Fear and hacking on the bug bounty trail
- 13 November, 2018 10:57
Every bar stool, sofa cushion and deceptively uncomfortable wicker recliner is taken at this trendy, polished concrete co-working space, situated on the thirteenth floor of a central Sydney tower block.
The majority of the men here – they are mostly men, but around a quarter are women – have a beard of some description, most have not yet reached 30 and nearly everyone is wearing a T-shirt, jeans and sneakers.
It could be a scene from almost any city start-up office on a Friday afternoon, except the workers here – each fully engrossed in work at their laptops – have been flown in from five continents, and will eat tonight at Sydney’s most expensive restaurants before wandering back to their beds at the five-star Westin hotel over the road.
For the next few days, the floor is home to Atlassian’s Bug Bash event, the company’s first, for which the 30-odd so-called white hat hackers have been assembled to do what they do best: Find bugs in code.
The company is giving them more than just an all-expenses-paid trip for their troubles. For Atlassian the success of the Bugcrowd hosted event is measured in part by how much bounty money they get to give away. By Sunday night, between them, the bug hunters will have secured $110,000 in prizes.
The money is important – for around a fifth of bug hunters, bounties are their primary source of income – but that’s not what drives most gathered here today. They do it for the sheer thrill.
“It’s tremendous,” says Andre Baptista, known in the security community as 0xACB. The Portuguese 24-year-old describes the reaction he gets when showing his work to developers is usually one of “holy shit – what did you do?”
“The feeling is really great. But you have to be careful. With great power comes great responsibility,” he says with a grin.
Hacking all over the world
Every month since March this year, Baptista and fellow hacker Jose Sousa have been flown to a new city to perform, with two other colleagues from the University of Porto where they all work.
“We’re like a band: ‘C’mon let’s go, let’s go perform in Sydney, let’s go perform here’,” says Baptista, wearing hacker standard issue black T-shirt and jeans.
“I’m loving it; it’s changed my life over the last year,” adds 28-year-old Sousa, otherwise known as JLLiS.
Their invitation to the Sydney event, like for all the hackers present, comes as a result of their impressive track record. The Porto four were headhunted by Bugcrowd following some significant finds with another bug bounty operator, HackerOne.
It’s not cheap to bring them all the way to Sydney in the hope of giving them cash bounties. But for Atlassian it makes good business sense.
“The goal for us is we want finding an issue in any one of our products to be really, really hard. And a way to think about if it’s hard is to have as many people looking as possible, to have the best people looking, and then to make it really lucrative,” says Atlassian chief information security officer Adrian Ludwig.
Atlassian has been offering public bug bounties since last year. The concept has been around for some time, but has taken off in recent years. Google, Microsoft, Facebook, Samsung, Uber, Apple and Tesla all offer money-for-bugs schemes.
Ludwig says Atlassian already does automated source code scanning and invites third parties in to do pen testing, on top of the work of its own security function. But together with the bug bounties and Bug Bash event “these are overlapping protections with the hope that we’ll find everything,” he says.
“It’s a significant expense but one that is worth spending,” adds Jason Haddix, vice president of researcher growth at Bugcrowd. “We’ve see the ROI outweigh the spend exponentially.”
There is also a relationship building and recruitment element to hosting the world’s best security researchers for the weekend. The hackers benefit from being able to collaborate more closely, and put faces to the handles.
“These relationships last more than one day. They last a lifetime,” Haddix adds.
Atlassian on Friday said it had already made a hire – a researcher from China – as a result of their work on the program.
The Portuguese pair’s talents developed early. Baptista began programming aged 10, building websites for fun.
“At high school I enjoyed doing tricks in class, like sending messages from one person to another, controlling the laptop of the professor, doing nasty stuff like opening and closing all the CD drives in the class,” he says.
Sousa excelled academically at IT as a kid, and also enjoyed a bit of mischief, getting around his school’s block on websites like hi5.
“That sparked something and ever since I’ve been interested in security,” he says.
Both pursued their interest at degree level, and now work in security at their university. Proving themselves at events like the Atlassian Bug Bash puts them closer to entering the top few per cent of white hat hackers.
“It’s the road to being elite. It’s a big journey. I’m getting closer and closer,” Baptista says.
That raises the option of doing bug finding full-time. HackerOne says around 12 per cent of its users earn US$20,000 or more a year, while around three per cent make more than US$100,000.
Maintaining the knowledge and skills to stay at the highest level, however, requires a lot of time and focus.
“If I don’t update myself every day I get pushed back,” Baptista says.
Potentially, all of those gathered at the event could make more money on the black market, selling their discoveries for nefarious purposes. But that comes with significant risks.
“That’s the thing, it’s not worth the risk being caught doing black hat. We’re making legal money,” Sousa, who often alerts websites he enjoys to any security holes anonymously and for free, says.
When they find a vulnerability, or gain access to something significant, for the hackers the feeling is a mixture of excitement and sheer terror.
Sousa describes it as: “I’m there, I’m there, oh shit!”
“The fear when you get in – now I have to be careful because I may access some stuff that I’m not supposed to. We have to be careful," he says.
Even in a bug bounty setting "it would be diverging from the scope and usually it doesn’t but it could have legal consequences,” he says.
‘The challenge’ and the buzz of the find is the top motivator for the majority – 44 per cent according to a Bugcrowd survey – of the hackers in Sydney this weekend.
As well as the money and perks, “they want to be among the security elite and get ahead of their peers,” Haddix says.
“I’ve found some massive, really critical ones and the feeling is – you’ve got the power but you’re not going to use it for bad. We have a lot of power,” Baptista adds.
Fortunately for us, they chose to use their powers for good.
“It’s not just about the money,” Sousa says, “it’s about keeping the internet safe for everyone.”