In the past 18 months, video game developer Epic Games has paid more than $3 million to hundreds of hackers online.
Epic, which is headquartered in Cary, North Carolina, and best known for creating the popular game Fortnite, offers tech-savvy individuals money to expose vulnerabilities within its operating systems. The company opened this incentive, called a bug bounty, to invited hackers in 2017. It expanded the program to the public in October 2021 and has since awarded a total of $3.16 million to more than 550 people.
According to the platform HackerOne, which hosts Epic’s bug bounty program, hackers have uncovered 1,240 valid issues at the company. These discoveries fetched $500 on average, though some earned hackers as much as $50,000.
“By working with this community of talented researchers, we are able to strengthen the security of our products and services,” Epic Games spokesperson Emily Bass wrote in an email. “This program includes work across the Epic ecosystem, including Fortnite.”
Cybersecurity experts say more businesses have begun embracing bug bounty programs to broaden their virtual security at a lower price. Like Epic, Raleigh’s fast-growing software firm Pendo launched its own bounty program two years ago, and well-known national companies like Starbucks, Uber, Yahoo, Slack, Paypal and Spotify all crowdsource their cybersecurity to a degree, dangling money to hackers who often work anonymously. Even the U.S. Department of Defense expanded its bounty program, the first in the history of the federal government, in 2021 after reporting initial success.
Hackers who chase these bounties aren’t the nefarious agents behind data breaches or malware attacks. Bug bounty programs instead attract thousands of so-called “white hat” hackers, ethical operators who infiltrate systems with the goal of alerting, not disrupting.
“It’s very difficult to describe what I actually do,” said Deral Heiland, a white hat hacker who works as a principal security researcher at the cybersecurity firm Rapid7. “I break into things and get paid to do it.”
Some companies will prepay hackers to attempt system breaches, which is known as a pentesting (short for penetration testing.) But bug bounties are more of an open call.
“Any time we design and release new software, we use tools to test and address security vulnerabilities at each step of the process,” Chuck Kesler, chief information security officer at Pendo, said in an email through a company spokesperson. “But it’s also really helpful to engage with the security research community once that code is live — our bounty program has hundreds of researchers continuously looking at websites all over the world and identifying issues.”
‘It was controversial when it first came out’
Netscape is credited with creating the first bug bounty program in 1995, but only within the past five years or so have the incentives become common. As businesses move more services online, and bad actors grow more sophisticated, executives have seen the value of having more eyes on their software.
“It was controversial when it first came out,” said Ray Zeisz, senior director of the North Carolina State University Friday Institute for Educational Innovation. “There were people in the industry thinking, ‘Oh, my God, you’re crazy. You’re writing checks to the bad guys.’ But it’s not necessarily what’s happening.”
Zeisz said a few of his closest friends now make livings from white hat hacking. Some ethical hackers were once criminal hackers, including Kevin Mitnick, a prolific corporate network breacher whom the FBI arrested in a Raleigh apartment in 1995.
For companies, bug bounties can prove more economical than hiring additional full-time cybersecurity staff. Zeisz pointed out that the millions Epic Games has paid through HackerOne is only a sliver of its multibillion-dollar annual revenue. And other major brands — including IBM and Fidelity — entice white hats with non-monetary credits that hackers seek out to bolster their cybersecurity resumes — or simply for pride.
Without permission, hacking is a crime, so companies will typically spell out specific rules for how ethical hackers can proceed legally.
Epic, for example, does not permit hacking by anyone employed at the company, recently employed at the company, or who lived in the same household as a current or recent employee. It also doesn’t allow hackers living in countries that the U.S. has issued trade sanctions against, like Cuba, North Korea and Iran.
Formed in 2012, HackerOne is one of the most popular sites for ethical hacking. On the platform, Epic lists four award tiers — low, medium, high and critical — and examples of which discoveries might warrant each bounty amount. Bypassing the company’s payment process is deemed a critical catch that could earn up to $10,000. Crashing a server in Fortnite that the hacker is not a member of also ranks as a critical achievement.
One common infiltration technique is called an injection attack, Heiland explained as “sending data into a site that wasn’t intended to be sent there.” He said he once used an injection attack to gain administrator privileges of a company’s wireless management system. Companies often require ethical hackers to report vulnerabilities they uncover within a short time frame, allowing the business to fix — or patch — the issues before criminals exploit them.
On HackerOne, Epic Games’ top bounty hacker works under the name “Adam” and lists their location as Paris, France. Adam predominately focuses on exposing vulnerabilities at Epic. The company last awarded Adam a bounty on April 6, the 93rd payment Epic has made to the hacker.