The upshot of the information age is that “software is eating the world”. In a rush to create digital code and services, companies competing to be the first to market do not prioritise cyber security — even though security problems and software bugs are a known certainty. When even secure organisations experience data breaches and security incidents, it is clear they need all the help they can get.
Surprisingly, software giants now encourage hackers to hack them. Companies such as Google, Microsoft and Facebook have been doing this since 2010, in what are called “vulnerability reward programmes”, or more commonly “bug bounty programmes”. In an echo of the American wild west, companies offer independent security researchers the chance to win rewards and recognition for identifying critical security problems — software vulnerabilities that could put us all at risk.
While 2016 may have been “the year of the hack”, including the huge denial-of-service internet outage in the US in October, 2017 could be “the year of the friendly hack”. There are more bug bounty programmes in traditional industries, outside Silicon Valley.
MasterCard, Johnson & Johnson and even the Pentagon are inviting hackers to work with them and test their systems for vulnerabilities. By rewarding hackers for their discoveries, these organisations can learn from their findings, prevent security breaches, and even recruit top cyber security talent.
This explains why leading companies are willing to pay out millions of dollars in rewards. According to Bugcrowd, which manages many programmes for other companies, in the past few years Google, Facebook, Yahoo, Microsoft and Mozilla paid friendly hackers a total of more than $13m in bounties.
The idea of a bug bounty is not new: in 1995 Netscape offered rewards to users who found bugs in the trailblazing Navigator 2.0 web browser. Now, thousands of ethical hackers help hundreds of organisations find software bugs, using the power of many to make us all safer. Rewards range from T-shirts to 1m airline miles or a $200,000 single reward that Apple offers for certain discoveries.
Bug bounties are becoming more widely accepted because the benefits they provide can greatly outweigh the risks: never before has it been so easy for hackers to legitimately report findings to the companies affected by them and get rewarded without breaking the law — a hacker-specific take on the “gig economy”, if you will. It is also a cost-effective way to find security bugs for the companies in question, as empirical economic research has proven.
Some of the best bug hunters end up being offered full-time corporate positions. These are hackers from all over the world, whose location, access to college education or finances may never have afforded them the chance of an interview — with the result that companies would have missed out on their incredible talent.
The latest corporate benefit, one suggested by the Berkeley Technology Law Journal, is that bug bounty programmes can become a corporate governance “best practice” mechanism. Having such programmes in place can help directors exercise their “duty to monitor” digital assets.
Finally, you might ask: won’t criminals take advantage of these programmes? The truth is they seldom require an incentive to hack. They are already at it, making millions illegally. These programmes allow individuals who spot a problem to do the right thing and give companies a chance to sort it out, while getting legitimate payment and recognition. The process represents a practical way to harness the impact of thousands of security researchers who are helping to build a much-needed “immune system” for our connected age. That gives me hope.