Hackers Paid to Do Right Thing
In 2011, two Dutch hackers in their early 20s made a target list of 100 high-tech companies they would try to hack. Soon, they had found security vulnerabilities in Facebook, Google, Apple, Microsoft, Twitter and 95 other companies’ systems. They called their list the Hack 100.
When they alerted executives of those companies, about a third ignored them. Another third thanked them, curtly, but never fixed the flaws, while the rest raced to solve their issues. Thankfully for the young hackers, no one called the police.
Now the duo, Michiel Prins and Jobert Abma, are among the four co-founders of a San Francisco tech start-up that aims to become a mediator between companies with cybersecurity issues and hackers like them who are looking to solve problems rather than cause them.
They hope their outfit, called HackerOne, can persuade other hackers to report security flaws, rather than exploit them, and connect hackers with companies willing to pay a bounty for their finds.
In the last year, the start-up has persuaded some of the biggest names in tech – including Yahoo, Square and Twitter – and companies you might never expect, like banks and oil companies, to work with their service. They have also convinced venture capitalists that HackerOne has the potential to be very lucrative. HackerOne gets a 20 percent commission on top of each bounty paid through its service.
“Every company is going to do this,” said Bill Gurley, a partner at Benchmark, which invested $9 million in HackerOne. “To not try this is brain-dead.”
Hackers who find new holes in corporate systems can, depending on their severity, expect six-figure sums to sell their discovery to criminals or governments, where those vulnerabilities are stockpiled in cyberarsenals and often never fixed. Alternatively, when they pass the weaknesses to companies to get them fixed, they are ignored or threatened with jail.
“We want to make it easy and rewarding for that next group of skilled hackers to have a viable career staying in defense,” said Katie Moussouris, HackerOne’s chief policy officer, who pioneered the bounty program at Microsoft. “Right now, we’re on the fence.”
Mr. Prins and Mr. Abma started HackerOne with Merijn Terheggen, a Dutch entrepreneur living in Silicon Valley. The three met their fourth co-founder through the Hack 100 effort when they sent an email alerting Sheryl Sandberg, Facebook’s chief operating officer, of a vulnerability in Facebook’s systems. Ms. Sandberg didn’t just thank them, she printed out their message, handed it to Alex Rice, Facebook’s product security guru at the time, and told him to fix it. Mr. Rice worked with them to fix the issue, paid them a $4,000 bounty and joined them a year later.
Tech companies began rewarding hackers five years ago when Google started paying hackers $3,133.70 for bugs (31337 is hacker code for “elite”). Since then, Google has paid as much as $150,000 for a single bounty and doled out more than $4 million to hackers. Mr. Rice and Ms. Moussouris helped pioneer the bounty programs at Facebook and Microsoft.
“A lot of companies have hackers – they just don’t know it,” Mr. Terheggen said. “The bad guys are on there already. The good guys don’t show up unless you invite them.”
About 1,500 hackers are on HackerOne’s platform. They have fixed around 9,000 bugs and received more than $3 million in bounties.
HackerOne competes with the bounty programs its founders helped start at Facebook, Microsoft and Google. HackerOne also competes with Bugcrowd, a similar start-up that charges companies an annual fee to manage their programs. Bugcrowd works with young companies like Pinterest and institutions like Western Union.
“Every technology has vulnerabilities, and if you don’t have a public process for responsible hackers to report them, you are only going to find out about them through attacks in the black market,” Mr. Rice said. “That is just unacceptable.”
(Translated by 王麗娟)