When Ali Tutuncu found a vulnerability in Capital One Financial Corp.’s software in March, the company fixed the flaw in 20 days. An independent security researcher, Tutuncu said the bank thanked him and added him to its page of fame.
“They did not pay financially,” he said. “Still, it was a nice experience.”
Capital One is among a relatively small group of major companies that are encouraging the typically anti-establishment hacker community -- and security researchers too -- to find potential vulnerabilities in their computer networks before malicious hackers do. Some of the programs offer cash rewards, called bug bounties, of as much as $200,000.
The bank is crediting its Responsible Disclosure Program with helping it track down a Seattle woman who had allegedly infiltrated its computer network. Paige Thompson, 33, allegedly accessed a massive amount of data on more than 100 million people, including names, addresses, dates of birth and about 140,000 Social Security numbers.
That’s a black eye for a company that’s touted its tech savviness, and the hack has sent Capital One shares tumbling 11% in the last week. But it appears the damage could have been worse: Capital One said it was unlikely the information was used for fraud or disseminated to others.
Thompson was charged on July 29 with computer abuse and fraud. Her arrest marks a major success for cyber tip lines, and one that is likely to encourage other companies to start their own. Paul Benda, senior vice president of risk and cybersecurity policy at the American Bankers Association, said he couldn’t recall a tip that was wrapped up so quickly.
“From the time they submitted to the time it was submitted, to the time it was shut down to the time there was an arrest, there’s no example I think that comes close to that,” he said.
Alex Rice, co-founder and chief technology officer of HackerOne Inc., which manages “hacker-powered security” platforms for Capital One and other companies, said, “Usually vulnerability disclosure programs are not uncovering criminal activity. But it is phenomenal that it works out that way.”
Jennifer Bayuk, a former risk cybersecurity executive at several major banks including JP Morgan Chase & Co., said if banks don’t already have vulnerability disclosure programs, they are likely looking at them now. “They’re probably looking at the Capital One news and meeting with legal as we speak.”
There appears to be plenty of room for growth. A 2018 HackerOne report concluded that 93% of the world’s largest public companies don’t have a policy to handle “critical bug reports” submitted by outsiders.