Friday, 15 November 2013

Point out ‘zero-days’ to Microsoft or Facebook and collect your bounty

Zero-days, by definition, are previously unknown vulnerabilities in applications, online platforms or computer systems. The name comes from the simple fact that when an attack exploiting an unknown vulnerability occurs, the developers have had zero days to take preventive action.

Companies like Microsoft, Google, Yahoo! or Facebook run regular “bounty hunts” to encourage (ethical) hackers to track down bugs and point out potential vulnerabilities in exchange for a cash prize. For firms like Facebook it is absolutely essential to obtain knowledge and details of potential weaknesses before they hit the black market and fall into the hands of cyber-criminals. Bounties are therefore growing larger, attracting greater participation from researchers and cyber-security enthusiasts.

Last week, it was announced that Microsoft and Facebook teamed up to sponsor the HackerOne programme, which rewards ethical hackers who ‘contribute to a more secure internet’.

Facebook’s Product Security Lead, Alex Rice, said that even if companies tend to compete with each other, their security teams should not be rivals, as they have a common adversary: the bad guys.

Zero-day attacks pose enormous technological threats, but the damage does not stop there. According to internet security expert Graham Cluley, companies also risk a PR catastrophe if hackers exploit an unknown vulnerability.

But then why don’t companies just hire the best security experts and pay them loads of money? Well, they do. However, as long as code is written by humans, the potential for human error will always be there.