{"id":14738,"date":"2017-04-26T09:00:32","date_gmt":"2017-04-26T13:00:32","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=14738"},"modified":"2020-04-17T13:17:44","modified_gmt":"2020-04-17T17:17:44","slug":"hunting-bugs-for-humanity","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/hunting-bugs-for-humanity\/14738\/","title":{"rendered":"Make bug bounties great again"},"content":{"rendered":"<p>Since joining Kaspersky Lab nearly two years ago, I have always seen David Jacoby as one of our company\u2019s more outgoing and jovial researchers. In addition to creating security memes for Halloween, he also helped put a human face to the company\u2019s GReAT team and even let a film crew look at his crib (MTV style).<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/Emtjo3eeOD0?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<p>On top of those things to make you say, \u201cGee, David seems like a super cool guy,\u201d Jacoby may have one-upped himself at this year\u2019s <a href=\"https:\/\/www.kaspersky.com\/blog\/tag\/sas-2017\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Security Analyst Summit<\/a> (The SAS). It all started with the following statement to kick off his day 2 session:<\/p>\n<p>\u201cWe have so much money in this industry \u2026 we have so much money, but we do so little. When was the last time you did something good?\u201d<\/p>\n<p>From there, he hopped into the story of a weekend project with Frans Ros\u00e9n (Detectify) where they would hunt bugs for charity. The initial goal that the duo set was $11,000. 
Although they fell short of their goal, they found out something more interesting.<\/p>\n<p>\u201cIt was actually quite cool, we\u2019d contact companies that would never ever participate in a bug bounty program \u2014 they\u2019d say they didn\u2019t have the budget,\u201d Jacoby said. \u201cBut I wound up talking to companies\u2019 marketing departments \u2014 which did have money and wanted to help charities.\u201d<\/p>\n<p>From those conversations arose the idea of pro bono penetration (pen) testing in a 24-hour window by Jacoby, Ros\u00e9n, and three other researchers. In lieu of payment, the researchers requested a donation to a charity of the company\u2019s choice.<\/p>\n<p>\u201cEveryone we called wanted to do this. It was amazing,\u201d Ros\u00e9n said.<\/p>\n<p>For Bahnof, a Swedish ISP, the idea really resonated. Jacoby noted that they now donate money to charity in exchange for pen tests on a monthly basis.<\/p>\n<p>\u201cIt\u2019s proof that people want this,\u201d Jacoby said.<\/p>\n<p>This talk on an altruistic bug bounty program stuck with our team as well, and we decided to reach out and talk some more with Jacoby on this.<\/p>\n<p><b>Kaspersky Daily:<\/b> Do you think a charitable component would have more white hats doing social good?<\/p>\n<p><b>David Jacoby:<\/b> To be honest, I don\u2019t think it will change people\u2019s mindsets about participating in, for example, bug bounties. I do think that it might open up other kinds of partnerships between vendors and charities or security companies, and this might in the long run involve more people.<\/p>\n<p>Also, doing social good should be a fundamental thing in our life. We only have one life, why not make it as good for everyone as we can?<\/p>\n<p><b>Kaspersky Daily:<\/b> In your talk, you noted: We even had one company that wanted to use the money and give it to children to attend security conferences. 
Do you think that having a program to encourage security in youth could encourage more white hats and better security in, say, the Internet of Things?<\/p>\n<p><b>David Jacoby:<\/b> My view of the IoT is very negative, because most IoT devices are created by companies who are not in the IT industry \u2014 they can be in the home appliance or entertainment industry \u2014 so I don\u2019t think it will make any difference.<\/p>\n<p>When I think about security conferences, I get this weird feeling \u2014 we are teaching people who are already in the IT industry fun things, and we charge a ridiculous amount for each ticket. If we really want to make a difference, we should invite, for example, students who will soon be our colleagues. Why should we teach the people who already know IT? It doesn\u2019t really make any sense.<\/p>\n<p><b>Kaspersky Daily:<\/b> Do you think adding a charity component to a bug bounty program for lesser bugs could increase people participating in the overall programs?<\/p>\n<p><b>David Jacoby:<\/b> I hope it would. I want to change the world \u2014 or at least try. My vision is to add charity programs to more or less anything. I\u2019ll give you an example: In Sweden you have recycling machines for empty soda cans, etc. Those machines have two buttons, one called Donate, and another one allows you to get cash.<\/p>\n<p>If I want to donate the money, I should. The same goes for anything. 
We should be creative and come up with more of these ideas!<\/p>\n<p>Speaking of bug bounty programs, Kaspersky Lab recently <a href=\"https:\/\/usa.kaspersky.com\/about\/press-releases\/2017_Kaspersky-Lab-Extends-Bug-Bounty-Program\" target=\"_blank\" rel=\"noopener noreferrer\">expanded the company\u2019s bug bounty program with Hacker One<\/a> to include more products, and increased some of the bounties.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kesb-trial\">\n","protected":false},"excerpt":{"rendered":"<p>David Jacoby of Kaspersky Lab hunts bugs to help humanity.<\/p>\n","protected":false},"author":636,"featured_media":14740,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2684],"tags":[2006,1290,1797,605,337,1980],"class_list":{"0":"post-14738","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-special-projects","9":"tag-bug-hunting","10":"tag-csr","11":"tag-david-jacoby","12":"tag-great","13":"tag-sas","14":"tag-sas-2017"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/hunting-bugs-for-humanity\/14738\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/hunting-bugs-for-humanity\/11069\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/hunting-bugs-for-humanity\/8674\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/hunting-bugs-for-humanity\/9124\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/hunting-bugs-for-humanity\/10456\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/hunting-bugs-for-humanity\/10220\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/hunting-bugs-for-humanity\/14661\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/hunting-bugs-for-humanity\/6955\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.
com.br\/blog\/hunting-bugs-for-humanity\/7303\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/hunting-bugs-for-humanity\/6656\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/hunting-bugs-for-humanity\/10114\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/hunting-bugs-for-humanity\/15432\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/hunting-bugs-for-humanity\/14738\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/hunting-bugs-for-humanity\/14738\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/sas\/","name":"SAS"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14738","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/636"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=14738"}],"version-history":[{"count":6,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14738\/revisions"}],"predecessor-version":[{"id":34995,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14738\/revisions\/34995"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/14740"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=14738"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=14738"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=14738"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}