Hunched over laptops in a small room in a downtown hotel in Vancouver, they’re unlikely looking bounty hunters. No guns, no handcuffs and no bad guys in sight. Instead their prey is lurking hidden in the computer: software bugs that can be exploited by hackers intent on cracking supposedly secure websites.

For two days at the CanSecWest security conference earlier this year in Vancouver, a steady parade of security experts attacked everything from Apple’s Safari, Microsoft’s Internet Explorer and other web browsers, to Adobe’s Flash. By the end of the two days, they had collectively racked up close to $1 million. It wasn’t the ill-gotten gains of black-hat hackers, but instead prize money awarded by companies to white-hat hackers who search out bugs in software and, by doing so, help companies make the software more secure. (The term “black hat” comes from old westerns, where the bad guys usually wore black hats and the good guys wore white ones.)

“These websites are already under attack,” said Jacob Hansen, CEO and co-founder of CrowdCurity, a California-based start-up that provides companies with a platform for crowdsourcing security testing, with rewards programs. “What you do by creating a bounty program or a reward program is you are really creating a communications channel for the good guys out there.

“They can use the communications channel to identify security issues and then earn a reward.”

It also heightens their stature in the security community. Getting paid by a company like Google or Microsoft for uncovering a major glitch means more than cash: it’s cachet.

“They are able to put it on their CV, they tweet about it, blog about it, they’re recognized within the community for being a skilled security guy,” said Hansen.

Powers used for good

Vancouver’s Bex.io, which provides a software platform for Bitcoin exchanges, is among the companies that pay a bug bounty to white-hat hackers to help improve their security.
“The general idea of a bug bounty is that you put your software up to attack,” said Kris Constable, in charge of Bex.io’s operations and security. “Most software that exists today is attacked by malicious people.

“The idea of a bug bounty is to create a model where people can use those powers for good. Instead of using that vulnerability against you, they are rewarded for finding it.

“Most major companies now are offering bug bounties.”

With Bitcoin exchanges a potentially lucrative target for hackers, the stakes are high, and Bex.io has an ongoing bounty program with rewards paid in bitcoins.

Payoffs vary, and they can be lucrative. Microsoft’s bounty program pays up to $100,000 for “truly novel exploitation techniques” in attacks on the latest version of its operating system. Earlier this year, Google expanded its vulnerability reward program to include all its Chrome apps and extensions, offering rewards ranging from $500 to $10,000 US depending on the severity of the vulnerability and its potential use to hackers. Facebook offers a minimum $500 reward to white-hat hackers who uncover security bugs, with no maximum specified, and payments based on the severity and creativity of the exploit.

Late last year, Brazilian web security researcher Reginaldo Silva found a Facebook vulnerability that could have been used by hackers. Within three-and-a-half hours of getting Silva’s report, Facebook had a short-term fix live, and it later paid a $33,500 US bounty to Silva. According to Facebook, it has paid out more than $2 million since it started its bug bounty program in 2011. In 2013, it paid out a total of $1.5 million to 330 researchers worldwide.

Etsy, an online marketplace for handmade and vintage items, also offers a minimum $500 reward, with higher payouts depending on the bug found.

CEOs held accountable

While Internet security was once shrouded in secrecy, with companies preferring to simply assure their customers and users that their applications are secure, that “security through obscurity” viewpoint is coming under increasing criticism. No sooner do companies issue such reassurances than news of another major breach breaks. Most recently, eBay has warned all its users to change their passwords after hackers accessed a database with customers’ names, encrypted passwords and other personal data.

And blaming hackers is no longer enough — now, not only IT departments but CEOs are being held accountable, by customers and by shareholders. Target president and CEO Gregg Steinhafel stepped down earlier this year, his departure hastened by a massive security breach in which hackers accessed personal and financial data — including credit and debit card information — for more than 40 million customers.

Companies that use crowdsourcing to test their software say they aren’t making themselves more vulnerable to attack: hackers are testing all the time, they’re just not sharing their discoveries with their victims.

“There are two schools here, the new school and the old school,” said Hansen. “In the old school they want to hide everything and not be open and transparent around potential security issues.
“The new school realizes they need to interact with the (security) community. Nobody is 100-per-cent secure, but the best way to ensure you are as secure as you can be is to interact with the community.”

CrowdCurity lets companies set up their own bug bounty program on its website, with rewards ranging from $1,000 for a highly critical bug, to $300 for a medium one and $50 for a bug judged to be not so critical. CrowdCurity has 1,000 testers from all over the world who can choose to take the challenge and see if they can uncover glitches that could leave a website vulnerable to attack.

Displaying an assurance of security no longer guarantees a website is secure, and Hansen thinks it won’t be long before bug bounty programs become standard — meaning consumers will expect such testing. Bug bounty programs may even be touted by marketing and PR departments hoping to convince users they’re serious about security.

“It will be a requirement for users of the website that the site interact with the security community and stay transparent around their security issues,” said Hansen.

Shane Macaulay, considered one of the top bug bounty hunters in the world, was a winner in the first CanSecWest Pwn2Own contest in 2007. (Pwn is slang meaning to own, in the sense of conquering or taking over; own refers to the fact that successful hackers get to keep the laptop they hacked.)