The Security Ledger Podcast
Podcast Episode 112: what it takes to be a top bug hunter
In this week’s episode (#112): top bug hunters can earn more than $1 million a year from “bounties” paid for information on exploitable software holes in common platforms and applications. What does it take to be among the best? We talk with Jason Haddix of the firm Bug Crowd to find out. Also: The Internet Society’s Jeff Wilbur talks about the new #GetIoTSmart campaign to educate device makers and the public about Internet of Things security.
Will Hunt Bugs for Cash
As recently as 15 or 20 years ago, security researchers who discovered and reported vulnerabilities in common software like Windows did it mostly for kicks, for status within their community, or maybe as a high-minded gesture of public service.
Today, the best bug hunters can make a million dollars a year or more from their discoveries. What has changed? For one thing: bug bounty programs, which started more than a decade ago and have sprouted like dandelions in the past 10 years. Working through bounty programs, companies like Microsoft, Apple, Google, Twitter and Facebook can direct six figure payouts to researchers who uncover the most serious and exploitable holes.
What does it take to be a great bug hunter? In our first segment, we invited Jason Haddix (@jhaddix), the Vice President of Trust and Security at bug bounty hosting platform BugCrowd, into the Security Ledger Studios to talk about what’s happening on the bug bounty scene and whether, given the big pay days, bug hunting might be drawing more interest as a profession.
Before he joined BugCrowd, Haddix was a BugCrowd customer: one of the site’s top-ranked bug hunters. In this interview he talks to us about the qualities that make someone a good bug hunter and the latest trends in bounty programs.
Get (IoT) Smart
As The Washington Post noted today: in California, a bill that sets cybersecurity standards for Web-connected devices — from thermostats to webcams to cars — cruised through the state legislature and is now awaiting Gov. Jerry Brown’s signature. The bill would make that state the first in the nation to pass legislation to govern security of the Internet of Things.
Outside of The Golden State, however, progress towards IoT security standards has been slow. Part of the reason is the complexity of IoT ecosystems, which involve device manufacturers, software publishers, platform providers like Google and Microsoft as well as regulators and consumers.
The other reason is that good information on IoT security is hard to come by. But a new program from The Internet Society is trying to bridge the information gap. GetIoTSmart aims to educate both device manufacturers and end users – businesses and consumers – about what makes an Internet of Things device secure, or insecure.
[Read Security Ledger coverage of Internet of Things security standards here.]
To talk about the new program, we invited Jeff Wilbur, the Director of The Online Trust Association, which is part of The Internet Society, into the studio to explain what GetIoTSmart is and how it is intended to work.
Jeff Wilbur is the Director at The Internet Society’s Online Trust Association. He was in the studio to talk about the Internet Society’s new GetIoTSmart program.