27 September 2023

Uber security: How do-gooder hackers might find bugs have bites


Martin Giles says freelance cyber sleuths can help companies find flaws in their code, but the bug hunters could fall foul of anti-hacking laws.

They are the Ubers of the digital security world.

Instead of matching independent drivers with passengers, companies like Bugcrowd and HackerOne connect people who like to spend time searching for flaws in software with companies willing to pay them for bugs they find.

This cybersecurity gig economy has expanded to hundreds of thousands of hackers, many of whom have had some experience in the IT security industry.

Some still have jobs and hunt bugs in their spare time, while others make a living from freelancing.

They are playing an essential role in helping to make code more secure at a time when attacks are rapidly increasing.

The best freelance bug spotters can make significant sums of money.

HackerOne, which has more than 200,000 registered users, says about 12 per cent of the people using its service pocket $20,000 or more a year.

Around three per cent make more than $100,000.

The hackers using these platforms hail mostly from the United States and Europe, but also from poorer countries.

More and more large companies like GM, Microsoft, and Starbucks are now running ‘bug bounty’ programs that offer monetary rewards to those who report bugs in their software.

Platforms like Bugcrowd can help by alerting the hacking community to programs being launched and handling things like payments.

Richard Rushing, Chief Information Security Officer for Motorola Mobility, says he really likes crowdsourcing bug searches because it means lots of eyes are constantly scrutinising code.

Independent cyber sleuthing is a realistic career path, if you can live cheaply.

Moreover, at a time when experts are forecasting that 3.5 million cybersecurity jobs worldwide will be vacant by 2021, freelancers can ease some of the strain on internal teams.

Still, the platforms face a couple of big challenges.

One is to keep expanding the pool of talented bug hunters.

Another is to establish greater legal clarity about what tools and techniques ethical hackers can safely use.

Popular techniques such as injection attacks, which involve feeding crafted input into a software application so that it changes the way the program executes, could lead to prosecution under anti-hacking laws.

There have already been cases where security researchers and reporters have faced possible legal action for unearthing and reporting vulnerabilities in companies’ code.

It would take only a couple of high-profile lawsuits to have a chilling effect on the industry.

To address the talent challenge, the crowdsourcing platforms are publishing far more content to help hackers upgrade their skills and to attract more people to gig work.

Bugcrowd just unveiled Bugcrowd University, which offers free webinars and written guides.

The platform is also working with experienced ethical hackers to help it spot and train promising freelancers.

The best recruits are curious, tenacious, and willing to adapt fast.

Bugcrowd’s talent spotter, Phillip Wylie, says the technology is evolving so quickly that it’s often hard to catch up with it.

HackerOne is also publishing more training material and coaches independent bug hunters in soft skills like how to communicate more effectively with corporate IT departments.

On the legal front, the platforms are pushing for more ‘safe harbour’ language to be inserted in contracts governing bug bounties.

The aim is to get companies to be clear that if hackers follow the rules of engagement within reason, they won’t wind up being taken to court.

Casey Ellis, chair of Bugcrowd, says some countries, like the United Kingdom and Germany, also have strict anti-hacking laws that could be used to stymie ethical hacking.

Such laws are needed to prevent hackers of all kinds from causing havoc.

The challenge ahead is to strike a sensible balance between protecting ethical hackers and shielding companies from rogue ones out to cause harm.

Getting this right won’t be easy, but given the dire talent shortage in the cybersecurity world, it’s an issue that we urgently need to address.

*Martin Giles is the San Francisco Bureau Chief of MIT Technology Review, where he covers the future of computing and the companies in Silicon Valley that are shaping it.

This article was first published at www.technologyreview.com.
