Ethical Hacking (Bug Bounty Hunting): What Does It Mean?

New word alert: Bug Bounty Hunting = Ethical Hacking.

Last week, I was invited to a Tech Conference to speak about the various legal issues arising at the intersection between Law and Technology. To start us off was this lady, let’s call her Alice who led a discussion on Cyber Security and boy didn’t she impress! She understood the topic so deeply, so intimately and so precisely that I wondered whether the topic itself, Cyber security, might get the wrong idea and ask for a happy ending from its handler? Haha anyways.

When my mind got back into the room, Alice was talking about ‘Bug Bounty Hunting’. Picture her in an all-black ensemble, complete with a thick, studded leather belt and stilettos. I kept wonderin’:
“When is she gonna pull out the gun?”
I could already picture her, harlot-red lipstick, red nails, and a fire-spitter trained to her waist. It had to be there somewhere under that belt, it just had to be. And so, I sat and waited. But to my great disappointment, the moment never came, because first, the chickadee didn’t have a gun and second, I had misread her whole talk on Bug Bounty hunting. It’s got nothing to do with hunting a bugger down, just imagine that. Nothing!

So, what exactly is Bug Bounty Hunting?

Bug bounty hunting simply means being an ethical hacker who is allowed access to protected code or systems for the purpose of checking for errors and malfunctions. As a software programmer with notable skills, you may be shortlisted into a company’s bug bounty program, and you will get paid for every error that you find and report. It is a safe way of staying ahead of black-market hackers who might be trying to unethically and illegally access your data or source code.

Black Market Hacker vs. Ethical Hacker

Let’s say you are a large Law Firm or corporate holding sensitive client data, which data is worth billions if it is accessed and traded in the black market. With the proper incentives, black market hackers will normally try to infiltrate your system illegally and attempt to access that data.

In order to make better decisions about the cyber security measures your firm needs to take to protect its systems from hacking, you will need to think like a hacker. That’s where Ethical Hacking (Bug Bounty Programs) comes into play.
Ethical hackers help corporates identify hacking risks and loopholes in their systems and software. This enables corporates to correct and upgrade where necessary and make their systems more secure.

A Bug Bounty is a reward paid to an Ethical Hacker for identifying and disclosing potential security risks in a corporate’s web, mobile or other systems. The Ethical Hacker checks for loopholes in the software and discloses the vulnerabilities and weaknesses to the corporate, so that the owner of the software can take action on the bugs discovered. The whole point of the exercise is to ensure that a system or software is as secure as possible, in order to fully protect the confidentiality and integrity of the data held within it.

Where did it all begin?

The first bug bounty program was introduced in 1995 when a startup called Netscape Communications offered cash and Netscape merchandise to people who reported security bugs in the new beta release of its Navigator 2.0 browser. In the last few years, different companies including Google, Microsoft, Facebook, Yahoo, have started to offer significant rewards to bug bounty hunters to identify bugs within their systems.

Companies are willing to pay a sufficiently high price for discovered vulnerabilities because, if a vulnerability is sold on the black market instead, the ultimate end user of the unpatched flaw is unknowable at the point of sale. It may also take an outsider to discover a loophole in a company’s systems that is a blind spot for its in-house cyber security professionals.

In Kenya, Safaricom launched its first bug bounty program in 2018 through HackerOne, the cyber security company and the telecom’s program partner.

“The reason for starting this program was to encourage hackers to report any bugs/vulnerabilities that they may find in Safaricom’s products and services to Safaricom in a confidential and ethical manner instead of exploiting them or disclosing them to the public,” said Thibaud Rerolle, Safaricom’s then Technology Director.

Now that you understand what Ethical Hacking is all about, we shall be looking at how to draft Agreements for Ethical Hacking.

Written by Elixa on Tuesday May 14, 2024
