You may have seen headlines recently about researchers, ethical hackers and even kids being paid for flaws they discovered in operating systems, software and even online games. If so, you may have asked yourself, “How can I get paid to hack?”
The answer is simple, but there are a few important nuances and legal kinks to be clear on. First, it is never legal or encouraged to violate laws, end user license agreements (EULA) or copyright protections. Those who would be classified as criminal or unethical hackers are not being paid by companies for their hacking discoveries. In the same way, a thief who robs a convenience store will not be rewarded by the clerk if he points out that the freezer is leaking.
What you want to focus on is known as responsible disclosure. This is a concept, not a rule or law, that those who discover mistakes or vulnerability in technology should privately inform the vendor of the issue and then provide the vendor sufficient time to respond — before the flaw is made public. The period of time to keep an issue confidential is negotiated by the discoverer and the vendor. This time frame could be weeks or as long as six months.
However, just because you inform a vendor of an issue does not ensure that they will pay for that information. You need to accept the fact that you may be thanked for your services but not compensated.
Not all companies support responsible disclosure. Some have the perspective that setting a time limit for public release is a form of blackmail and that requesting payment for disclosures is a form of extortion. Thus, you need to know the perspective of the company in question before you approach them.
In many cases, Internet-based or focused organizations will have some form of press release or legal statement on their stance in regards to flaws and vulnerabilities. You should also search discussion forums for perspectives on a company prior to reaching out to them directly. DO NOT disclose any flaws or exploits — just inquire about their stance on issue disclosure.
If you are not satisfied that a company actually wants disclosure from outsiders, it is likely in your best interest to keep yourself out of harm’s way. Some companies have brought lawsuits against outsiders disclosing their flaws (both responsibly disclosed and inappropriately publicly released). If a company seems to be lawsuit prone and you are internally urged to inform them of an issue, find an anonymous route or a trusted intermediary (e.g., a lawyer) to bring your information to the organization.
If you discover the organization is friendly toward disclosure of vulnerabilities, then use their prescribed channel for submitting your information. Be sure to read their legal terms and follow their guidelines to the letter. Failing to do so could result in you missing out on a reward — or worse, ending up in court.
If you find flaws in software through reasonable experimentation or by accident via regular use, then by all means seek out the organization for disclosure (again, assuming they are generally friendly toward such disclosure). However, if you perform actions that would be considered unethical or illegal, then not only would you likely be held responsible for your crimes, you would not be rewarded for your disclosures.
If you are interested in getting paid to hack, the first organization I recommend that you direct your efforts toward is Google. Google’s Vulnerability Reward Program was established in 2010 and will pay for verified exploits up to $20,000. There are some rules and restrictions, such as a six-month blackout period for public disclosure. However, if your exploit is verified, not only will you be compensated, Google will post your name on their Hall of Fame board.
My goal here is to encourage you to responsibly report bugs and flaws that you discover during normal, regular valid use of a product. However, if you choose to go treasure hunting for flaws, then be careful about picking targets, as some companies are supportive of intentional flaw discovery while others perceive it as malicious hacking and may attempt to prosecute.
Certified Ethical Hacker v8