
SoylentNews is people

posted by Fnord666 on Monday August 27 2018, @03:31AM
from the feast-or-famine dept.

Submitted via IRC for SoyCow4408

They are the Ubers of the digital security world. Instead of matching independent drivers with passengers, companies like Bugcrowd and HackerOne connect people who like to spend time searching for flaws in software with companies willing to pay them for bugs they find.

This cybersecurity gig economy has expanded to hundreds of thousands of hackers, many of whom have had some experience in the IT security industry. Some still have jobs and hunt bugs in their spare time, while others make a living from freelancing. They are playing an essential role in helping to make code more secure at a time when attacks are rapidly increasing and the cost of maintaining dedicated internal security teams is skyrocketing.

The best freelance bug spotters can make significant sums of money. HackerOne, which has over 200,000 registered users, says about 12 percent of the people using its service pocket $20,000 or more a year, and around 3 percent make over $100,000. The hackers using these platforms hail mostly from the US and Europe, but also from poorer countries where the money they can earn leads some to work full time on bug hunting.

[...] On the legal front, the platforms are pushing for more “safe harbor” language to be inserted in contracts governing bug bounties. The aim, says Adam Bacchus of HackerOne, is to get companies to be clear that if hackers follow the rules of engagement within reason, they won’t wind up being taken to court.

Bugcrowd has launched an initiative called disclose.io to create a standardized framework for finding and reporting bugs. This would provide explicit authorization for using bug-hunting techniques that would normally be clear violations of provisions in anti-hacking statutes. It complements a broader push in the US by groups such as the Electronic Frontier Foundation to stop companies from using laws like the CFAA to silence researchers who find serious flaws and disclose them in a responsible manner.

Source: https://www.technologyreview.com/s/611892/crowdsourcing-the-hunt-for-software-bugs-is-a-booming-businessand-a-risky-one/


  • (Score: 2) by FatPhil on Monday August 27 2018, @08:54AM (1 child)

    by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Monday August 27 2018, @08:54AM (#726827) Homepage
    At $DAYJOB, we signed up for HackerOne, and had no end of idiots claiming to have found things that were not security issues at all - most were just false positives from static checkers like Coverity. These fools seemed to think that we don't run all such static checkers internally anyway (and therefore we have a well-researched list of known false positives). $PRODUCT also happens to be one of the most well-audited pieces of open source code in existence, and zero-days, were they to exist, seem to have street value in the $$$$$s, so we didn't really expect amateurs to provide any insights. Some chump wanted payment for finding a dead link on a long-defunct website that technically belongs to us. HackerOne was a complete waste of time.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 0) by Anonymous Coward on Tuesday September 11 2018, @01:40AM

    by Anonymous Coward on Tuesday September 11 2018, @01:40AM (#733001)

    ...a well-researched list of known false positives...open source...

    Why not publish the list of false positives as comments within the code?