Bug Bounty Programs, the Way to Turn Black Hats Into Ethical Hackers: Interview with Zerocopter's Edwin van Andel
Bug bounty programs are spreading more and more nowadays, as companies try to get help from ethical hackers in fixing their security problems. Over the years, companies have either chosen to start their own, in-house programs, or turned to platforms such as HackerOne to get the job done.
The result is that everyone is happy - companies secure their systems and apps, while hackers line their pockets while also testing out to see how good they are.
We wanted to have a chat with Edwin van Andel, ethical hacker and CEO of Zerocopter, about the benefits of this type of bug bounty programs, how they'll affect long-term online security and more.
Q: How do you think bug bounty programs will change security in the years to come?
I think they already do. At the moment you clearly see the big companies who already do a lot of pentest look for a ‘second opinion’ and start a bug-bounty program. For now only the big companies, but I think that this process will slowly ‘sink’ lower, and more and more companies and governments will be starting a (managed) bounty program.
Q: Do you think having a bug bounty program will become the norm for tech and non-tech firms across the world?
Yes, as long as the companies have a strong tie with the internet, either via their products, or via their brand and marketing. The smaller companies and the companies that sell services and not rely on the internet for business or brand will probably lag behind a bit.
Q: What are some of the reasons why hackers choose the white hat over the black one?
Hacking is becoming more and more a sort of accepted profession. This means that hackers can now legally show their skills to the world, either via a bug bounty program or via Responsible Disclosure. Most hackers want to show the world how good they are, more than that they want the money. But of course also getting the money is most welcome, so the higher the bounty, the more hackers are willing to ‘do it legally’ and -as an added bonus- not have to look over their shoulders the whole time because they did something illegal.
Q: Do you think it's a good idea for the Pentagon to run bug bounty programs?
Yes, I think all governments and related institutions should eventually go for bounty programs. The fact that the Pentagon even gets reports from hackers from Iraq and Iran shows that hackers are willing to help, not hindered by politics or race, to create a safer internet.
Q: Which type of program do you believe is best and most efficient - in-house or via Zerocopter or HackerOne? Are there any differences?
If you opt for an in-house program, you have to deal with a lot of factors. You need to respond quickly, in the right tone and also know what you're talking about. Then you have to keep sending updates on your mitigation process, and in the end you have to reward the hackers quickly and in good mutual agreement. All these things can sometimes be hard and difficult. If you run a program with Zerocopter or H1, you get a lot of the work and interactions done for you, plus you have a buffer that will sometimes give you a bit more time to internally fix your problems, or help you with issues that are not clear or maybe need a mediator.
Q: Is the attraction of the bounty enough to maybe even turn black hats into ethical hackers?
Yes. It gives them peace and quiet, extra earnings and a way to show the world how smart they are. And as I tell the world in my presentations: Most hackers are good hackers. Willing to help. Willing to assist in creating a more secure connected world.
Q: You were just at Defcon where Marcus Hutchins, also known as MalwareTech, the WannaCry hero, was arrested and accused of creating banking malware Kronos. Many believe this type of action against a white hat hacker is going to affect the way other ethical hackers collaborate with law enforcement. How do you see the situation of his arrest? How will it affect the work of ethical hackers?
Yes, there was some concern that the FBI arresting a hacker after Defcon would be a huge step back in the acceptance of hackers and pushing the word “hacker” back into the dark again. But for now, it seems to be mostly okay.
If you are a researcher, you have to study your targets. So if you study malware, you have to have and work on malware samples. Now if he sold them, that would be wrong. But if he merely studied and bettered the samples in a lab environment, then it should be okay. So we’ll have to wait for the outcome of his case.
I don’t really think ethical hackers will now work less with the government or law enforcement, just based on this incident.
What it did show though is that the hacker community is still tight. Within hours of the news of his bail height, a group of hackers started a fundraiser to get the bail paid.