
Ethical hacking: how to make money, not problems with the law



Hunting for vulnerabilities resembles a lottery in which you can either win a tidy sum or lose everything, including your freedom. And it is not a matter of luck but of a clear understanding of where the boundaries of ethical hacking lie. We decided to spell out, in plain terms, how to look for bugs in other people's systems legally.

Bug hunter in a million


Ethical hacking is a legitimate form of hacking: finding flaws in systems you do not own and bringing them to the attention of the developers. This is what white-hat hackers do. They are opposed by black-hat hackers, criminals who use the same knowledge with malicious intent. Where the former look for vulnerabilities so that the hole can be patched, the latter look for them in order to break in and compromise the system.

The most widespread form of ethical hacking is the bug bounty program. Such programs are more than twenty years old. They let a company detect and fix bugs in its products before attackers learn about them.

Usually it works like this: the company announces a competition for finding vulnerabilities in its systems and the amount of the reward. After that, the company's information infrastructure (a device, a program, an application) is probed from every side by numerous specialists (pentesters). In some cases a corporation launches a private program instead: the organizer chooses the potential participants itself and sends them invitations and the terms of participation.

Two large platforms help vulnerability researchers and companies that want their services tested find each other: HackerOne and Bugcrowd. In effect they aggregate the programs of IT companies, and registered participants can pick whatever interests them. Both platforms now bring together thousands of information security specialists from different countries. Even government agencies use such services: the Pentagon, for example, chose HackerOne to launch its Hack the Pentagon program.

There is a lot of money in bug bounty contests. Last year HackerOne published its Hacker-Powered Security report, from which it follows that in 2017 the average reward for a found bug was more than $1,900. Over the past four years white-hat hackers were paid more than $17 million for the 50 thousand bugs they found.

The bug bounty model itself is owed to Netscape Communications Corporation. Its Netscape Bugs Bounty program, launched in the mid-90s, made it possible to search for flaws in the Netscape Navigator browser for a fee. The company was among the first to realize that only thousands of outside IT specialists, able to find weak spots for money, can outperform its own developers. The idea was such a success that its model was very soon adopted by the well-known IT corporations.

Russia does not stand aside either. Not only large companies (Yandex, Mail.ru, Kaspersky Lab) but also the state turn to white-hat hackers for help. This year a centralized program for finding vulnerabilities in government IT systems and in vendors' products is to be launched in our country; by the end of 2020 it is planned to spend 800 million rubles on it. This is a telling initiative: around the world, ethical hacking has long been both more popular and more profitable than crime. Unlike unauthorized hacking, which carries a real prison sentence, bug bounty programs let you earn good and, most importantly, honest money.

When hacking can land you in court


Finding vulnerabilities is not simply a game where you pick a target you like, choose a tool as your weapon, find a bug and collect the prize. It is a whole procedure with its own rulebook. One step to the side, and it is "long live our court, the most humane court in the world." What is the catch?

If a company has no bug bounty program, it is better not to tempt fate. An 18-year-old hacker found that out the hard way when he was arrested for finding a vulnerability on the website of the Hungarian transport company Budapesti Közlekedési Központ (BKK). Using the browser's developer tools, the researcher changed a few values in the page and thereby tricked the system into "lowering" the ticket price from $35 to 20 cents. The young hacker did not exploit the vulnerability and honestly reported the bug to the company. Instead of gratitude, the company filed a complaint with the police.
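The BKK story is an instance of a broader web-application bug class: the server trusts a price that the browser sends back. The following is an added illustration (not BKK's code and not from the original article); the checkout functions, the catalogue and the form values are all hypothetical and constructed here to show the vulnerable pattern next to the hardened one.

```python
"""Added example: a price trusted from the client versus a price looked up server-side.
Hypothetical checkout logic; the catalogue and form values are constructed for the demo."""
from decimal import Decimal

# Constructed server-side catalogue: the only legitimate source of prices.
CATALOGUE = {
    "single_ticket": Decimal("35.00"),
    "day_pass": Decimal("49.00"),
}
MAX_QTY = 10


class OrderError(ValueError):
    """Raised when the submitted order cannot be honoured."""


def checkout_insecure(form):
    """Vulnerable: the total is computed from a 'price' field that the browser submits.
    Editing that hidden field in DevTools (e.g. 35.00 -> 0.20) changes what is charged."""
    qty = int(form["qty"])
    price = Decimal(form["price"])          # attacker-controlled
    return price * qty


def checkout_secure(form):
    """Hardened: the client may only choose a product id and a quantity.
    The price is resolved server-side; a client-supplied price is ignored but flagged.
    Returns (total, tampered)."""
    product = form.get("product")
    if product not in CATALOGUE:
        raise OrderError("unknown product")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise OrderError("quantity is not an integer")
    if not 1 <= qty <= MAX_QTY:
        raise OrderError("quantity out of range")

    unit_price = CATALOGUE[product]
    total = unit_price * qty

    # A 'price' field that disagrees with the catalogue is a tamper signal worth logging;
    # it must never influence the amount charged.
    tampered = "price" in form and Decimal(form["price"]) != unit_price
    return total, tampered


if __name__ == "__main__":
    # Constructed request as a DevTools-edited browser would send it.
    edited = {"product": "single_ticket", "qty": "1", "price": "0.20"}
    print("insecure charges:", checkout_insecure(edited))   # 0.20
    print("secure charges:  ", checkout_secure(edited))     # (35.00, True)
```

The design point is that the server holds the catalogue and recomputes the total from it on every request; anything the client sends about money is at most a signal for fraud detection, never an input to the arithmetic.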

The conclusion from this case is simple: take part only in official bug bounty competitions, where every procedure is clearly regulated. Otherwise, wait for the knock on the door. The principle of "I'll quietly hack in, just take a look out of curiosity, and then ask to be paid for my work" does not work. There is even a term for this: Gray Hat.

Curiously, conflicts arise even with companies that run their own bounty programs. Recall the case of Synack security researcher Wesley Weinberg, who found three vulnerabilities in the Instagram infrastructure that together gave him access to almost all of the application's confidential data. For the first bug he received a $2.5 thousand prize; for the second and third he had to sweat. Facebook representatives told the researcher that he had violated the rules of the bug bounty program. An official statement from the social network stressed that Weinberg had no right to extract user and system data, and his actions were called highly unethical. What protected him from unpleasant consequences was media attention.

Conclusion: pay close attention to the list of vulnerabilities and assets that the bug bounty actually covers, follow the responsible disclosure policy, and do not try to gain access to personal data. Proving that a bug exists is enough; pulling real user data to demonstrate impact is what turns a valid report into a policy violation.

The Criminal Code warns


Russian hackers should remember that the Criminal Code of the Russian Federation is harsh toward any attempt to break into someone else's infrastructure. Punishment can come under three articles at once (Art. 272, 273, 274), which threaten not only fines but real prison terms for unauthorized access to computer information, for distributing malware, and for violating the rules for storing, processing and transmitting information.

So far Russian legislation contains no clear definition of which actions against network resources are criminal. The boundary of ethical hacking is therefore very blurred, and this uncertainty creates a situation in which any dubious behaviour attracts the attention of the security services.

Even if your goal is only to practise and train your skills, do not thoughtlessly engage in active reconnaissance against systems you have no permission to test: brute-forcing site directories, manipulating requests through a proxy (Burp), scanning ports, running vulnerability scanners. Every one of these generates traffic in the target's logs and looks no different from the first stage of a real attack.

Legal hacking: without trial


Now for the legal side of the question. To get money and fame from a bug bounty, read carefully the rules of the competition that the company runs. Russian programs may impose additional requirements on participants, for example "Russian citizens only" or "tax residents of the country only". Important: the competition itself must be aimed at socially useful goals. If that condition is not met, the event turns from a competition into criminal activity.

The official documentation of a bug bounty program should also state the requirements for participants, the dates, and information about the products under test. The organizer must specify how information about discovered vulnerabilities is to be transmitted and the procedure for its public disclosure, the criteria for rating vulnerabilities and, of course, the details of the reward. That last part is the most pleasant.

Who earns how much? Russian bug hunter Ivan Grigorov said in an interview that "judging by some reviews of top hunters, 25 thousand dollars a month is no problem for them". Another example is bug hunter Mark Litchfield, who described how he earned more than $47,000 in a month of vulnerability hunting.

There are also one-off, especially large payouts. Last year Microsoft announced the launch of a bug bounty program for Windows with a maximum reward of $250,000. The money was promised for vulnerabilities in the Hyper-V hypervisor and kernel that allow remote code execution. A little earlier, Facebook paid Russian information security researcher Andrei Leonov $40,000 for a single critical vulnerability.

Google has paid out more than $6 million to researchers in a single year, and Facebook, over the five years of its bug bounty's existence, has paid $5 million to honest hackers.



The numbers above confirm that bug bounties have become a good supplement to a job, or even the main source of income, for pentesters. To participate successfully in such programs you need to know the methods for finding and exploiting vulnerabilities, above all in web applications, and to comply with ethical norms and the rules the company has set.

In any case, getting trained and becoming a white-hat hacker is far safer and more profitable than going into crime. The need for ethical hackers keeps growing, and given the avalanche-like growth of new IT areas (blockchain, big data, IoT) that need will only increase.

Source: https://habr.com/ru/post/353220/
