting the wrong web page or opening a text message.
Two teams actively competed for the reward, but only one was able to meet the terms of the bounty by the contest’s October 31 deadline, Zerodium founder Chaouki Bekrar told The Washington Post.
He said the company plans to report the vulnerabilities to its customers, described on its website as “major corporations in defence, technology, and finance” and government organisations “in need of specific tailored cybersecurity capabilities”.
But it isn’t planning to immediately tell Apple how the hack works, although it may do so “later”, he said. That could help Apple create a patch to protect against the attack. Apple declined to comment.
Even if the announcement is a publicity ploy – as some security researchers believe because neither the team’s identity nor the exact details of how it broke through iOS’s defences have been revealed – there is something that we can learn from the competition.
And that is the economics of hacking and the good, the bad, and the questionable ways to make money by finding bugs in software.
First there are “white hat” hackers who work with companies to protect software.
Many work at penetration testing
Some companies pay fairly significant rewards. For example, Microsoft’s programmes will pay up to $15 000 (about R210 000) for an individual bug and up to $100 000 for previously unknown techniques which can sometimes require developers to rethink the architecture behind a system.
And this market has become more organised in recent years, with companies like HackerOne popping up to help connect researchers to companies that offer such programmes.
However, not all tech companies – even ones that are good about working with researchers who come forward with problems – have formal bounty systems.
For instance, Apple, which has a generally positive reputation among researchers, doesn’t have a formal bug bounty programme. And in some cases, companies new to the vulnerability disclosure process may feel threatened by a third- party researcher attempting to tell them about a problem and react with legal threats.
“Often security researchers are threatened with lawsuits under the Computer Fraud and Abuse Act or the Digital Millennium Copyright Act in the US, and there are similar laws around the world,” explained HackerOne chief policy officer Katie Moussouris. “But this doesn’t actually benefit the company in question. It may temporarily silence researchers, but the flaw is still there,” she said. – Washington Post