Make bug bounties great again

Special Projects Threats

Since joining Kaspersky Lab nearly two years ago, I have always seen David Jacoby as one of our company’s more outgoing and jovial researchers. In addition to creating security memes for Halloween, he also helped put a human face to the company’s GReAT team and even let a film crew look at his crib (MTV style).

On top of those things to make you say, “Gee, David seems like a super cool guy,” Jacoby may have one-upped himself at this year’s Security Analyst Summit (The SAS). It all started with the following statement to kick off his day 2 session:

“We have so much money in this industry … we have so much money, but we do so little. When was the last time you did something good?”

From there, he hopped into the story of a weekend project with Frans Rosén (Detectify) where the they would hunt bugs for charity. The initial goal that the duo set was $11,000. Although they fell short of their goal, they found out something more interesting.

“It was actually quite cool, we’d contact companies that would never ever participate in a bug bounty program — they’d say they didn’t have the budget,” Jacoby said. “But I wound up talking to company’s marketing departments — which did have money and wanted to help charities.”

From those conversations arose the idea of pro bono penetration (pen) testing in a 24-hour window by Jacoby, Rosén, and three other researchers. In lieu of payment, the researchers requested a donation to a charity of the company’s choice.

“Everyone we called wanted to do this. It was amazing,” Rosén said.

For Bahnof, a Swedish ISP, the idea really resonated. Jacoby noted that they now donate money to charity in exchange for pen tests on a monthly basis.

“It’s proof that people want this,” Jacoby said.

Hunting bugs for humanity

This talk on an altruistic bug bounty program stuck with our team as well, and we decided to reach out and talk some more with Jacoby on this.

Kaspersky Daily: Do you think a charitable component would have more white hats doing social good?

David Jacoby: To be honest, I don’t think it will change people’s mindsets about participating in, for example, bug bounties. I do think that it might open up other kinds of partnerships between vendors and charities or security companies, and this might in the long run involve more people.

Also, doing social good should be a fundamental thing in our life. We only have one life, why not make is as good for everyone as we can?

Kaspersky Daily: In your talk, you noted: We even had one company that wanted to use the money and give it to children to attend security conferences. Do you think that having a program to encourage security in youth that you could encourage more white hats and better security in, say, the Internet of Things?

David Jacoby: My view of the IoT is very negative, because most IoT devices are created by companies who are not in the IT industry — they can be in the home appliance or entertainment industry — so I don’t think it will make any difference.

When I think about security conferences, I get this weird feeling — we are teaching people who are already in the IT industry fun things, and we charge a ridiculous amount for each ticket. If we really want to make a difference, we should invite, for example, students who will soon be our colleagues. Why should we teach the people who already know IT? It doesn’t really make any sense.

Kaspersky Daily: Do you think adding a charity component to a bug bounty program for lesser bugs could increase people participating in the overall programs?

David Jacoby: I hope it would. I want to change the world — or at least try. My vision is to add charity programs to more or less anything. I’ll give you an example: In Sweden you have recycling machines for empty soda cans, etc. Those machines have two buttons, one called Donate, and another one allows you to get cash.

If I want to donate the money, I should. The same goes for anything. We should be creative and come up with more of these ideas!

Speaking of bug bounty programs, Kaspersky Lab recently expanded the company’s bug bounty program with Hacker One to include more products, and increased some of the bounties.