Companies are paying “bug bounties” to hackers who find — and disclose — flaws in their software.

Share story

In the lingo of computer hacking, “black hat” hackers are the creeps. They steal your credit card data, hack into your email account, and take over your home router for malicious mayhem. Think Bonnie and Clyde.

Companies hate “black hat” hackers, worried that they will penetrate corporate servers and steal proprietary secrets or create turmoil.

But the global hacker community is big, and some companies are finding ways to appeal to hackers displaying certain qualities — curiosity, a tendency to want to break things apart, and a natural trespassing instinct — but without blatant outlaw practices.

Called “white hat” hackers, they are being drawn to programs that invite hackers to search for, and disclose, flaws in software, helping corporations patch network vulnerabilities and fend off hostile digital intruders.

The programs to lure the hackers are called “bug bounties,” and they are going mainstream. Big companies that pay hackers to find flaws in their software include everyday names like Apple, Instagram, Facebook, Google, United Airlines, Uber and Western Union. A handful of startups, like HackerOne, BugCrowd and Synack, provide contracts or on-demand platforms for companies or government entities that want skilled hackers to test their networks for vulnerabilities in a secure fashion.

Such programs bridge the long, jagged chasm between corporations and the global hacker community, and are finding some common ground.

Hardened “black hat” hackers aren’t attracted by such programs, and may never be, said hackers who take part in bug bounty programs.

“Ask yourself the question: Will there still be robbers even if you offer them jobs as lock pickers?” said a 28-year-old Dutch hacker who goes by the name Hackdwerg, or “hack dwarf” in Dutch.

Speaking via Skype, the Dutch hacker said he’s found more than 260 vulnerabilities or holes in servers and programs and collected numerous bounties.

Hackdwerg, whose contacts were provided by a Europe-based cybersecurity expert, declined to identify himself further, but his thinking illuminates a bit about the world of underground hackers.

“I’m one of the white hat hackers who’s been a black hat hacker,” he said. Asked what illegal hacking he had done, the Dutchman said, “I do not want to answer that question.”

For corporations looking to improve digital security, the idea of flinging network gates open to hackers, some of whom won’t even identify themselves, can be nerve-jangling.

“When you talk to customers, ‘hackers’ can sometimes be a little bit scary,” acknowledged Jay Kaplan, chief executive of Synack, a Redwood City, Calif., company that crowdsources vulnerability for clients. Instead of the term “hackers,” Synack refers to its penetration testers as white hat security researchers.

“It’s kind of a risk for companies in that you’re paying people to find flaws in your system,” said Katrina Timlin, who works in the strategic technologies program of the Center for Strategic and International Studies, a Washington think tank. “If you don’t pay them enough, there’s the fear they could go rogue.”

Even if they don’t prove to be scoundrels, she said, a concern is that they may have “contacts on hacker forums who might not be on the right side of the law.”

Jobert Abma is a co-founder of HackerOne, a bug bounty marketplace that brings together experienced hackers and companies willing to pay them to look for vulnerabilities. He said one of the only ways to become a skilled hacker is to break into computer systems.

“A lot of the people who are currently in (computer) security have done things that they shouldn’t have done, legal-wise, but never with the wrong intention,” Abma said. When they find flaws in computer systems, “they don’t sell it on the black market,” he added.

HackerOne, which started in 2012 in San Francisco, now has a stable of 3,500 white hat hackers, each of whom has found at least one bug, Abma said. The company says its hackers, who come from 70 different countries, with India in the top spot ahead of the United States, have fixed more than 35,200 bugs.

A few are superstars, such as Mark Litchfield, who is based in Las Vegas.

“He’s the best paid. He recently hit a half-million (dollars) and he made that half-million in about two and a half years,” Abma said.

Another hacker who has seen his life transformed is Manish Bhattacharya, from a “very humble background” in the state of Bihar in India. He discovered his first vulnerability in 2012, winning recognition from Microsoft. He’s been on a roll ever since.

Now, he wrote in an email, he is “making more than average MBAs from top B (business) schools in India. Initially ‘no money’ was the issue, now taxes are the pain. My father often complains, ‘you pay double (just in) taxes (of) my yearly income.’”

He recalled how he got his first payout — a mere $100 — but how it changed his life: “That month, my pocket money was 6,000 Indian rupees instead of 150 rupees.”

Some white hat hackers in the West, who have unrelated daytime jobs, say public recognition of their computer savvy is a greater motivation than receiving bug bounties.

“It’s more about the internet fame than the money,” said Hackdwerg, who added that finding a crucial flaw can involve tedious work but bring deep satisfaction. “It feels euphoric.”

Kaplan, who co-founded Synack with a fellow cyber offensive specialist at the National Security Agency, said Synack uses hackers stringently vetted for both skills and trustworthiness from all over the world. He said the global perspective is critical to clients.

“Hackers in different countries absolutely employ different tools. They are trained differently. They have different methodologies, tradecraft,” Kaplan said. For companies and institutions to strengthen security, he added, they must use security experts who are “closely analogous to the same people attacking them on a daily basis.”

Apple launched its invitation-only bug bounty program in September, and opened it to only a handful of researchers. Other industries and sectors, like banking, energy, health care, big retail and pharmaceuticals, often don’t have bug bounty programs, or keep them low key.

“They don’t see a way to control these folks,” Kaplan said.

That’s where Synack’s business model comes in. While HackerOne offers a marketplace with a greater number of hackers, and has attracted clients like General Motors and Uber, Synack uses smaller teams of vetted hackers who operate for clients only through a proprietary platform that allows the company to audit all that they do. Client lists are kept confidential.

The Pentagon sees benefits in harnessing hackers through both companies, granting them $3 million and $4 million contracts, respectively, in October to test Pentagon systems.

It marked an extension of a Hack the Pentagon program last April, which ran for 24 days, resolved 138 vulnerabilities and paid average bounties of $588.

When the program launched, the first submission came in 13 minutes.