These days, when an unexpected email turns up offering lots of cash, most people just assume it is a scam and delete it. But Mark Litchfield opened one such a message and it led him on a journey that, so far, has netted him about $1.5m (£1.15m) – all of it legitimate.
The email was from one-time web giant Yahoo, now owned by Verizon Media, and offered Mr Litchfield several thousand dollars as a reward for finding a bug in its website code. The email was a surprise because he had pretty much forgotten about finding the bug. “I submitted a bug to Yahoo and thought that was the end of it,” he told BBC News. “And then I got this email saying, ‘Hey, we’ve got some money for you. Do you want it?'” “That’s when I realised that there was money to be made in this.”
Yahoo, like a growing number of large companies, pays up when people find loopholes in its web code that could be exploited by malicious hackers. Through bitter experience, Yahoo has learned what happens when bugs are missed. In 2013 and 2014, it suffered two massive breaches. Data on more than one billion users went astray.
It stepped up its bug-hunting efforts in the wake of those breaches – which is where Mr Litchfield and others like him come in. Those ethical hackers sign up with companies such as Hacker One, Bug Crowd, Synack and others who run the bug bounty programmes on behalf of companies. And, according to Mr Litchfield, anyone can do it. “I can’t code – at all,” he said. “Yet I’ve managed to be extremely successful, so literally anyone could do this.” Well, maybe.
Mr Litchfield may not code but he has other technical skills. He turned to bug hunting after years of working in the security industry, where he became an expert on the protocols that govern how computers swap data. Finding bugs in the way data is transported has netted him the bumper payouts.
For anyone looking to blaze a similar million-dollar trail or even just start a career in cyber-security, knowing that Mr Litchfield has decades of experience to call on can be disheartening. It was a feeling familiar to anyone looking to break into the security industry, said James Lyne, head of research at the Sans Institute.
The gap between the experts and the beginners could seem too vast to cross, he said. For a long time, it had been only those lucky enough to discover a real affinity for cyber-security work, who persevered and would hunt for bugs even if they were not getting paid to do it, who found a place in the industry, he said.
That was Mr Lyne’s experience and is one common among the pros, many of whom have an “origin” story of how they accidentally, or with the help of a mentor, made it. “I was one of the people that lucked out and learned in the industry,” he said. There was a growing need for that haphazard selection process to change, said Mr Lyne, given the massive skill shortage in the cyber-security industry.
“You need to find a way for someone who does not know they love it to connect with it,” he said. Many governments, including the UK’s, have set up educational schemes that try to give schoolchildren a taste of cyber-security to see if they like it. Mr Lyne helped create the UK’s scheme, Cyber Discovery, which in its first year had more than 25,000 school children take part. The cartoonish appearance puts a friendlier face on tricky cyber-security skills “It’s a teaching tool and a sorting hat,” said Mr Lyne. The Cyber Discovery programme “gamifies” the day-to-day work of the pros. It turns finding security loopholes, tracking hackers, analysing documents for clues and other basic skills into engaging games.
It also gets children familiar with the tools many cyber-pros use day-to-day. Participants get points when they complete a section. And the top performers get to attend residential courses that help them hone their skills further. Bug bounties, said Mr Lyne, were another way that keen amateurs could take their first steps into a cyber-career.
“It’s an easier in to the industry and a way to prove your skills,” he said. Ian Glover, head of the Crest organisation, which certifies the skills of ethical security testers in the UK, is a supporter of bug bounties too – again as a way for people to get a glimpse of what it is like to defend networks and defeat bad guys for a living.
“The money side of it is not as much of a motivation as you might imagine,” he told BBC News – while a few people made a lot of money, most did not. “It’s more about trying to solve the challenges, getting into the industry and getting recognition by your peers.” But anyone taking part in a bug bounty hunt should realise the job of a cyber-security worker demanded far more in terms of skill and expertise,” Mr Glover said.
And companies should have a whole host of other well administered defences in place long before they think about letting bounty hunters have a sniff. Alongside defences embedded in networks and threat-analysis teams should go exercises such as penetration tests that do a more in-depth job of ensuring a system is broadly proof against attack. “Bounties should be the end of the process, not the beginning,” Mr Glover said.