Imagine you’re one of those eccentric millionaires, and you offer to pay burglars up to $10,000 for finding new ways of breaking into your plush mansion. More specifically, imagine incentivizing a whole subculture of activity that’s centered exclusively around gaining unauthorised access into your home, around vandalizing and defacing it so it’s no longer even inhabitable. Also, by “burglars,” imagine that not only card-carrying criminals are encouraged to participate in your little scheme, but also locksmiths, construction workers, parkour traceurs, and anyone else who might conceivably have the ability to jump the fence into your back yard or dig a tunnel into your front room.
Does this sound like an attractive way of improving your security? Well, no, is the simple answer, but this hasn’t stopped Uber from joining the long list of tech companies who are encouraging a legion of computer-savvy whizzes to hone their hacking skills, that is, to hone their ability to disrupt the systems on which we all increasingly rely. On Tuesday March 22, they announced a ‘Bug Bounty Program,’ which will dish out either $3,000, $5,000 or $10,000 depending on the severity of the threat exposed by its willing volunteers. This brings the transportation company into line with the likes of Google, Microsoft, Facebook and Twitter, who all effectively bribe so-called ‘security researchers’ away from using their skills for nefarious ends.
From one perspective, such ‘bug bounty’ schemes have met with considerable success. For instance, since the Facebook program kicked off in 2011, it has awarded more than $4.3 million to over 800 ‘researchers’ for nearly 2,500 valid bug identifications. Still, that so many bugs have been uncovered and ransomed off doesn’t mean that they’ve been completely eradicated or that we’re any safer. In fact, the quantity of valid submissions has remained fairly stable over the program’s duration, with 2013 witnessing 687, 2014 seeing approximately 727, and 2015 seeing 526. That these figures have remained relatively constant affirms that the individuals who find them are paid off, not because their work makes or will ever make Facebook an inviolable, bug-free domain, but because Facebook and companies like it want to buy their silence, and don’t want to invest enough money into making their platforms more robust from the get-go.
In other words, these bug bounties aren’t directed towards the stamping out of all glitches and vulnerabilities, since new glitches and vulnerabilities will always arise to replace those exposed by the hackers-for-hire who accept Silicon Valley’s ransom money. Instead, they’re directed towards bribing hackers and ‘researchers’ not to exploit the manifold weaknesses that exist within websites. Not only that, but their aim is to stop the public from learning of these weaknesses, of how the sites they use daily are riddled with holes and flaws that put their data and their privacy at constant risk. Because so many tech corporations are paying to cover up their shortcomings and failures like this, it’s almost as if they’re paying blackmail money rather than making us fundamentally safer.
That they’re paying for the silence and good behavior of potential hackers as much as for the removal of existing glitches is evident in the non-disclosure clauses attached to bug bounty programs. With the recently announced Uber arrangement, participants aren’t able to speak or write about the flaws they discover, at least not until those flaws have been completely patched by the company’s own programmers. As such, the hackers involved are essentially being paid not to talk, not to share details on the often risky state of Uber’s systems.
Which is fair enough, because the alternative for Uber would be to allow these same hackers to harness the vulnerabilities they dig up for criminal purposes. Nonetheless, aside from how paying people not to do things that feed into crime is borderline unethical and unsavory, it’s quite probable that bug bounty programs feed into crime themselves. This is because, by incentivizing people to look for glitches in websites, companies like Uber and Facebook are incentivizing an increasing number of people to develop the skills that put computer systems and the people who use them under threat.
That they’re attracting more than the usual experts and trustworthy professionals is visible, for instance, in the list of commonly submitted false positives Facebook publishes. These false positives include such non-bugs as profile pictures that are always public (they’re meant to be), being able to message anyone else on Facebook, being able to create an account in someone else’s name, public accounts that are, well, public, and so on. From such seemingly obvious false positives it emerges that, of the 17,011 total submissions Facebook received in 2014 (of which only about 727 were valid), a considerable number must have come from amateur or even beginner hackers.
The upshot of this is that, if bounty programs become the norm for tech corporations like Uber, then such hackers may not remain amateurs or beginners for long. They’ll be motivated to learn more about computer security, and they may eventually cultivate the abilities and the resources to cause serious headaches for companies and their customers. Moreover, given that the corporations they deal with are too ‘economical’ to make them employees, and given that most of them aren’t paid anything at all for their submissions, their lack of dependable rewards will mean that they’ll have very little loyalty towards the companies they intermittently serve, Uber’s very revealing “loyalty system” notwithstanding. This might, therefore, end up creating a growing underclass of disaffected and underemployed ‘security researchers’ who would rather cause trouble for Facebook, Microsoft or entire nation-states than help them out.
Such a scenario might be purely hypothetical at the moment, yet the recent news that cyberattacks on US federal agencies rose by 10% in 2015 suggests that hackers are growing in number. So too does a study by the Ponemon Institute from last year, which revealed that the annual cost of cybercrime to American firms and institutions more than doubled between 2010 and 2015; 2010, incidentally, was one year before Facebook inaugurated its bounty program. In light of such data, Uber and companies like it might want to reconsider their policy of publicly outsourcing their all-important security research to unaffiliated freelancers, since even if their cold efficiency might save them the cost of employing talent on a full-time basis, it might just create costs for all the rest of us somewhere else down the line.