Bug hunters: The hackers earning big bucks… ethically

The term hacker is often used pejoratively, but the ability to spot weaknesses in companies’ software and cyber-security systems is in high demand. Ethical hackers are now earning big bucks and the industry is growing.

James Kettle is a bug hunter – not of the insect kind, but of software.

He scans through pages of code looking for mistakes – weaknesses that criminals could exploit to break into a company’s network and steal data.

His computer science degree was a little slow-paced for his tastes so he looked around for something else to do and came across “bug bounty” programmes run by Google and browser maker Mozilla.

These are schemes that pay cash to hackers for spotting mistakes, or bugs, in companies’ software.

“They really made you work hard for each one and it took about 50 hours per valid bug I found,” he recalls.

The payoff, apart from the cash, was that he was struck by an insatiable desire to keep finding flaws in code. And this eventually turned into a lucrative career.

And he’s very good at his job.

What you need to find bugs

  • Insatiable curiosity
  • Solid technical expertise in web and networking technologies
  • Patience and dedication
  • Puzzle-solving abilities

He’s now one of the top-earning bug finders on Hacker One, a service that matches hackers with companies and governments looking for experts to test their software.

These elite ethical or “white hat” hackers can earn more than $350,000 (£250,000) a year. Bug bounty programmes award hackers an average of $50,000 a month, with some paying out $1,000,000 a year in total, say industry insiders.

Finding a bug that has never been found before is very rare and can lead to significant payouts, perhaps in the hundreds of thousands.

Mr Kettle works for software company PortSwigger, which makes the Burp Suite tool that many hackers use to probe websites to see if they are ripe for exploitation.

“I find new ways of hacking into websites and automating that, and I use bug bounties to prove my new techniques work,” Mr Kettle tells the BBC.

“It’s fun and challenging.”

Most software contains mistakes because it’s been written by fallible humans, and criminals are constantly scanning code for these vulnerabilities, often using automated tools.

So it’s a race to find these weaknesses before the bad guys, or “black hat” hackers, do.

The problem is that until recently few firms have had enough eyes to throw at the problem. So they’ve been crowdsourcing expert help from firms such as Hacker One, Bug Crowd and Synack.

These act like agents for vetted ethical hackers, managing the bug bounty programmes, verifying the work done, and ensuring confidentiality for their clients.

Hacker One, the largest of the three best-known bug bounty firms, has more than 120,000 hackers on its books and has paid out more than $26m (£18.5m) so far, says Laurie Mercer, a senior engineer at the firm.

“Bug bounty programmes offer a way for organisations to ‘outsource’ application security testing, but it comes at a cost,” says Bob Egner, vice-president at security firm Outpost24.

“You have to pay a crowdsource bug bounty vendor to introduce your application to their independent researchers, manage the programme for you, and ultimately pay for any bounties required.”

But the risk of not doing enough to find these vulnerabilities is a potential hack attack resulting in stolen data, financial loss and damaged reputation. According to a recent report by security firm Nuix, 71% of black hat hackers say they can breach the perimeter of a target within 10 hours.

Swedish bug hunter Frans Rosen is using his bounty income to fund tech start-ups.

“We use the bug bounty money as the seeding investment,” he says. “It’s a fun way to use the money.”

The cash enables the start-ups to get established and do some development of their products or apps, he says. As a former web developer, he knows what can go wrong when websites are being set up and run.

“After that we help them get the scale investment to fund them properly,” he says.

Not all hackers who find bugs work for an established security firm, however, so being represented by a company such as Hacker One or Bug Crowd gives them credibility when they want to alert companies to security vulnerabilities.

Security tester Robbie Wiggins says telling a firm that its website or apps can be hacked is always tricky.

Often there is no formal reporting structure, he says, apart from a generic admin email address. Bug bounty firms help get the error reports in front of the right people.

But the rapid growth in bug bounty programmes and the significant cash rewards has made it a crowded field, he says.

“It’s constantly changing and finding bugs is getting harder.”

So he specialises in finding firms that have made mistakes with their Amazon cloud storage accounts. So far, he’s found more than 5,000 that look like they are wrongly open to the public.

“Bug bounty hunting is now a hobby and helps every now and again when I need some extra cash for the kids,” he says.

Another advantage of such programmes is that they can keep hackers away from the dark side.

“Bug bounty programmes provide a legal alternative for tech-savvy individuals who might otherwise be inclined to the nefarious activities of actually hacking a system and selling its data illegally,” says Terry Ray, chief technology officer for data security firm Imperva.

Perhaps it’s time more hackers came in from the cold?

KeepVid scraps YouTube-ripping function in favour of legal approach

A popular website that let people save or “rip” videos from services such as YouTube has unexpectedly turned into a copyright advocacy site.

KeepVid let people download copies of videos that could not officially be saved from YouTube, Vimeo and others.

But the service has now been removed from its website and replaced by a page of guidance on terms and conditions.

The terminology used suggests it has now become aware of legal restrictions on downloading from sharing sites.

Journey of discovery

In an update to its website, KeepVid said it had discovered that ripping videos from YouTube was against the site’s terms and conditions.

“KeepVid unveils that users aren’t allowed to download videos from YouTube,” it said.

It revealed that “there are many video-sharing sites in the market” and offered to “introduce” visitors to services such as Netflix and Spotify.

It said it had “found out” that Netflix was “a very popular place to watch and download videos to your computer”.

Download by subscription

KeepVid was often the top search result for people who were looking for a way to rip videos from YouTube and Vimeo.

For a majority of videos, YouTube does not offer an official way for people to download and keep them.

However, subscribers to its premium tier, YouTube Red, can download videos to watch offline within the YouTube app.

KeepVid operated its service for free on its website and through paid software called KeepVid Pro. Both services have been discontinued.

The company has not explained why it has decided to close its service. However, it said it hoped the video market would be “organised to meet people’s requirements”.

“Video downloading will become possible if the video download tools and video sharing platforms reach an agreement about downloading videos,” it said.