
Silicon Valley Companies Pay Hackers ‘Bounties’ to Find Flaws Before Crooks Do

With crooks paying 10 times or more for the same information, some experts warn, businesses will have to greatly increase what they offer to keep pace with the bad guys.

(TNS) -- With cyberattacks seemingly getting worse every day, a bidding war has broken out between Silicon Valley tech giants and black marketeers for the talents of hackers who spot software vulnerabilities that can be used to steal everything from corporate trade secrets to consumers' financial information.

Increasingly, local firms -- including Google, Facebook and Mozilla -- are offering "bug bounties" worth thousands of dollars to outside code crunchers who spot such flaws. But with crooks paying 10 times or more for the same information, some experts warn, businesses will have to greatly increase what they offer to keep pace with the bad guys.

"The trajectory we're on now is completely unsustainable," warned Vikram Phatak, CEO of NSS Labs, an Austin, Texas, security firm that is among those calling for bigger hacker payouts. "There will not be a person in the country who will not have a compromised computer if this goes on. We are ripe for having a major catastrophe."

NSS Labs has proposed creating a centralized program, where companies with large numbers of bugs -- including Oracle, Apple, Google, Mozilla and Adobe Systems -- would be required to pay at least as much as the black market for software weaknesses called zero-day vulnerabilities, which are newly discovered but not widely known. Those flaws can command up to $300,000 from crooks, according to a study this year by Rand, although some experts put the price at up to $1 million.

But the NSS Labs idea has gained little traction. And some major software firms have resisted paying any bounties.

That includes Adobe, which disclosed last year that it suffered an attack that accessed 38 million user passwords. Instead, Adobe works with its "customers and researchers in the security community who report vulnerabilities," and acknowledges their tips on its website, according to spokeswoman Heather Edell.

Others who reportedly don't offer bounties include Apple, Cisco Systems and Oracle, whose Java software has been widely criticized for years as being so buggy that it's an easy target for hackers. All three firms declined to comment.

Some other companies that do pay bounties have boosted them recently, though the amounts typically still don't match what can be had from the cyber underground.

Last year, for example, Yahoo was deeply ridiculed when a chink in its software was discovered by security firm High-Tech Bridge, and it rewarded High-Tech with a $12.50 discount on T-shirts, pens and other items at Yahoo's company store. After High-Tech Bridge huffed that the amount was "a bad joke and won't motivate people to report security vulnerabilities," Yahoo upped its bounties to $15,000.

In September, Google began offering $15,000 for "usual" vulnerabilities -- three times what it previously had paid -- while noting in a blog that one "very impressive" bug disclosure earned $30,000. Although Facebook says its average bounty is a little more than $2,000, it noted in a recent blog that it paid $33,500 for a particularly bad bug somebody discovered. And Microsoft, after resisting the idea, last year began offering bounties worth up to $100,000.

Other companies eager to learn where they are vulnerable hire outside firms such as 2-year-old Bugcrowd of San Francisco, which pays up to $20,000 for flaws found by its worldwide team of more than 13,000 hackers -- a term that broadly refers to anyone with programming expertise, including people with purely legitimate intentions.

Among Bugcrowd's most prolific bug catchers is Ben Sadeghipour, a 24-year-old Sacramento State University student majoring in computer information security, who said he learned hacking as a child to circumvent the password his mom used in hopes of keeping him off her computer.

Estimating that he's earned about $23,000 for the 30 or more bugs he's found this year, Sadeghipour said he's been contacted by black-market types offering to buy the vulnerabilities he identifies, though he said he's never accepted their overtures, adding, "I don't want to make dirty money."

Synack of Redwood City, which was founded in 2013 by two former National Security Agency officials, uses a different approach for finding software flaws, said Vice President Gus Anagnos, who formerly ran PayPal's bug-bounty program.

Instead of recruiting hordes of hackers, he said, it pays bounties of up to $5,000 to a highly vetted "red team" of corporate security specialists, academics and "members of the government," though he declined to comment on news reports that some of those specialists are NSA employees.

Some companies also reportedly sell zero-day bugs they discover to government buyers around the globe, including U.S. intelligence and military agencies, which use the information to develop so-called exploits that can infiltrate an adversary's computers.

Although several U.S. agencies -- including the NSA -- declined to comment, a 2013 report by a presidential advisory group acknowledged that "in rare instances, U.S. policy may briefly authorize using a zero day for high priority intelligence collection."

But critics fear that U.S. and other authorities sometimes fail to correct these flaws, leaving the public dangerously exposed, and that the purchase of bugs by various nations is fueling the black market.

"The actions of world governments to buy these things has made it more likely that hackers will sell vulnerabilities and we will all remain vulnerable," said Bruce Schneier, a fellow at Harvard Law School's Berkman Center for Internet and Society.

Discovering such weaknesses isn't easy, even for companies that design software. That's largely because "when computer science majors in schools are taught code, they are not taught about security vulnerabilities," said Lillian Ablon, who co-authored the Rand study.

Until that changes, many experts believe, hiring hackers to find the flaws makes sense.

"As long as we have software, we're going to have bugs," said Robert Capps of Sunnyvale security firm RedSeal Networks. Consequently, he added, "with a lot more eyeballs on the problems, we can get those holes fixed much faster, which is good for the consumer as a whole."

Contact Steve Johnson at 408-920-5043. Follow him at Twitter.com/steveatmercnews.

———

©2014 the San Jose Mercury News (San Jose, Calif.)

Visit the San Jose Mercury News (San Jose, Calif.) at www.mercurynews.com

Distributed by Tribune Content Agency, LLC