Ethical hacking: how to make money without problems with the law

    The search for vulnerabilities resembles a lottery in which you can either hit the jackpot with a tidy sum or lose everything, including your freedom. And this is not a matter of luck, but of a clear understanding of the boundaries of ethical hacking. We decided to spell out in plain terms how to hunt for bugs in other people's systems legally.

    Bug hunter in a million

    Ethical hacking is a legitimate form of hacking in which you find flaws in other people's systems and draw the developers' attention to them. This is done by white hat hackers. They are opposed by black hat hackers: criminals who use their knowledge with malicious intent. If the former look for vulnerabilities in order to close a security hole in the system, the latter break in to compromise it.

    The most popular form of ethical hacking is the bug bounty program: a search for bugs in exchange for a reward. Such programs are already over twenty years old. They let companies detect and fix bugs in their products before attackers learn about them.

    Usually it happens as follows: the company announces a competition to search for vulnerabilities in its systems and states the amount of the reward. After that, the company's information infrastructure (device / program / application) is probed from all sides by numerous experts (pentesters). In some cases, corporations announce a closed program. In that case, the organizer selects the potential participants itself and sends them invitations and the conditions for participation.

    There are two major platforms that bring together vulnerability researchers and companies that want their services tested: HackerOne and Bugcrowd. In effect, they aggregate the programs of IT companies, and registered participants can choose whichever is of interest to them. Both platforms now bring together thousands of information security experts from different countries. Even government agencies use such services: for example, the Pentagon chose HackerOne to launch its Hack the Pentagon program.

    Bug bounty programs pay out very decent sums. Last year, HackerOne published its Hacker-Powered Security report, according to which in 2017 the average reward for a found bug was more than $1,900. In total, over the past 4 years, white hat hackers have been paid more than $17 million for 50 thousand bugs found.

    The bug bounty model itself is owed to Netscape Communications Corporation. Its Netscape Bugs Bounty service, launched in the mid-90s, made it possible to search for defects in the Netscape Navigator browser for a fee. The company was one of the first to realize that thousands of outside IT specialists paid to find weak spots can do better than its own developers. The idea proved so successful that the model was soon adopted by well-known IT corporations.

    Russia does not stand aside either. Not only large companies (Yandex, Kaspersky Lab) turn to white hat hackers for help, but also the state. This year, a centralized program to search for vulnerabilities in state-owned IT systems and vendor products will be launched in our country. Through the end of 2020, it is planned to spend 800 million rubles on it. This is a very telling initiative: around the world, ethical hacking has long been more popular and more profitable than crime, since unauthorized hacking carries a real prison term. In bug bounty programs you can earn good and, most importantly, honest money.

    When hacking can land you in court

    Searching for vulnerabilities is not just a game where you pick a target you like, select a weapon, find a bug and win a prize. It is a whole procedure with its own rulebook. One step to the left, and it's "Long live our court, the most humane court in the world." What is the catch?

    If a company does not have a bug bounty program, it is better not to tempt fate. For example, an 18-year-old found himself in a difficult situation after being arrested for a vulnerability he found on the website of the Hungarian transport company Budapesti Közlekedési Központ (BKK). Using the browser's developer tools, the researcher made a number of changes to the page's source and thus managed to fool the system by "lowering" the ticket price from $35 to 20 cents. The young hacker did not exploit the vulnerability and honestly reported the bug to the company's management. But instead of gratitude, they filed a complaint with the police.

    The conclusion from this case is simple: participate only in official bug bounty programs, where all procedures are clearly regulated. Otherwise, expect a call from the authorities. The principle "I'll break in quietly, just take a look out of curiosity, and then ask for money for my work" will not work. There is even a term for this: Gray Hat.

    Curiously, conflicts can arise even with companies that have their own bug bounty programs. Recall the case in which Synack security specialist Wesley Wineberg found three vulnerabilities in the Instagram infrastructure that gave him access to almost all of the application's sensitive data. For the first bug he received a reward of $2.5 thousand, but for the second and third he had to fight. Facebook officials told the researcher that he had violated the rules of the bug bounty program. An official statement published by representatives of the social network emphasized that Wineberg had no right to extract user and system data. His actions were considered highly unethical. Only media attention protected him from unpleasant consequences on the company's part.

    Conclusion: pay close attention to the list of vulnerabilities that fall within the scope of the bug bounty, comply with the responsible disclosure policy, and do not try to gain access to personal data.

    The Criminal Code warns

    Russian hackers should remember that the Criminal Code of the Russian Federation is harsh toward any attempt to break into someone else's infrastructure. Punishment can come at once under three articles (Articles 272, 273, 274), which threaten not only fines but also a real prison term for illegal access to computer information, distribution of malware, and violation of the rules for storing, processing and transmitting information.

    So far, Russian legislation has no clear definition of exactly which actions involving network resources are criminally punishable. The boundaries of ethical hacking are therefore very blurred, and this uncertainty creates a situation in which any dubious behavior draws the attention of the security services.

    Even if your goal is only to practice and train your skills, you should not recklessly engage in active reconnaissance of other people's resources, for example: enumerating site directories, using an intercepting proxy (Burp) to manipulate requests, scanning ports, or running vulnerability scanners.

    Legal hacking: without a trial

    Now let's talk about the legal side of the matter. To receive money and fame from a bug bounty, you must carefully read the rules of the competition that the company launches. Russian programs may impose additional requirements on participants, for example "Russian citizens only" or "tax residents of the country only". Important: the competition itself must be aimed at achieving socially useful goals. If this condition is not met, the event turns from a competition into criminal activity.

    The official documentation of a bug bounty program should also state the requirements for participants, the dates, and information about the product under test. The organizer must specify how information about identified vulnerabilities is to be submitted and the procedure for its public disclosure, the criteria for assessing vulnerabilities and, of course, information about the reward. And that is the most pleasant part.

    Who earns how much? Russian bug hunter Ivan Grigorov said in an interview that "according to some top hunters, 25 thousand dollars a month is not a problem for them." Another example is bug hunter Mark Litchfield, who described how he earned more than $47,000 in a month searching for vulnerabilities.

    There are also one-time, especially large payments. Last year, Microsoft announced the launch of a bug bounty for Windows with a maximum reward of $250,000. The money was promised for vulnerabilities in the hypervisor and the Microsoft Hyper-V core that could allow remote code execution. A little earlier, Facebook paid $40,000 to Russian information security specialist Andrei Leonov for a single critical vulnerability.

    Google has at one point paid experts over $6 million, and Facebook, over the five years of its bug bounty's existence, has paid honest hackers $5 million.

    The figures above confirm that bug bounties have become a good supplement to regular work, or even the main source of income, for pentesters. To participate successfully in such programs, you need to know the methods of finding and exploiting vulnerabilities, primarily in web applications, and to comply with ethical standards and the company's rules.

    In any case, getting trained and becoming a white hat hacker is much safer and more profitable than turning to crime. The need for ethical hackers is constantly growing, and given the avalanche-like growth of new IT areas (blockchain, big data, IoT), this need will only increase.
