The tip that led to Thompson’s arrest came in on July 17, when an unnamed “external security researcher” emailed Capital One’s disclosure program saying that leaked data was being stored on a publicly accessible file at GitHub, which allows users to manage and store software projects.

Capital One provided few details when asked about its cyber tip line. A public page about the bank’s program at HackerOne shows that it has received at least 30 reports of security flaws since it started in January. HackerOne declined to say how many of those reports were validated security flaws.

“White Hat” hacker programs have been around for years, but they have become more formalized as the volume and severity of threats have increased. Some companies manage their own vulnerability disclosure efforts. Companies like HackerOne and BugCrowd offer services to analyze incoming tips and, if warranted, pass them on to their clients’ security teams.

“You have to filter it out pretty carefully before you realize what’s real and what’s not,” said Dave Aitel, chief technical officer at Cyxtera Technologies, which provides security for computer networks and cybersecurity services.

Crowdsourcing Security

Vulnerability disclosure programs allow companies to crowdsource security, tapping researchers with diverse skills to stress test computer infrastructure. Ethical hackers and security researchers with specialized skills may discover a flaw that a company’s internal security team missed, or a flaw that may not have been included within the scope of a bank’s security risk assessment, Bayuk said.

The programs range from invitation-only disclosure programs, which are often used by companies in regulated spaces like financial services and health care, to tip lines that are open to all comers. They are seen as an alternative to traditional “penetration testing,” where companies hire outside firms to test the security of their networks.

Some companies, like Capital One, provide policies agreeing not to prosecute security researchers for finding bugs in their systems as long as they abide by specific protocols.

Still, inviting hackers to rummage through a computer network isn’t without some risks, since they could come across customer identities or even potentially damage the system, Bayuk said. If a hacker or security researcher were to come across personally identifiable information on Capital One’s services, the company advises them to immediately purge the data and contact the company, according to the program guidelines.

Some financial institutions stop short of offering financial rewards due to a fear it could encourage criminal behavior, Bayuk said.