If you haven’t heard of bug poachers, it is time to familiarize yourself with them.
“Bug poacher” is the term for a cybercriminal who searches for and exploits weaknesses in a company’s security but, instead of stealing data, extorts the victim: bug poachers make companies pay to learn how they got into the system.
Bug poacher or security researcher
In our industry, the line between ethical hacking and crime can be blurry. In fact, many bug poachers think they are doing companies – and the industry – a favor. They argue that they are protecting companies from the real crime of a data breach. Bug poachers believe they are forcing companies to invest in something they already should be – security researchers.
And they may not be wrong.
Like we said, the ethical line is blurry, but from one point of view they are the vigilantes of our industry. They are protecting companies from their own lack of security. But then some may ask, why do they mask themselves and charge money instead of just becoming a security researcher? Because it can be safer to hide than openly do the job of a security researcher. The case of security researcher Justin Shafer is the perfect example. He reported a security vulnerability he found to a dental office and was hit with criminal charges for “exceeding authorized access.”
Spotting your own security vulnerabilities
Here is a grim security vulnerability statistic: according to the Global Information Security Workforce Study published by (ISC)2, 30% of companies never scan for vulnerabilities in their software. It is no wonder there is so much for bug poachers to find!
So what is the solution to bug poachers? Employ your own security researchers and appreciate them, rather than punishing them for doing their job.
A good security researcher considers their job a 24/7 role. Vulnerabilities don’t work on a 9-to-5 schedule. A good researcher is not just scanning your network for vulnerabilities, but following their instincts and hitting your systems hard, just like a hacker would. Finally, a good security researcher is well connected. They know where to get news of new software weaknesses as soon as they are discovered, so they can patch your company’s software before the weakness even hits the mainstream news.
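The last point above, acting on vulnerability news before it goes mainstream, is only useful if you know what software you are running and can match new advisories against it quickly. The script below is an added illustration of that matching step, not code from this post or from any real scanner: it compares a constructed software inventory against a constructed list of advisories (placeholder IDs, made-up product names, an assumed "affected from / fixed in" range format) and reports what needs patching and to which version.

```python
"""Match a software inventory against vulnerability advisories.

Added example. The inventory, the advisories, the product names and the
advisory IDs are all constructed for illustration; the advisory layout
(product, first affected version, first fixed version) is an assumption,
not the schema of any real feed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically,
    not as strings (where '10' would sort before '9')."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Installed:
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed placeholder, not a real CVE number
    product: str
    affected_min: str  # inclusive: first version known to be vulnerable
    fixed_in: str      # exclusive: first version that carries the fix


# Constructed inventory: what is deployed and where.
INVENTORY: List[Installed] = [
    Installed("web-01", "acme-webserver", "2.4.10"),
    Installed("db-01", "acme-db", "1.2.0"),
    Installed("mail-01", "acme-mailer", "3.0.5"),
]

# Constructed advisories, as they might arrive from a feed you watch.
ADVISORIES: List[Advisory] = [
    Advisory("ADV-0001", "acme-webserver", "2.4.0", "2.4.12"),
    Advisory("ADV-0002", "acme-db", "1.0.0", "1.2.0"),
    Advisory("ADV-0003", "acme-mailer", "3.1.0", "3.1.4"),
]


def is_affected(item: Installed, adv: Advisory) -> bool:
    """True when the installed version falls inside the advisory's range."""
    if item.product != adv.product:
        return False
    installed = parse_version(item.version)
    return parse_version(adv.affected_min) <= installed < parse_version(adv.fixed_in)


def find_exposures(inventory: List[Installed],
                   advisories: List[Advisory]) -> List[Dict[str, str]]:
    """Return one record per (installed item, advisory) pair that matches,
    including the version to upgrade to so the report is actionable."""
    exposures = []
    for item in inventory:
        for adv in advisories:
            if is_affected(item, adv):
                exposures.append({
                    "host": item.host,
                    "product": item.product,
                    "installed": item.version,
                    "advisory_id": adv.advisory_id,
                    "upgrade_to": adv.fixed_in,
                })
    return exposures


if __name__ == "__main__":
    for e in find_exposures(INVENTORY, ADVISORIES):
        print(f"{e['host']}: {e['product']} {e['installed']} is affected by "
              f"{e['advisory_id']}; upgrade to {e['upgrade_to']}")
```

Run as written, the report flags only the web server: the database is already on the first fixed version (the range is exclusive at the top), and the mailer runs a version older than the affected range. Swapping the constructed lists for a real asset inventory and an advisory feed is the part a researcher has to maintain; the comparison logic stays the same.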
The bottom line is that one way or another, vulnerabilities will be found; it is just a matter of whether or not you want control over who finds them.