Friday, 25 November 2016

How to make big bucks hunting cyber bugs

This month the US government is launching its first-ever bug bounty programme - a 20-day scheme for cybersecurity savvy citizens to have a go at finding flaws in the Department of Defense's public websites before the illegal hackers do.
There is a $150,000 (£106,000) pot for rewarding the finders of significant bugs.
Unauthorised hacks make headlines and can have catastrophic consequences for the organisation that suffers a breach, so many seek to crowdsource their security in addition to employing their own in-house experts, offering financial rewards - known as bounties - as an incentive.
Bugs are officially big business.
Image caption: Uber launched its first bug bounty programme in March 2016

Last month Uber announced that it too was entering the bug bounty arena with a scheme of its own, while firms like Facebook and Microsoft have been running them for years.
Microsoft's top reward is currently up to $100,000 (£70,699) for "truly novel exploitation techniques against protections built into the latest version of our operating system" - or anything that bypasses all the security systems on the Windows platform.
Generally a bug bounty programme will pay a reward based on how significant the find is.
Facebook has so far paid out nearly $1m in bounties but the average pay-out in 2015 was $1,782 per bug - and its most prolific bug hunters were in India, Egypt, and Trinidad and Tobago, the social network says.

Job opportunities

"By having bug bounty programmes, companies make sure the best hackers look at their code," says computer scientist Gianluca Stringhini, assistant professor at University College London.
"The more eyes look at the programme, the more bugs they find.
It's also a way for these companies to identify talent."
There's no doubt that if you're a successful part-time bug hunter you might even get a job out of it - security researcher Chris Vickery got his current role after doing just that.
"When I found one of the databases of [software firm] MacKeeper, they turned around and said 'OK, we want to hire you to give us tips about data breaches'," he said.
"That was an awesome response."

Image caption: Many security researchers bug hunt in their spare time.

So how do you go about it?
Belgian bug hunter Arne Swinnen is currently ranked number two in Facebook's so-called white hat hall of fame - a surprisingly long list of the people who have helped it make its various platforms more secure by finding and reporting vulnerabilities before the cybercriminals exploit them.
Mr Swinnen has a day job but in his spare time has netted around $15,000 (£10,604) finding system weaknesses in the last few months.
"Some bugs that I've found they took me a couple of days, others only take five minutes. My biggest bug so far got me $2,500 (£1,767) and only cost me five minutes of my time."
He started out by looking at Facebook-owned Instagram after researching bugs online and identifying that fewer bug bounty hunters appeared to have it in mind.
"I looked to see what it had - website, mobile apps - I looked at their functionalities, and then started to look for vulnerabilities," he explains.

Mr Swinnen admits it isn't exactly his girlfriend's idea of a holiday - but it can be lucrative.
"It's my hobby, I like hunting, if you find something it's really a thrill," he told the BBC.

Right side of the law

Of course many companies without designated schemes will generally be appreciative of some security support. There are a few issues to be aware of though if you plan to fish in the wild, as it were - not least that unauthorised access of a system is illegal in many countries.
"In the UK, under the Computer Misuse Act, unauthorised access is a criminal offence - even if the door is wide open," says cybersecurity expert Prof Alan Woodward from Surrey University.
"You have to understand the law and how far you can push it. You also need to understand how the industry works because there are what you might think of as best practice [guidelines] - it's what responsible disclosure is all about."


Image caption: Under UK law, unauthorised access of an IT system is illegal.
Prof Woodward also warns about the responsibilities associated with handling any data you might find floating around, that perhaps isn't as encrypted or secure as it should be.
"You have a duty of care to whoever that data belongs to or is about," he adds.
"Some hackers perhaps feel they are above that but they are not.
"You have to be careful, it is a minefield - there is a fine line between probing for vulnerabilities and unauthorised access."

Stay alert

It is also a minefield for companies, especially small businesses who may well lack both the expertise and the resources to manage this global army of white hats - and the hackers hot on their heels.
"In general the problem is that when someone designs a programme they expect the user to play nicely.
"But an attacker could present an input that nobody thought about and that could make the programme play completely differently," says Gianluca Stringhini.
His basic advice to all firms is simple.
"Keep up with the news, see what new attacks are out there, make sure that whenever a new vulnerability is disclosed they update their systems - and keep an eye for general weird activity," he says.
Members of staff should also take note, he adds.
"You have systems you might develop but they might have holes - system administrators need to keep that in mind but so do end users, their data may not be safe."

Monday, 21 November 2016

Fresh blow to China's troubled tech giant LeEco

The Cool1 Dual smartphone is a collaboration between Coolpad and LeEco
The Chinese smartphone-maker Coolpad has unexpectedly warned of a sales slump, causing its shares to fall by nearly 10%. It blamed tougher economic conditions and "fierce competition in the domestic smartphone market" for its troubles.
The news is a fresh blow to its biggest shareholder LeEco, which had recently increased its stake in the business. Earlier this month, one of LeEco's co-founders warned of its own financial problems following a push into the US.

Partnership phone
Coolpad's stock dropped to a four-year low after it announced that sales had fallen by 43% over the first 10 months of 2016. It now expects to post a HK$3bn ($386.8m; £313.2m) loss for its financial year as a whole.
LeEco became the firm's biggest shareholder in June, when it raised its stake in the company to 28.9%.
The two companies subsequently teamed up to release the metal-cased Cool1 Dual smartphone in August.
But the device struggled against rival handsets from other Chinese tech firms including Huawei, Oppo and Vivo.
"Chinese manufacturers used to be able to rely on their home market to give them unprecedented scale," commented Ben Wood from the tech consultancy CCS Insight.
"However, this year the Chinese market has plateaued and we are starting to see some of the casualties as a result."

American ambitions

In June, the privately-owned company bought 49 acres (19.8 hectares) of land from Yahoo in Santa Clara, California for a reported $250m.

In July, it revealed it was buying the US TV-maker Vizio for $2bn.
Then last month, the Beijing-based company held a high-profile launch event in San Francisco, where it announced it was to start selling a wide range of own-brand products in the US.
These include a range of 4K TVs, two smartphones, a virtual reality headset, a set-top box with its own streaming TV platform and an Android-enabled smart bicycle. It also planned for its concept car to drive itself on to the stage, but the vehicle was damaged en route to the event.

"LeEco has outsize ambitions," noted the Recode tech news site at the time.
"The company literally describes itself as Apple, Netflix, Amazon and Tesla all rolled into one."
But on 7 November, Bloomberg revealed that LeEco's co-founder Jia Yueting had written to its 10,000-plus workers warning that its finances had come under pressure.
"We blindly sped ahead and our cash demand ballooned," the internal memo said.
"We got over-extended in our global strategy. At the same time, our capital and resources were in fact limited."
Mr Yueting added that he was reducing his salary to 1 yuan ($0.14; 11p) and would now pursue a slower growth plan.

Eleven days later, Faraday Future confirmed that it had halted work on a huge factory in Las Vegas due to build a second vehicle bankrolled by LeEco.
"We are acknowledging that there has been a temporary work stop at the site," a spokesman told the Las Vegas Review Journal.

"Part of the re-evaluation and refocusing of our efforts on producing the car were a result of the restructuring and re-evaluation of finances from Jia.
"Faraday Future and LeEco operate as strategic partners, but the finances of the two companies are completely separate."

Rerouted plans

Faraday Future had caused a stir earlier in the year when it unveiled a futuristic concept electric car at the CES tech show and claimed it would bring a separate design to market by 2018.

It had promised to show off the production vehicle at this January's CES.
It is unclear whether this is still planned.
"It would appear to be the case that LeEco has overstretched itself in multiple areas," said Mr Wood.
"Our bet is that it will now have to retrench and perhaps one of those investments will have to be sacrificed."