Ethical Hackers taking the bugs to the bank
These days, when an unexpected email turns up offering lots of cash, most people just assume it is a scam and delete it.
But Mark Litchfield opened such a message and it led him on a journey that, so far, has netted him about $1.5m (£1.15m), all of it legitimate.
The email was from one-time web giant Yahoo, now owned by Verizon Media, and offered Mr. Litchfield many thousands of dollars as a reward for finding a bug in its website code.
The email was a surprise because he had pretty much forgotten about finding the bug.
“That’s when I realized that there was money to be made in this.”
Yahoo, like a growing number of large companies, pays up when people find mistakes in its web code that could be exploited by malicious hackers.
Those ethical hackers sign up with companies such as HackerOne, Bugcrowd, Synack and others who run the bug bounty programs on behalf of companies.
And, according to Mr. Litchfield, anyone can do it.
“I can’t code – at all,” he said. “Yet I’ve managed to be very confident, so literally anyone can do this.”
Mr. Litchfield may not code, but he has other technical skills. He turned to bug hunting after some years of working in the security industry, where he became an expert on the protocols that govern how computers swap data.
Catching the bug
The gap between the experts and the beginners could seem too vast to cross, he said.
“I was one of the people that lucked out and learned in the industry,” he said.
“You need to find a way for someone who does not know they love it to connect with it,” he said.
Many governments, including the UK’s, have set up educational schemes that try to give schoolchildren a taste of cyber-security to see if they like it.
Mr. Lyne helped create the UK’s scheme, Cyber Discovery, which in its first year had more than 25,000 schoolchildren take part.
“These are a teaching tool and a sorting hat,” said Mr. Lyne.
The Cyber Discovery program “gamifies” the day-to-day work of the pros.
It turns finding security loopholes, tracking hackers, analyzing documents for clues and other basic skills into engaging games.
Participants get points when they complete a section.
Bug bounties, said Mr. Lyne, were one more way that keen amateurs could take their first steps into a cyber-career.
“It’s an easier in to the industry and a way to prove your skills,” he said.
Ian Glover, head of the Crest organization, which certifies the skills of ethical security testers in the UK, is a supporter of bug bounties.
But anyone taking part in a bug bounty hunt should realize that the job of a cyber-security worker demanded far more in terms of skill and expertise, Mr. Glover said.
And companies should have a whole host of other well-administered defenses in place long before they think about letting bounty hunters have a sniff.