Personal Capital, a data aggregator and personal financial management app provider, recently launched a program in which it pays hackers to find something wrong with its software source code.
Personal Capital is not the first to offer a “bug bounty.” USAA, Simple, PayPal, Western Union, and Mastercard are among the financial companies that already have such programs. But it is still a relatively new tactic.
“Most banks and financial technology companies don’t even offer an email address to which outside security researchers can confidentially send issues they might come across,” said Sean Sposito, senior security analyst at Javelin Strategy & Research.
Some elements of Personal Capital’s program make it stand out, including its use of a replica or sandbox version of its code to let hackers pick holes in it without exposing users’ data. And the company pays above-average rewards to those who find critical vulnerabilities.
Taken collectively, these programs not only help keep financial services providers secure, but also give people with a hacker mindset a respectable (and legal) way to make a living.
Bug squashing at Personal Capital
Personal Capital began running a private bug-bounty program with the cybersecurity firm Bugcrowd 18 months ago.
Chief information security officers “always worry” about the possible vulnerabilities of their code, said Maxime Rousseau, who holds that job for Personal Capital. “At Personal Capital, we always say trust is our currency.”
Two million people use Personal Capital to aggregate their financial information from banks, credit card issuers, robo advisers and other financial services providers.
“They’re sharing their passwords with us and trusting us with their data, and we have to make good on that,” Rousseau said. “We like to set a high standard for our platform around security.”
Rousseau’s team felt it had exhausted the potential of the traditional penetration-testing and vulnerability-scanning tools it was using.
“We really wanted to raise the bar further to a place where we need human creativity and human minds applied to this,” he said.
Letting hackers in
Bankers have to confront a lot of questions when they consider bug-bounty programs: Who are these people we’re inviting to break into our systems? What are their true motives? And what are they really going to do once they find some kind of software vulnerability?
“We talked about that at great length and had a few conversations with our general counsel about it,” Rousseau said. “The net net for us is, if somebody is malicious and has ill intent towards the platform, there’s nothing that really stops them from hacking our public website now. And so we want people to have a place where they can try this, and if they do find something, they let us know.”
Personal Capital created a sandbox for the bug-bounty program. It is a replica of the live environment, but with no customer data.
“The crowd can play in that sandbox and find real issues, but without any concern for users and clients,” Rousseau said.
Casey Ellis, founder and chief technology officer of Bugcrowd, said this is a bit unusual.
Some customers go out to the open internet and allow white-hat hackers to take a crack at their production systems, he said. Others have created a protected environment the way Personal Capital has. Still others keep their bug-bounty program private, and only allow in researchers Bugcrowd has approved.
“Personal Capital is ahead of the curve on this one,” Ellis said. “It is a very good thing to get ahead of the curve and be so proactive.”
Personal Capital also draws hackers’ attention to the security issues it cares most about.
“Account takeover, which is a huge thing in the financial services industry, is a No. 1 thing for us,” Rousseau said. “We don’t want to have any account takeover.”
Ellis notes that software is written by humans and is therefore fallible.
“You can do everything you can to reduce the risk or mitigate the risk of vulnerabilities,” he said. “But making sure that you’ve got this backstop in place to double-check that and to give you feedback on improvements that can be made, that’s where the openness of the model really comes into play.”
Personal Capital tells the hackers about updates to its software and solicits their feedback.
“The more these programs turn into a running conversation between builders and breakers, the more you can incentivize the hacker community to come in and help,” Ellis said.
Personal Capital is generous with the rewards it pays to those who find something wrong with its software: $3,200 for each top-priority vulnerability.
The average “bounty” among financial services companies is $887 per vulnerability, Ellis said.
“A person that wants to do bug bounty has quite a few options, and so we’re competing in a sense for attention with these programs,” Rousseau said. “We want to make sure we stay ahead and we’ve captured attention and bring quality researchers to the platform. And if you’re looking at the recent news of data breaches and security incidents, $30,000 a year in rewards for an issue that could have resulted in a data breach is incredibly cheap.”
Sposito agreed that qualified white-hat hackers are a scarce resource.
“There are only a relatively small number of highly experienced, and highly sought-after, hackers that are capable of reporting critical vulnerabilities,” he said. “So the best reason to launch such a program is to build trust with customers, regulators and independent security researchers.”
One hacker found a vulnerability in Personal Capital’s code that Rousseau suspects the company would never have discovered on its own.
“No tool would have found that, no [quality assessment] would have found that,” he said. “It was really a unique, crowd-only thing. And we were very excited to know about that and fix it.”
Turning hackers away from crime
There are people who make a living off of bug-bounty rewards, Ellis said.
“There are even stories of kids in different countries that are buying their parents cars to say thank you for the computer science degree,” he said.
“If you’re a successful researcher and you get a few bounties recognized, you might make $10,000 in a matter of a few months,” Rousseau said. “If you’re somewhere like India, that can be pretty significant. It’s nice to be able to help like that. It’s also nice to be able to provide a platform where people can develop their skills. There are younger people that want to go into security. How do you learn this in a safe environment?”
Ellis concurred, adding: “And not inadvertently wander off into sketchy territory that sets you off for a life of crime.”
He told the story of a child who hacked the lunch line system at his elementary school and got suspended for it.
“When we heard that story, my initial reaction was, that’s awesome,” Ellis said. “I respect the innovation and critical thinking that goes into that. But obviously there was a lot of tension around that. We invited him to come into the office and spent some time with this kid.”
Many young digital natives have impressive hacker skills, he noted.
“But their moral compass isn’t fully formed,” Ellis said. “So they’re not making a deliberate decision to become a ‘bad guy,’ they’re just kind of wandering off into the bad end of this whole thing. We have the opportunity to capture that and divert it back into a productive and legal career path and help some of these folks actually end up avoiding a life of crime potentially.”