Using market incentives to "co-opt" hackers

The upshot of the information age is that "software is eating the world". In the rush to ship digital code and services, companies competing to be first to market do not prioritise cyber security, even though security problems and software bugs are a known certainty. When even well-defended organisations suffer data breaches and security incidents, it is clear they need all the help they can get.

Surprisingly, software giants now encourage hackers to hack them. Companies such as Google, Microsoft and Facebook have been doing this since 2010, when Google launched the first of its programmes, in what are called "vulnerability reward programmes" or, more commonly, "bug bounty programmes". In an echo of the American wild west, companies offer independent security researchers the chance to win rewards and recognition for identifying critical security problems: software vulnerabilities that could put us all at risk.

While 2016 may have been "the year of the hack", including the October distributed denial-of-service attack on the DNS provider Dyn that knocked large parts of the US internet offline, 2017 could be "the year of the friendly hack". Bug bounty programmes are spreading into traditional industries, well outside Silicon Valley.

MasterCard, Johnson & Johnson and even the Pentagon are inviting hackers to work with them and test their systems for vulnerabilities. By rewarding hackers for their discoveries, these organisations can learn from the findings, fix weaknesses before they are breached, and even recruit top cyber security talent.

This explains why leading companies are willing to pay out millions of dollars in rewards. According to Bugcrowd, which manages many programmes for other companies, in the past few years Google, Facebook, Yahoo, Microsoft and Mozilla paid friendly hackers a total of more than $13m in bounties.

The idea of a bug bounty is not new: in 1995 Netscape offered rewards to users who found bugs in its trailblazing Navigator 2.0 web browser. Now, thousands of ethical hackers help hundreds of organisations find software bugs, using the power of many to make us all safer. Rewards range from T-shirts to 1m airline miles, up to the $200,000 single payment that Apple offers for certain classes of discovery.

Bug bounties are becoming more widely accepted because the benefits they provide can greatly outweigh the risks: never before has it been so easy for hackers to report findings legitimately to the companies affected and be rewarded without breaking the law, provided they stay within the programme's published scope and rules. Call it a hacker-specific take on the "gig economy", if you will. For the companies in question it is also a cost-effective way to find security bugs, as empirical economic research has shown.

Some of the best bug hunters end up being offered full-time corporate positions. These are hackers from all over the world whose location, lack of access to a college education or finances might never have afforded them the chance of an interview, with the result that companies would have missed out on their considerable talent.

The latest corporate benefit, one suggested by the Berkeley Technology Law Journal, is that bug bounty programmes can become a corporate governance “best practice” mechanism. Having such programmes in place can help directors exercise their “duty to monitor” digital assets.

Finally, you might ask: won’t criminals take advantage of these programmes? The truth is they seldom require an incentive to hack. They are already at it, making millions illegally. These programmes allow individuals who spot a problem to do the right thing and give companies a chance to sort it out, while getting legitimate payment and recognition. The process represents a practical way to harness the impact of thousands of security researchers who are helping to build a much-needed “immune system” for our connected age. That gives me hope.
