In The Art of War, Sun Tzu wrote, “If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.”
What this brilliant general said more than 1,500 years ago about armies wielding swords, shields, and crossbows in ancient China holds just as true for IT teams fighting network hacking: knowledge of the enemy is a game-changing asset in battle.
Today, many of the tech industry’s most powerful companies have deployed bug bounty programs that invite white hat hackers to attempt breaking into their company networks. They recognize that the people with the greatest reservoir of knowledge and insight about hackers are hackers themselves. But unlike hackers who make a living ripping credit card numbers from databases and blackmailing cheating spouses in exchange for Bitcoin, they’re hackers who use their skills for noble rather than nefarious purposes.
A brief history of bug bounties
Bug bounty programs have been around for more than 20 years. Netscape launched the first in 1995, offering cash rewards to users who could find security bugs in the Netscape Navigator 2.0 beta. But this strategy didn’t attract attention until the Mozilla foundation launched a bug bounty program in 2004, promising $500 to any user that reported a critical security vulnerability in Mozilla software. When Google announced its own bug bounty program in 2010, followed closely by Facebook’s white hat program in 2011, bug bounties officially hit the mainstream.
As popularity and legitimacy grew, so did the reward sizes, making organizations outside tech notice and begin exploring bug bounty programs of their own. Western Union and United Airlines recently introduced their own bug bounty programs, and earlier this year, the Department of Defense (DOD), a common target for hackers, announced the launch of the “Hack the Pentagon” pilot program. The DOD will start by paying independent security researchers to find vulnerabilities in the Pentagon’s public websites, and ultimately the program will extend to less public targets, including its networks. It marks the first time the U.S. government has adopted a bug bounty program and shows just how effective this approach is at boosting security, thwarting hackers, and deterring network hacking. Katie Moussouris, chief policy officer at HackerOne, recently told Wired, “You can’t find all the bugs yourself. Whether you’re a well-funded government like the U.S. or anyone else, you have to work with the hacker community.”
Sleeping with the enemy
No piece of software is perfect, especially from day one, and internal teams can’t always flag them all on their own. There are a lot of reasons for this: Maybe they’re too familiar with the software, so the cracks slip by unnoticed. Maybe a certain bug is only identifiable by someone who has seen something similar before and/or who has a unique perspective. Maybe there are too many bugs for a single team to handle. As for hiring hackers instead of security pros, sometimes it takes a hacker to know a hacker, or at least what hackers look for when they eye a target for a network hacking job. Google, Facebook, Square, Yahoo!, Apple, PayPal, Amazon Web Services, and Twitter—they’ve all hired white hat hackers to test their networks. And they’ve paid out millions.
Bug bounty programs apply the wisdom and scale of the crowd to suss out vulnerabilities. The Harvard Business Review found that groups of diverse problem solvers can outperform groups of high-ability problem solvers, while a concentrated knowledge base will have a narrower perspective. By inviting large, diverse groups of people with a variety of experience and expertise to look for bugs, businesses are able to cover as much ground as possible. They can fix weak spots before the “bad guys” find and exploit them.
It’s also cheaper than hiring a dedicated internal team. A team of researchers from the University of California, Berkeley found that bug bounty programs are “economically efficient, comparing favorably to the cost of hiring full-time security researchers.” Most companies can’t afford to have thousands of people on staff dedicated to looking for bugs—bug bounty programs dramatically boost their bandwidth without requiring hefty resources.
They also work really well. BugCrowd’s The State of Bug Bounty July 2015 report revealed that security researchers find more than four high- or critical-priority vulnerabilities within a single software program. Armed with this information, businesses are better able to protect their network and their end-users from being compromised.
Inviting white hat hackers to search for bugs prevents network hacking in a scalable, affordable, proactive, and highly effective way. Rather than scrambling to repair damage (or living in fear of attack), companies can focus on the things that really matter, like building their businesses. As Sun Tzu said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” Victory will be yours.