The Results of Ethical Hacker Community Collaboration
Part 1 | Part 2
Sri Shivananda: Ray, you mentioned community diversity in part one of our conversations. How diverse is the hacker community? Is there a particular place – or places – in the world these hackers come from?
Ray Duran: The hacker community is indeed very diverse both in location and personas – HackerOne reported that hackers from 146 countries submitted reports in 2019. Basically, every country that has an internet connection likely has someone that is participating in these programs. We have some researchers that seek bug bounties as their full-time security job, and we have people that do it as a hobby. We have people that have never submitted a bug before and who are not even security-focused in their personal or professional lives. We've had PayPal customers who have seen something a little off, weren't sure how to report it, and went through our bug bounty program. On a personal note, that type of interaction is awesome because if he or she finds a true problem, maybe that becomes the inspiration for them to pursue a career as a security engineer. But even if it doesn't, it still brings a potential risk to our attention that we can address. Even if it's not even necessarily in the scope of what we would normally consider, it enables a customer to come and tell us about an issue, and then we can get it into the right hands and get it fixed. Hackers can be anyone – from system admins to people that have barely touched a computer.
Sri: Essentially there's no specific background required to be a hacker. They may be someone that got introduced into the program because they're passionate about breaking things in an ethical manner. For some, it may truly be about making a living and I imagine that in some parts of the world the bounty they receive is probably significantly larger than what they make as an income. For others it might be a side job; for some, it can be the job that gives them a vacation.
Ray: Exactly. I’ve had some proud moments in seeing lives changed in a meaningful, positive way. It’s always great to hear stories from ethical hackers that have been able to pay for something that they wouldn’t have been able to or improve their financial situation. We have examples of hackers who have been able to buy their parents a house, get out of debt, and even pay for their wedding with the bounty, and so on. There’s a real personal touch to this work, and we are insanely grateful for those who are a part of our hacker community. The risk that we've been able to mitigate, and customers we have to help protect as a result of their hard work and persistence, ultimately, is a great reward for us.
Sri: As a company, we benefit as well because there is a cybersecurity workforce gap in the world. There is a lot of competition to hire in this area and this community of hackers helps us fill this gap. I imagine that instead of reactively dealing with issues, this can also help us catch things proactively and avoid issues. In the world of quality, we call it “shifting left”. Are there other benefits to having a bug bounty program?
Ray: We get a lot of value internally from these submissions because they allow us to trace back all the way through our lifecycle processes to find the root cause. A particular hacker may have identified one component of an issue, but if we trace it back far enough – and our teams are highly skilled in this – we can do a root cause analysis. This allows us to look at the bigger picture and determine if this is a framework-level solve, or if it is something that is potentially a systemic issue. This allows us to step back before we roll out additional implementations of a feature to make sure it's secured.
Sometimes an impacted feature may be related to a vendor product we are using. We can review the submission and also encourage the researcher to bring it to that vendor. Even if the vendor doesn’t have a bug bounty program, they’ll likely be very appreciative of the researcher bringing it to their attention.
Sri: Tell me a little about the process for researchers to publish their findings and PayPal’s approach to disclosures. How does it work?
Ray: There is a process to publish responsibly to disclose the issue raised in a bug bounty submission. Here’s how it works: when creating a bug bounty submission, you’ll see a drop-down menu that says, “I would like to disclose this issue”, which queues up the submission for us to review. In the review process, there are many factors we have to take into account. The first, and perhaps most crucial, factor is whether it is responsible to disclose the issue, or whether disclosing said issue will create an even bigger security risk not just for PayPal but potentially for other vendors. If that is the case, we will not allow disclosure or might ask a hacker to wait to disclose until we implement a fix. If the issue involves a vendor product, it does not make sense for us to allow a hacker to disclose the bug that could then be exploited by malicious actors. Another factor we consider is the level of sensitivity of the data they want to release. The decision whether or not to allow disclosure does not have to do with the severity of the bug, but rather whether disclosing it will cause greater harm or risk to others, our customers, or our partners.
We understand, however, that there are times when our validation process may cause impatience, and it may appear we aren’t taking a submission seriously, leading to frustration. We always acknowledge the submission, but we need to review and go through our internal processes to fully vet the bug in question. It can be hard sometimes for hackers to understand how much work has to be done before we can click the “yes” button and allow them to disclose. And sometimes, the matter isn’t in PayPal’s control. If you use the example I provided about the bug being in a vendor feature, that vendor might want to see the patch rolled out first before we could allow for disclosure. If our researchers want a status update, they can ask for one via the ticket. They can also ask the HackerOne team for updates.
We do our best to make sure disclosure is possible and are even willing to help make it happen. In the last year, we’ve had hackers like James Kettle, Director of Research at PortSwigger, give talks at security industry conferences like Black Hat and DEF CON about the bugs they have submitted to us.
Sri: Shifting gears, I think it is important for companies and ethical hackers to think about the relationship as long term and building mutual trust and credibility. The companies need to be there for hackers and vice-versa. That’s how the community thrives. In fact, I think I heard that we have a “Hall of Fame” for hackers?
Ray: Yes, it’s on the platform and is a real-time leaderboard tracking the stats of our leading ethical hackers. A hacker can go to the activity page and see the people who have earned the most bounty, who have earned the most points based around the severity of their findings, and who have earned “thanks” for valid submissions. Beyond that, we often try and call out specific hackers when we do media outreach or if we publish a blog.
Sri: Do we have anyone who works at PayPal who participates in bug bounty programs to help other companies?
Ray: Yes, for example, Riaz Mohamed, who works in one of our penetration testing teams, is a fantastic security engineer. He’s even done some work for the Singapore government via a bug bounty program. A lot of the researchers on the platform are security engineers at companies, and the expertise they share in their spare time helps other companies and governments make the world more secure for all of us.
VP, Technical Product Management/Application & Data Security | Public Cloud | Enterprise Software | Compliance | Security Governance | 15+ years’ experience | Ex-PayPal
4 years · #bugbounty #security for the win! Great interview Sri & Ray!