To protect themselves from cyber attacks, big companies like Nubank, C6, TIM and OLX are joining a worldwide trend and looking for “bounty hunters” to break into their systems. The objective is to find flaws or vulnerabilities that could serve as a gateway for criminals to steal or “hijack” data, which can mean millions in losses for companies.
Called “bug bounty”, these reward programs rely on platforms with thousands of experts, known as “good hackers” or “ethical hackers”. These professionals are tasked with legally scouring companies’ systems for weaknesses. If they manage to break through a company’s security, they receive rewards of up to R$15,000 in Brazil – abroad, the amounts are much higher and may exceed US$100,000, depending on the discovery.
In Brazil, these programs still face a certain distrust from business owners, who fear they will become more vulnerable. But with the growth of digitization during the pandemic and the resulting multiplication of cyber attacks, many companies have had to look for new alternatives. Nubank, for example, has just launched its program with rewards starting at $150.
“Security has been one of the pillars of our operation since the company’s first day,” says the bank’s Information Security Engineering manager, Rodrigo Santos. He says that, last year, the institution had already started an unpaid test with HackerOne – one of the biggest bug bounty platforms in the world. In that test, 15 reported flaws were judged valid.
In the current program, the company opted for the private modality, in which a selected number of professionals are invited to look for system vulnerabilities. In public mode, any expert from the hacker community can take part in the tests. “Since this culture is not yet fully disseminated in Brazil, companies are afraid and enter programs in a lighter form”, says Bruno Telles, founder and operational director of BugHunt, a Brazilian platform.
Created in March 2020, the company has around 7,000 registered hackers and 25 active programs. Telles says reward programs are just getting started in Brazil but should gain traction in the coming years as digitization advances. In addition to private companies, governments should also start to embrace this solution as a way to protect themselves against cybercriminals.
According to a report by Fortinet, a digital security company, in the first half of this year alone Brazil suffered around 16.2 billion attempted cyber attacks. The country ranks fifth in the number of ransomware incidents – an attack in which criminals block access to a system and restore it only after a ransom is paid – according to data from the consultancy Roland Berger. And the problem is not confined to a single sector; it has been widespread.
“The best way to protect yourself is to test your flaws. I usually have an internal team to do this type of work, but now I can also count on hackers from all over the world”, says José Santana, head of information security at C6 Bank. The bank’s bug bounty program has 842 researchers (hackers) authorized to look for any holes the bank’s systems might have.
Since adopting the solution in 2019, the institution has already paid around US$25,000 (R$136,000) in rewards, with an average of US$696 (R$3,800) per award. Santana explains that if the payout is too low, few hackers will be interested in the opportunity, since testing can take a while.
“Higher remuneration, in fact, attracts more people, but there are those who want to earn points to rise in the ranking of those who find the most flaws. These accept lower amounts”, says Telles. Payments follow a severity table: the more critical the problem, the higher the reward.
In the United States, this is a multi-million dollar market. Giants such as Google and Apple have programs that offer $1 million to anyone who manages to breach their security systems. In 2017, Google alone paid $3 million through its security programs.
“I believe that bug bounty programs actually bring an independent profile (for systems analysis). I only see advantages”, says Raúl Rentería, technology director at OLX Brasil. In his view, the solution gives the company access to professionals who are outside its day-to-day activities and who are able to see other aspects of the problem.
This year alone, hackers have reported 32 bugs in the OLX system. Of these, 17 have been approved or are under review. The company’s rewards can reach R$10,000, depending on the severity of the flaw. Rentería says the company also has internal employees who test the group’s security. “But that look from the outside, which hunts for flaws in every corner, is important.”
That outside perspective has led Manoel Abreu Netto, 37, to file more than 300 reports of flaws and vulnerabilities in the systems of various companies. He doesn’t like to talk about amounts, but says it is worthwhile. He has been a “good hacker” for three years.
A computer science graduate, Netto divides his time between a job in public administration and bug bounty platforms. He has already won three international system vulnerability challenges, which earned him three trips to Argentina and the United States. Information is from the newspaper The State of São Paulo.