To protect themselves from cyber attacks, big companies like Nubank, C6, TIM and OLX are joining a worldwide trend and looking for "bounty hunters" to break into their systems. The objective is to find flaws or vulnerabilities that could be the gateway for criminals to steal or "hijack" data, which can mean millions in losses for the companies.
Called "bug bounty" programs, these reward schemes run on platforms with thousands of experts, known as "good hackers" or "ethical hackers". These professionals' mission is to scour companies' systems and find weaknesses legally. If they manage to break through a company's defences, they receive rewards of up to R$15,000 in Brazil; abroad, the amounts are much higher and may exceed US$100,000, depending on the finding.
In Brazil, these programs still meet some distrust from business owners, who fear they will become more exposed. But with the growth of digitization during the pandemic and the resulting multiplication of cyber attacks, many companies had to look for new alternatives. Nubank, for example, has just launched its program, with rewards starting at $150.
"Security has been one of the pillars of our operation since the company's first day," says Rodrigo Santos, the bank's Information Security Engineering manager. He says that last year the institution had already run an unpaid pilot with HackerOne, one of the biggest bug bounty platforms in the world. In that pilot, 15 reports were judged valid.
In the current program, the company opted for the private model, in which a selected group of professionals is invited to look for vulnerabilities. In the public model, any expert from the hacker community can take part. "Since this culture is not yet fully established in Brazil, companies are afraid and start with lighter programs," says Bruno Telles, founder and operations director of BugHunt, the Brazilian platform.
Created in March 2020, the platform has around 7,000 registered hackers and 25 active programs. Telles says reward programs are only just getting started in Brazil but should gain traction in the coming years as digitization advances. Beyond private companies, governments should also start to embrace this approach as a way to protect themselves against cybercriminals.
Increase in attacks
According to a report by Fortinet, a cybersecurity company, in the first half of this year alone Brazil suffered around 16.2 billion attempted cyber attacks. The country ranks fifth in the number of ransomware attacks (attacks in which the criminal locks the victim out of their own systems or data and only restores access on payment of a ransom), according to data from the consultancy Roland Berger. And the problems are not restricted to a single sector; they are widespread.
"The best way to protect yourself is to test your own flaws. I usually have an internal team to do this type of work, but now I can also count on hackers from all over the world," says José Santana, head of information security at C6 Bank. The bank's bug bounty program has 842 researchers (hackers) authorized to keep an eye out for any holes the bank's systems might have.
Since adopting the approach in 2019, the bank has paid around US$25,000 (R$136,000) in rewards, an average of US$696 (R$3,800) per award. Santana explains that if the payout is too low, few hackers will be interested in the opportunity, since testing can take a long time.
"Higher remuneration does attract more people, but there are those who want to earn points to rise in the ranking of those who find the most faults. These accept lower amounts," says Telles. Payments follow a severity table: the more critical the vulnerability, the higher the reward.
In the United States, this is a multi-million dollar market. Giants such as Google and Apple have programs that pay up to $1 million for the most serious attacks against their security systems. In 2017, Google alone paid $3 million through its security programs.
"I believe that bug bounty programs really do bring an independent profile (to systems analysis). I only see advantages," says Raúl Rentería, technology director at OLX Brasil. In his view, the approach gives the company access to professionals who are outside its day-to-day activities and able to see other aspects of the problem.
This year alone, hackers have reported 32 bugs in OLX's systems. Of these, 17 have been accepted or are under review. The company's rewards can reach R$10,000, depending on the severity of the flaw. He says the company also has internal employees who test the group's security. "But that look from the outside, hunting for flaws in every corner, is important."
This outside view has led Manoel Abreu Netto, 37, to file more than 300 reports of flaws and vulnerabilities in the systems of various companies. He prefers not to discuss amounts, but says it is worthwhile. He has been a "good hacker" for three years.
A Computer Science graduate, Netto divides his time between a job in public administration and bug bounty platforms. He has already won three international vulnerability-hunting challenges, which earned him three trips to Argentina and the United States.
The profile for success: self-taught and started early
Gregório Gomes' first experience as a hacker came in adolescence, at 12. To spend more time in front of the computer, he had to circumvent parental rules, discover passwords and change some settings. It was then that he realized how naturally the field came to him, as he learned almost everything on his own. "I was always on the computer and consumed a lot of outside information," says Gomes.
At 16, he was already on some of the most important bug bounty platforms in the world, legally trying to hack into the systems of large companies.
On one foreign platform alone, he handled more than 500 company engagements and found some major system problems, with rewards of up to $5,000.
In one of them, he discovered a flaw rated critical, in which the company's own system ended up cloning people's credit cards, a kind of "chupa-cabra" (the Brazilian slang for a card-skimming device). In general, he says, vulnerabilities are "legacies of the systems". "Every website has a default build by a developer. If you don't adjust and change the settings, it's easy to exploit the system."
With the experience he gained as a "good hacker", he provided services for companies such as Easy Taxi and Uber until he created his own startup.
In early 2017, he founded Data Refinery, a company specializing in the collection and analysis of digital information.
With that access and knowledge, he was able to navigate the so-called dark web and bring information from that underworld to the business environment.
In April 2021, the company was sold to Modal, and Gomes became the institution's Data Engineering manager.
But the bounty hunter has not abandoned his origins. At 27, he is still registered on the platforms and still tries to break into other companies' systems. "Today I do it as a hobby. In the past it was my way of earning money. Either you do it for good or for bad."
At 16, Andres Alonso Bie Peres is a standout in bug bounty. At 14, he earned $25,000 from Facebook for discovering a flaw in Instagram.
Like Gomes, Andres also learned practically everything on his own. At 10, he took a course in graphic design. Curiosity drove him deeper into the internet. He discovered that he could make money by legally hacking into company systems and decided to study the subject.
With the money he earned from Facebook, he bought more equipment and used part of it to create a company that teaches the activity.
Launched in August, the company already has 500 students, who pay R$397 for an annual subscription. The current goal is to reach 2,000 students within a year. In the meantime, he continues to hunt for bounties.
Reference: CNN Brasil