These hackers are finding security bugs–and getting paid for it. That’s changing the dynamics of cybersecurity.
The first time Katie Paxton-Fear found a bug, she thought it was just luck.
One of her friends had signed her up for an event in London, where hackers aim to find the vulnerabilities in a particular piece of software.
Without any experience of cybersecurity beyond being a programmer and developer, she found one bug, then another. “To be fair, I thought it was a fluke,” she says. But since then she’s found 30 more security bugs.
“It’s kind of like playing Sherlock Holmes,” says Paxton-Fear.
“You feel like a detective, going in rooting around and saying, ‘That looks interesting’, and having a stream of clues,” she says. “And, when you get all the pieces neatly together, and it works and there’s a bug there–it’s the most thrilling experience ever.”
But unlike a hacker looking for vulnerabilities to cause damage or steal data, Paxton-Fear is a bug bounty hunter. The bugs she finds are reported to the companies that write the code.
That allows these organisations to fix the problems before malicious hackers find the same weaknesses. And the bug hunters get paid for each one they find.
As such she’s part of a growing industry that allows security researchers to hack into organisations’ software–with their permission–and then report the weaknesses they discover in return for a financial reward.
It’s a different way of approaching computer security, but one that is proving increasingly popular. One key feature is that these security researchers approach a target from the same perspective as a potential attacker.
In that sense, bug bounty hunters are both the detective Holmes and also at least in part his nemesis, Moriarty, although Paxton-Fear says she sees herself more as Sherlock because by finding…