The Biggest Bounties Uber, Facebook, Microsoft and More Have Paid Hackers
From Uber to GM, companies are willing to pay hackers big bucks for finding glitches in their systems.
Hacking gets a bad rap, mostly because people tend to focus on those out to do harm. But there are many so-called "white hat" hackers who try to uncover vulnerabilities. Many of today’s biggest tech and media firms have launched “bug bounty” programs offering to pay these hackers -- or anyone -- big bucks to report vulnerabilities in their systems.
With bug bounties becoming so mainstream, companies are emerging dedicated to finding these flaws. Startup HackerOne checks for bugs in companies’ operations, and in February, it announced a $40 million series C funding round.
Companies outside of tech have also launched their own bug bounty programs. In 2016, the U.S. Army launched its program, “Hack the Army,” and companies such as Starbucks and GM have also made it a part of their operations.
"Bug bounty are now an essential part of the software life cycle," HackerOne’s CEO Marten Mickos told Fortune.
In January, Facebook awarded its biggest bounty yet -- $40,000 to a security researcher who discovered a glitch in its photo editing software, ImageMagick. In October 2016, the company posted to Facebook that it had paid out more than $5 million in bug bounties over the past five years.
Check out the biggest bounties that hackers have collected from some of the leading names in tech.
In August 2016, security researcher Anand Prakash found a glitch in Uber’s code that allowed users unlimited free rides. After reporting it through Uber’s bug bounty program, which awards hackers up to $10,000 for discovering system vulnerabilities, the company gave Prakash permission to test for the bug in the U.S. and India. As a result, he found that the bug impacted both markets.
When inserting their payment information, the bug let users submit an invalid method of payment, such as “abc” or “xyc” and avoid being billed for a ride.
Uber has since fixed the issue and paid Prakash $5,000 for his discovery.
Facebook awarded Russian security researcher Andrew Leonov $40,000 for finding a flaw in its photo editing software ImageMagick. The bug, which was originally discovered last year by Facebook’s security team, was temporarily patched up, but Leonov found a flaw in their handywork, making Facebook’s servers vulnerable to “remote code execution.”
While on the web, Leonov was presented with a “share on Facebook” pop-up box and he noticed that the page’s image failed to load properly. After some digging, he found that “Facebook had used a vulnerable ImageMagick library in its image converter,” reports Fortune.
Leonov then found a way to break through Facebook’s firewall with his own code, and afterwards reported the bug to the company. He was awarded the biggest bounty Facebook has ever given out, which he received through bug bounty startup Bugcrowd.
In 2014, Facebook paid Brazilian security researcher Reginaldo Silva $33,500 for reporting a major vulnerability that would have risked users’ login credentials. The bug was related to code used for the authentication system OpenID, which lets people use the same log-in credentials on various platforms. The glitch would have allowed hackers to access files and open network connections on Facebook’s servers. Today, Silva works as an engineer at Facebook.
Bug hunters come in all shapes, sizes -- and ages. In March 2016, Facebook awarded a 10-year-old Finnish boy $10,000 for finding a weakness in its photo sharing app Instagram. The boy, identified only by his first name, “Jani,” is the youngest person to ever receive a bounty from the social media giant -- in fact, he’s too young to even have his own Facebook or Instagram accounts.
Jani, who learned to code from YouTube videos, discovered a way to delete user comments from Instagram accounts. “I wanted to see if Instagram’s comment field could stand malicious code. Turns out it couldn’t,” he said.
In 2016, a security researcher who goes by “avicoder” uncovered the now-defunct Vine’s entire source code -- the confidential backbone of an app or program. Luckily, avicoder reported his finding to Twitter, the issue was immediately fixed and he or she was paid $10,080.
In 2013, Microsoft paid James Forshaw, a security vulnerability researcher for Context Information Security, $100,000 for finding a bug in its preview version of the Windows 8.1 operating system. Forshaw discovered a “new mitigation bypass” technique that helped him get around the software’s defense walls.
This wasn’t the first time Microsoft paid someone wads of cash for discovering a flaw in its systems. Over the past few years the company has run contests offering cash prizes to people who find bugs and offer solutions to fix them. In 2012, Vasilis Pappas, a PhD student at Columbia University at the time, won $200,000 in the company’s Blue Hat security contest. Pappas came up with “kBouncer,” which blocks anything that looks like an ROP attack from running, reports Business Insider.
Google has had a bug bounty program since 2010. In fact, up until 2015, the company hosted an annual Pwnium contest offering cash prizes to people who find vulnerabilities in its products. Today, like many other tech companies, Google has switched to a year-long rewards program instead. And Stephan Somogyi, product manager of security and privacy at Google, said the company paid out more than $2 million to more than 300 security researchers for finding bugs.
In 2015, security researcher Peter Pi was recognized as the top researcher for Android vulnerabilities, discovering more than 26 bugs and being rewarded $75,750 for his efforts.
The same year, Zimperium security researcher Joshua Drake was rewarded more than $50,000 for uncovering a number of Stagefright bugs, which are Android bugs that allow hackers to control users’ devices remotely.