Meet the hackers who earn millions for saving the web, one bug at a time (cover story PDF)
These hackers are finding security bugs, and getting paid for it. That’s changing the dynamics of cybersecurity.
This download provides the magazine version of the article as a free PDF for registered TechRepublic and ZDNet members. The online version of this story is available here.
From the story:
The first time Katie Paxton-Fear found a bug, she thought it was just luck.
One of her friends had signed her up for an event in London, where hackers aim to find the vulnerabilities in a particular piece of software.
Without any experience of cybersecurity beyond being a programmer and developer, she found one bug, then another. “To be fair, I thought it was a fluke,” she says. But since then she’s found 30 more security bugs.
“It’s kind of like playing Sherlock Holmes,” says Paxton-Fear.
“You feel like a detective, going in rooting around and saying, ‘That looks interesting’, and having a stream of clues,” she says. “And, when you get all the pieces neatly together, and it works and there’s a bug there, it’s the most thrilling experience ever.”
But unlike a hacker looking for vulnerabilities to cause damage or steal data, Paxton-Fear is a bug bounty hunter. The bugs she finds are reported to the companies that write the code.
That allows these organisations to fix the problems before malicious hackers find the same weaknesses. And the bug hunters get paid for each one they find.
As such, she’s part of a growing industry that allows security researchers to hack into organisations’ software, with their permission, and then report the weaknesses they discover in return for a financial reward.
It’s a different way of approaching computer security, but one that is proving increasingly popular. One key feature is that these security researchers approach a target from the same perspective as a potential attacker.
In that sense, bug bounty hunters are both the detective Holmes and, at least in part, his nemesis, Moriarty, although Paxton-Fear says she sees herself more as Sherlock because, by finding the bugs and reporting them, she’s helping improve security.
“I’m doing the right thing,” she says.
Not that doing the right thing takes away the thrill: Paxton-Fear found herself shaking when she wrote up the report to detail her first bug.
Download the PDF to read the rest of the story.