Ethical hackers say they lack channels for reporting vulnerabilities
A major survey of ethical hackers has found that many of them struggle to report vulnerabilities, largely because organisations do not provide secure means to do so.
The 2018 Hacker Report was compiled by cyber-security platform HackerOne, which connects businesses with a network of ‘ethical hackers’ who work to identify vulnerabilities such that they can be fixed before compromising security. Its clients include Twitter, Uber, LinkedIn, Yahoo and Snapchat.
The report – which included a survey of nearly 1700 ethical hackers – found that nearly a quarter of hackers had at some point not reported a vulnerability because the at-risk company provided no means of doing so. Providing such means would require the company to have a vulnerability disclosure policy – which normally specifies a “security@” email address – or other formal channels for safely flagging up vulnerabilities.
Alternative means of alerting an at-risk company to a vulnerability, such as emailing or tweeting to employees, are “frequently ignored or misunderstood”, the report said.
“For companies that do not have a vulnerability disclosure policy […] the most common (and legally safest path) for a white-hat hacker with knowledge of a vulnerability is non-disclosure – because there’s no way to disclose it,” the report said.
Providing formal means of receiving vulnerability reports can prove valuable to organisations: the US Department of Defense has fixed over 3000 vulnerabilities in the past 18 months via its vulnerability disclosure policy, and paid out $300,000 to hackers in the process.
According to the Hacker Report, 94 per cent of companies in the Forbes Global 2000 do not have a published vulnerability disclosure policy. However, hackers believe that change is on its way, with 72 per cent of participants stating that they felt companies are becoming more open to receiving alerts of security vulnerabilities.
A company’s vulnerability disclosure policy does not guarantee financial rewards for a hacker, unlike “bug bounty” programmes. These programmes are used by major tech companies, including Microsoft, Google, and Facebook, and offer recognition and payment to hackers who flag up security vulnerabilities.
Financial rewards are a major motivation for bug bounty hackers, although according to the report they rank the opportunity to learn new techniques, to be challenged, and the fun of it even higher.
According to the report, bug bounty programmes are a “great equaliser” because bounties are offered internationally, with hackers in India reportedly earning more than 16 times as much as they would as a software engineer in their home country.
Ethical hackers (also known as “white hat” hackers) use their skills to improve the safety of the internet by flagging up vulnerabilities before malicious hackers (“black hat” hackers) can exploit them. Ethical hacking is offered as a service for companies wanting to improve their cyber security, and taught as a course at some universities.