SAN FRANCISCO — It’s the type of hack cell phone companies fear most. A text message carrying a video or photo attachment arrives, and the phone processes the attachment automatically, far faster than the human eye can glance down and start reading, so the attacker’s code is already running before the message is ever opened. Yet from April 6, when security researcher Joshua Drake told Google about the bug that could affect over 95% of Android phones currently on the market, to Sept. 16, when Google’s Project Zero finally posted its own report expanding on the bugs reported to it, Drake was fighting for recognition of his efforts.
“It’s the feeling of getting scooped,” said Drake, who works as a researcher with the mobile security company Zimperium and is known among hackers as the co-author of the Android Hacker's Handbook. “It feels like the Project Zero guys rushed to publish something because of my research. I mean, what does that say for Google to publish a vulnerability about their own product building on research done by the Android hacker guy?”
It didn’t help that Google, which runs one of the highest-profile bug bounty programs in the industry and whose own Project Zero team is among the best-known vulnerability research groups, initially offered Drake $1,000 for his bug.
On Twitter, Drake joked about buying Chicken McNugget dinners with his reward money, following the six months he spent researching the bug and offering Google patches to fix it.
“That is absurd and nonsensical. Good on you for doing the right thing but something of this nature deserves greater compensation,” tweeted Greg Carson, a Brazil-based hacker. Others were less kind, tweeting “you got ripped off” and that this was “why responsible disclosure sucks balls.”
A bug like the one found by Drake could take months, even years, to research. On the black market it could be worth millions of dollars to nation states or cybercriminals, both of which are constantly looking for exploits that give them easy access to cell phones and computers. Meanwhile, the white, or legal, market for bugs is still in its infancy. New companies like Bugcrowd and HackerOne, which connect hackers with corporations looking to have their systems tested, are growing. But hackers point to prizes like a free T-shirt or a $100 check as more insult than reward considering the hundreds of hours of work they put in, and many say the corporate world still views hackers as more foes than friends.
“I’ve had people like Charlie [Miller] tell me I could have gotten over a million dollars if I had sold my bug to a government instead of reporting it to Google,” said Drake. Charlie Miller, the hacker who recently made headlines as part of a team that remotely hacked into a Jeep, revealed earlier this month that he had taken a high-paying job with Uber’s self-driving cars division. Miller also controversially admitted that earlier in his career he sold exploits to the U.S. government. Such exploits, often called zero-days, target vulnerabilities the vendor does not yet know about and has not patched, so whoever holds one can use it against every device that is still exposed. If, for instance, Drake had chosen to sell the vulnerability he discovered on Android phones to the U.S. or Chinese governments rather than report it to Google, millions of Android phone users could have unknowingly been tapped.
“Maybe that is how you get ahead, and I’m not trying to criticize Miller for selling to the American government,” said Drake. “But if you are selling someone a loaded gun, ethically, you have to ask yourself if you really want to do that. I don’t think I would feel right about selling a loaded gun and then claiming I didn’t know what was going to happen with it.”
For as long as hackers have been hacking, there has been a discussion over how and when to disclose what they discover. Since May 1998, when the L0pht hacking collective famously told a panel of senators it could shut down the internet in 30 minutes, hackers have been warning private and public industry that their systems are at risk. Hackers say that through much of the '90s and early 2000s their attempts to inform companies about the bugs they found were met with dismissal or lawsuits. But as breaches of major corporations went from occasional headline to daily occurrence, boardrooms were faced with the knowledge that the technology they had built their companies upon was not secure. The bugs and vulnerabilities hackers had once traded among themselves suddenly became a possible commodity, and hackers were faced with the option of selling some of those vulnerabilities on the black market for millions or trying to forge a way forward in a corporate world that had previously rejected them.
For some hackers, the key moment in their struggle for acknowledgment came earlier this year when, at Def Con, widely regarded as the world’s largest hacker conference, a company CTO got onstage.
At the end of a nearly hour-long demonstration on how hackers could remotely unlock the doors of Tesla’s Model S, start the vehicle, and drive away, Kevin Mahaffey and Marc Rogers, who hacked the car, got a standing ovation as they invited Tesla CTO J.B. Straubel to the stage.
Afterwards a queue formed of young hackers eager to learn more about a new program Straubel announced to reward hackers who found vulnerabilities in the company’s new car models. But near the back of the room, Daniel White ducked his head and muttered an expletive. At the ripe age of 38, White considered himself an old-school hacker. The sight of a CTO onstage at Def Con was something he thought he’d “never see this lifetime,” he told BuzzFeed News.
“I’ve had my face pressed up against a computer for more than half my life," said White. "When I got started there were none of these rewards for finding exploits. We were doing it because it was fun. Now it’s a business. I see these guys and this CTO onstage and I want to know, who is working for who?”
Chris Rock, an Australia-based hacker who presented at Def Con just two hours after the Tesla talk, was also conflicted about how to disclose the vulnerability he had discovered. Only in his case, it was a vulnerability that could leave thousands declared dead.
Rock’s “I will kill you” presentation offered step-by-step instructions on how to abuse holes in the system used by most states to notify authorities about a deceased person. At one point in the presentation, he pointed out that should he want to, he could declare multiple people dead at once.
Rock had given a similar talk before in Australia, yet authorities there had still not fixed the gaps in the system he had discovered.
“What I discovered and went through in my talk was specific to Australia, but it’s a global model,” Rock told BuzzFeed News. "Most countries follow the same model, so you could really declare someone dead anywhere." He said he was hoping that by presenting in a high-profile conference such as Def Con, he could spur state authorities to act faster to fix the security gaps. “I spent a year of my life researching this," he said. "And I don’t even want to be paid. I’d like them to acknowledge and fix it. The acknowledgment part is really enough for most of us.”
Rock said he worked on the project for fun, and that part of what drove him was imagining how the flaws in the system would allow hackers to create virtual people. “I imagined how this was going to affect my kids when they got older,” he said, “and there were virtual people out there messing with the system, committing crimes.”
If he wanted to, he said, he could have sold what he discovered on the black market to cybercriminals looking to defraud social security services and create new identities. But Rock, who makes a living as a penetration tester, paid by companies to probe their systems the way an attacker like himself would, said he cared more about doing the right thing. He was sure, he added, that some cybercriminals had independently figured out the same process he was using and were taking advantage of the holes in the system.
White, who calls himself an “independent hacker” and is currently searching for work, said that for many hackers, the decision to sell their exploits on the black market (or through what is known as the Dark Web) is not taken lightly.
“If you already have a job and make a living then you do the right thing," he said. "But if you are struggling, and you’ve just spent a year of your life figuring this shit out, I mean, would you not take $50,000 for it?”
In the heart of San Francisco’s SOMA district, arguably one of the most expensive neighborhoods in the United States, sits the office of HackerOne. Amid the startups and high-tech firms jostling for space in this tiny corridor of the city, HackerOne is a new breed of company offering an innovative approach to keeping its clients secure — by hiring hackers to try to infiltrate their businesses and then report back on what they find.
“I think the idea that the friendly hacker out there could help you rather than be malicious is something people have only begun to appreciate recently,” said Michiel Prins, co-founder of HackerOne.
HackerOne already counts Yahoo, Square, and Twitter among its clients. When a firm enlists the services of HackerOne, it can choose whether or not the hackers make their findings public.
In a video HackerOne uses to introduce new clients to the service, hackers are shown as part of a company’s defenses rather than a potential threat.
These initiatives, known as bug bounty programs, are not new to tech companies. Facebook has been running one since 2011, and has hired many of its top security professionals from among the hackers who reported the most bugs.
Reginaldo Silva, who worked as a software engineer in Brazil, heard about Facebook’s bug bounty program in 2012. Today, he helps manage it.
"Bug bounty programs gave me a way to balance my day job with my passion for security,” Silva said. “As I discovered more and more bugs, the security community and recruiters started to pay attention.”
Other companies, like GitHub, have even turned their bug bounty programs into a game, offering a leaderboard and badges for hackers who report the most interesting vulnerabilities to the company.
Shawn Davenport, GitHub’s vice president of security, gave BuzzFeed News a run-through of a recent hacking case at its San Francisco office, which is modelled to look like the situation room of the White House.
“From the day of the bug being reported to us fixing it and the hacker who found it getting paid was three days,” said Davenport. "That’s a great turnaround for us, and for them."
Both GitHub and HackerOne say that while some of the best hackers who work on their programs can make a nice living through reporting bugs, more needs to be done to make sure hackers work through company programs rather than selling their exploits elsewhere.
“There is always more to do to expand this, but we are really happy with the way the program has grown organically,” said Davenport. "People report bugs and get rewards and then they invite their friends to do it too."
Shashank Kumar is a 19-year-old engineering student at the Vellore Institute of Technology in Vellore, Tamil Nadu, India. Kumar, who managed to pay for his entire college degree from the bug bounty programs he worked on while in high school, is busy these days convincing his fellow students to do the same.
“I used to do it just, you know, for fun,” said Kumar, speaking with BuzzFeed News by phone. "Finding bugs in websites was fun." He said he first heard about hacking through friends who told him that there were procedures by which you could get someone else’s password. “I started googling, and as I googled, I found out about bugs and exploits and hacking.”
His parents, he said, were worried, especially when his grades started slipping as he spent more and more time on bug bounty programs.
“I got my first payment from PayPal," said Kumar. "Since then I have found bugs with Google, Cisco, and Nokia. The payment I got from them was so nice, I was able to finance my entire engineering study through it."
Both HackerOne and GitHub tell similar stories of teens in other countries using the payment from bug bounty programs to fund their education, buy a car, or in some cases, even buy their first house.
“I think that for some it is the rewards but for others, I would say for most, it is the acknowledgment that their contribution had some sort of impact,” said Alex Rice, CTO of HackerOne. “If you look back at the history of hacking, in the last 20 years there was a lot of personal risk that came with doing this kind of work, with finding vulnerabilities at big companies. You didn’t know if you would be warmly received, ignored, or slapped with a lawsuit.”
Rice reflected on how things were for him and his group of friends 10–15 years ago when they discovered a bug in a system.
“There was no avenue to report this stuff, let alone get rewarded for reporting it,” said Rice, who said many hackers would operate with a full disclosure policy in the hopes that at least some companies would see the problems and patch the holes in their systems. “We made everything public at the same time, so that criminals and good guys alike were seeing it. Then hackers got a bad name because the criminals were often faster to act on this stuff than the good guys… The whole process didn’t work.”
Many hackers today still hold that once a vulnerability is discovered, it should eventually be made public; the live question is how soon. At Def Con, discussion of ethical disclosure focused on how many weeks or months a company should be given to patch its systems before hackers went public with what they found.
“In the olden days if you had a vulnerability you could trade it with your buddies for their vulnerability," said Jeff Moss, the founder of Def Con and its sister conference Black Hat. "But there was no monetary value. As the internet grew and e-commerce grew, there was suddenly a real value on one you were finding.” In Las Vegas each year, Moss's presence has a near-celebrity status among the over 10,000 hackers who gather there and who know Moss by his moniker, the Dark Tangent.
He sees discussion about ethical disclosure and the rise of bug bounty programs in recent years as positive steps, but thinks there is still a long way to go.
“If you are only looking at the number [of] hours you put into it vs. reward you get, I don’t think it will ever take off,” Moss said. “It’s the rest of it — the public recognition, the résumé-building, the acknowledgment from your peers — that makes hackers want to take part in this and report what they find responsibly.”
Moss said bug bounty programs were offering up ever-larger rewards but that hackers had to question who they were working for. On Monday, the exploit broker Zerodium announced that it was offering a $1 million reward for hackers who deliver a working remote jailbreak of Apple’s newest iOS. The company, which buys security vulnerabilities in software and platforms from researchers and sells them to the highest bidder, often a nation state, did not answer requests for comment on who it was selling the Apple bugs to.
“So you know China will pay one million for an iOS bug, and so will others,” Moss said. “And you have to ask yourself, [do I] give away practically for free to a bug bounty program or do I get a million bucks?”
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F