
Bug Bounty: ethical hacking without a contract

29 May 2024
Cybersecurity certifications
Marta López

Ethical hacking, also known as pentesting, is a process in which a professional assesses the security of a company. It is carried out under an agreement between both parties that details the procedures to be performed and the permissions granted to the ethical hacker to access data and systems.

What is the bug bounty?

In a technological world, a cybercriminal finding a loophole that gives access to a company's files can translate into huge losses. Ethical hacking is often used to close these security loopholes, and this is where the bug bounty, or bounty hunting for flaws in cyber defences, comes in. It is a programme offered by some companies and organisations to incentivise researchers to find and report vulnerabilities in their networks, systems and applications. The main objective is to identify and correct existing security problems before they can be exploited by cybercriminals. Researchers who discover bugs can receive financial incentives or other rewards, such as being featured in a hall of fame on the company's website.

How does the bug bounty help the ethical hacker?

For an ethical hacker, the bug bounty is a crucial opportunity to demonstrate their skills, especially if they have no formal experience in the sector. The programmes are competitive and open-ended in nature, allowing participants to show their capabilities in relation to other competitors. Being able to show results and the procedures performed is a fundamental component for a professional of this kind. The experience accumulated through bug bounties can make a significant difference to a cyber security professional's CV.

Why would a company consider doing bug bounty?

Companies are considering implementing these programmes because they allow them to identify and address vulnerabilities more efficiently and cost-effectively than more traditional audit methods. The mobilisation of diverse and specialised talent facilitates the discovery of problems undetected by internal teams within the organisation. In addition, companies' reputations are enhanced by demonstrating how committed they are to security and transparency.

Advantages of the bug bounty versus traditional reporting

Bug bounty platforms offer some significant advantages over the manual management of a vulnerability report:

  • Robust and standardised infrastructure: they facilitate communication between professionals and companies throughout the entire process, from the publication of the offer to the management of payments and rewards.
  • Established and verified hacker communities: they simplify the task of finding qualified talent that fits the company's needs.
  • Automated processes: the administrative and monitoring side is automated, allowing companies to focus on solving problems rather than managing the programme.

Traditional reporting involves more work for both parties in every respect, but there is one main reason why ethical hackers tend to opt for platforms: trust. Sending an unsolicited vulnerability report to a company can result in an accusation of fraud or deception that could damage the professional's reputation. Using a platform offers a degree of security to both parties: the company is actively seeking that report, and the hacker can submit it without fear of legal reprisals or accusations.

HackerOne, the most famous bug bounty platform

HackerOne is one of the platforms most chosen by companies and ethical hackers for bug bounty practice at a global level. On it, we can find the programmes of corporations such as Amazon, LinkedIn or Epic Games, among others. Each company registered on the platform defines the scope, rules and rewards depending on the specific vulnerabilities found. The practitioner can then decide which programmes they are interested in and proceed to look for weaknesses to include in their standardised report. If the company confirms the vulnerabilities, the hacker is rewarded as stated in the announcement.

[Figure: example overview of bug bounty programmes within HackerOne (source)]

In short, the bug bounty is an invaluable tool for an ethical hacker, especially for those who are just starting out or who want to practise their skills in a safe way. The automation of management processes facilitates communication between the professional and the company and increases trust, improving the experience for both.
