SINT MAARTEN—David Jacoby and Frans Rosén want security researchers to become more altruistic about how they approach bug bounty programs.
While programs such as those facilitated by HackerOne and BugCrowd have become ubiquitous over the last several years, the researchers said in a talk at Kaspersky Lab’s Security Analyst Summit that bug hunters should also think about contributing to the greater good.
“We have so much money in this industry… we have so much money but we do so little. When was the last time you did something good?” Jacoby asked the crowd.
The idea helped drive the researchers, who recently raised $15,000 for charity by working with companies that had never before given money away for security.
Jacoby, a senior security researcher with Kaspersky Lab’s Global Research & Analysis Team, and Rosén, a knowledge advisor at the Swedish security firm Detectify, described how they went about inventing – in their words – a “mutation of a bug bounty program.”
Jacoby and Rosén’s initial goal was to spend a weekend hacking and raise 100,000 Swedish Kronor, roughly $11,000 USD, for charity. While the two fell short of their goal – they raised $2,000 – they helped fuel conversation around a new project. Jacoby found himself on the phone with companies in his native Sweden, sometimes up to four hours at a time, discussing bug bounties.
Bug bounty programs haven’t really caught on in Sweden yet, Rosén said, which is part of the reason he thinks their project had traction. The companies the two talked to didn’t have a budget set aside for security issues, let alone a bug bounty program.
“It was actually quite cool, we’d contact companies that would never ever participate in a bug bounty program – they’d say they didn’t have the budget,” Jacoby said, “but I wound up talking to companies’ marketing departments – which did have money and wanted to help charities.”
Jacoby and Rosén, assisted by three other researchers, began by offering firms a 24-hour pen-testing window, pro bono. Instead of paying them for their work, the researchers challenged the company to instead donate to a charity of their choice.
“Everyone we called wanted to do this, it was amazing,” Rosén said.
The idea really clicked with a Swedish ISP, Bahnhof, which Jacoby said was interested in donating money to charity in exchange for pen-tests on a monthly basis.
“It’s proof that people want this,” Jacoby said.
Jacoby said that Rosén’s experience with bug bounty programs proved beneficial in crafting the program. Rosén has discovered hundreds of bugs over the years – nearly 500 according to HackerOne – including several in services such as Vimeo, Dropbox, Yelp, and GitLab. Just last month the researcher earned $3,000 for a cross-origin bug in Slack.
As part of the project Jacoby and Rosén didn’t touch the money, nor did they tell companies which charities to give funds to.
“We were only performing the pen-tests for the audit, we were finding the bugs. It was the companies who decided where to donate money,” Jacoby said. “We would have companies donate to charities that helped children, animals; we even had one company that wanted to use the money and give it to children to attend security conferences.”
The researchers ended the talk with a call to action, asking like-minded researchers to take the idea and run with it. Jacoby thinks the concept wouldn’t work if it were overseen by a massive corporation, but could work well in small groups of people like theirs, especially if it were done on a regional scale.
“If we could get companies to donate money locally – let’s say for a girl who wants to attend a cybersecurity conference or for a university that needs a security expert to come and speak – by using the skill set we as researchers have… I think that’d be pretty impressive,” Jacoby said.