Hello, operator, I’d like to report a bug: Why one company is offering hackers directory assistance
HackerOne, one of the leading bounty firms, is creating a system that will connect computer vulnerability hunters with companies that may not have formal disclosure policies.
Reuters / Yuya Shino
Before he cofounded San Francisco-based bounty broker HackerOne three years ago, Michiel Prins hunted software bugs for a living. Yet finding a way to report flaws that could leave users vulnerable to criminal hackers was always a hassle.
Only a handful of organizations actually had a formal policy for security researchers to call in tips, and those were mostly Silicon Valley tech firms, Mr. Prins says. So he would have to go through hoops to try to tell companies about bugs – even scouring professional networking site Linkedin for the e-mail addresses of top executives to message them directly. “Usually we would spend more time figuring out how to contact the organization and getting the issue patched than finding the security flaw,” Prins says.
Now, Prins’s company wants to change that – and streamline the time-consuming process that friendly hackers still have to deal with when trying to report bugs.
HackerOne, one of a handful of organizations around today that helps researchers get paid for finding bugs, announced last week that it was adding directory assistance to a massive list it created this summer to allow hackers to look up security contacts at major companies. Now, if hackers find the company they want to reach has no official disclosure policy, HackerOne will reach out to that firm directly to help determine the best way to report bugs, and provide that information back to the researchers.
While creating the directory, the company’s Chief Technology Officer Alex Rice says, they found that 94 percent of the Forbes Global 2000 – the world’s largest and most powerful companies from all sectors, including the cream of the crop in finance, the auto industry, healthcare, and insurance – still do not have formal channels for white hat hackers to report flaws they find to the companies. “So if you’ve found a vulnerability that you want to make sure gets fixed, the answer is, you can’t, or you need to subject yourself to personal risk,” Mr. Rice says, such as a lawsuit.
HackerOne’s move comes as the debate over whether – and to what extent – hackers should be able to breach systems and devices with the intent of exposing security flaws is heating up nationwide.
Fear of being targeted for lawsuits is real for many hackers, whose investigations to find security flaws can require circumventing copyright protection measures, which is a felony under the Digital Millennium Copyright Act (DMCA). For instance, that provision allowed lawyers from IOActive, which designs the Cyberlock digital access control systems, to threaten suit against researchers who said they found vulnerabilities in the company’s software earlier this year.
IOActive is just one of several companies who have made similar warnings: In September, cybersecurity firm FireEye obtained an injunction in Germany that prevented ERNW from releasing information about flaws that company says it found in its products (FireEye ultimately patched the bug and credited the researcher). Oracle’s Chief Security Officer has also publicly complained about researchers trying to reverse engineer their software.
It’s also an issue the US government is dealing with too: Some worry that President Obama’s proposed federal hacking statute announced in this year’s State of the Union address could broaden the Computer Fraud and Abuse Act and toughen penalties for hackers.
So, as Rice says, having a known intermediary such as HackerOne reach out to companies can help assuage researchers’ fears of reprisal. “The worst outcome is not knowing what the outcome is going to be,” he says. “Not knowing if finding and testing a security vulnerability because you happen to stumble upon is going to land you in jail.”
Others think directory assistance will do little to change HackerOne’s policy of recruiting researchers off of the open Internet, which they view as irresponsible. “You’re giving the entire world an open invitation to hack their stuff,” says Jay Kaplan, chief executive officer of Synack, another vulnerability-spotting company based in Redwood City, Calif. “Researchers just need to realize that some of these organizations won’t ever feel comfortable with that.”
Synack differs from HackerOne, Kaplan says, because it operates on a proprietary platform that requires researchers to undergo strict vetting procedures before they can log on. (A spokesperson for HackerOne says the company does not restrict hackers from registering for the site, but maintains a reputation system that rewards users that accurately report bugs.)
Despite the challenges, there are some signs that companies and policymakers both are increasingly recognizing the value of researchers and easing the legal restrictions. Last month, the Librarian of Congress lifted the ban on hacking car software under the DMCA, and the Department of Commerce is pursuing a program that could allow for safe and legal vulnerability disclosures. What’s more, an increasing number of companies outside of the tech world also have adopted responsible disclosure policies that give researchers amnesty to come forward with flaws.
Since the Internet is growing up – with some 50 billion devices estimated to be connected to the Internet by 2020, including in people’s homes and on their bodies – some in the tech world think it’s time for businesses to grow up along with it, and support developing formal processes for hackers to get in touch responsibly.
“There’s a whole new wave of technology that’s being connected and exposed to a dynamic threat environment,” says Eric Wenger, Director of Cybersecurity and Privacy Policy at Cisco Systems. “Those companies are going to have to go through the same sort of maturity process, when you start to engage with security researchers and start to have security researchers inside your company.”