Perhaps the strangest thing about Philippe Harewood is how not strange he appears at first glance. You might expect the No. 2 hacker in the world (as ranked by Facebook) to be docile and oafish; in fact, Harewood is funny, attractive, and, well, completely normal, his easy laugh shimmering all the way from his webcam in Trinidad and Tobago to my laptop in London.
“My first computer was Windows 3.1,” he says. “I wasn’t really interested in programming back then, but I was interested in computers. My brother and I used to play games — to try to get each other banned from Facebook. Like he’d post thousands of wall posts on my wall so my email would fill up with spam notifications. It was just giggles.”
Harewood is known as one of the good guys in the hacking game. Hackers, much like warring nations or Disney characters, have arranged themselves into two broad categories: those who help protect data, and those who breach security to access it illegally. In more technical tongues, these two variations of hacker are described as whitehat and blackhat. The twin terms stem from old Western movies, where the heroes wore white cowboy hats, and the villains donned black ones.
Whitehat hackers like Harewood search for and report bugs to websites like Facebook or Google in exchange for cash. The sport of catching programming glitches, known as bug bounty hunting (there’s that Western movie theme again), draws hackers from around the world. Catching a bug can be rewarding business, in dollars — Facebook pays at least $500 for each valid bug — and as a status symbol within the hacking fraternity. Facebook, Twitter, and Google publish lists of the best bug hunters every year, and every year, according to Facebook, the reports filed by the hunters grow more sophisticated.
These hackers protect the data of ordinary people from vulnerabilities on platforms like Facebook or Twitter, which spend millions of dollars trying to protect the user data they collect. Whitehat hackers are in part driven by the same thrill of hunting that their blackhat peers get from exposing the holes in systems created by monolithic technology behemoths. But whitehats find bugs to protect vulnerable data; they don’t exploit the data. One of the biggest bugs reported to Facebook last year, for instance, allowed hackers to change a user’s password, thereby granting access to a Facebooker’s personal messages, credit or debit card details, and personal photographs. It was a costly fix for Facebook: The social media giant paid $15,000 to the bug hunter who reported it.
For many years, the word hacking has become closely linked with criminality and anti-social behavior. Google “hacker” and you’ll see many versions of the stereotype: a white male in a hoodie bent over a laptop sitting in a dark basement, his face lit up by the fluorescent light from the computer screen. This image, in some form or another, has stuck.
But in reality, bug hunters like Philippe Harewood are popping up everywhere. According to Facebook’s latest report (Facebook provides the most detailed analysis of bug hunting compared to other bounty programs), the largest number of bug reports in 2015 came from India, Egypt, and Trinidad and Tobago, in that order.
Bug hunting is to these individuals more about protecting data than it is earning a paycheck. It’s a matter of principle.
Part of the explanation for what draws hackers to bug hunting may be economic. It can provide a decent income in places where tech jobs are hard to come by. Still, many whitehat hackers are intelligent and entrepreneurial enough to find stable, full-time work. Some of them pursue bug hunting as a hobby. Bug hunting is to these individuals more about protecting data than it is earning a paycheck. It’s a matter of principle.
Whitehats are not without their own social codes. Deference is given to those at the top of bounty lists, whereas enormous contempt is reserved for those who are thought to plagiarize ideas or exaggerate their skills.
Some whitehats have a Skype group where they can come together and share ideas, Harewood says (though he doesn’t really participate). In a social order where finding bugs is a sort of currency, sharing ideas has its downsides. “I used to publish my ideas on a blog,” Harewood says, “but I realized that people would just copy my ideas and claim them as their own, so I stopped doing it.”
Bug hunters have clustered to sites like Facebook and Twitter, both of which have official bounty programs, because they’re known to be fair when it comes to handing out rewards. “They pay very fairly,” Harewood says, citing a time when the company rewarded him with a bonus of $500 after finding additional problems in their backend because of a bug Harewood reported. “I didn’t even know those issues were there, I didn’t even report them. But they still paid me the bonus, so that’s cool.”
Harewood dismisses the idea that he could make more money from hacking illegally. “It’s not worth the effort,” he says. Companies have given hackers enough financial incentive to work to protect data rather than exploit it.
Since bounty programs first started to harness the talents of amateur hackers around the world, bug hunting has gone mainstream. Many hobbyists have turned it into their full-time jobs and top bug hunters are getting recruited in Silicon Valley. Harewood counts among the hobbyists turned pros; he now earns about the same as a Facebook staffer.
As more of the whitehat fraternity gets pulled in to staff security teams, bug hunting is getting tougher. Take Google’s Project Zero, a team of former hacking elites who now work full-time for Google, looking for fundamental coding flaws not just in Google’s own products, but in various companies, backed by the logic that a safe, well-protected Internet will draw more people online. “The finesse is really a whole other level compared to the average bounty hunter out there,” Harewood says. “Finding the bugs Google Project Zero does requires a very deep understanding of how code works.”
Google is starting to carve a path that other big tech firms may follow. With that large corporate backing, easily found bugs, or minor bugs for which security teams have already implemented checks, will soon vanish. That means hunters must say goodbye to the “low hanging fruit” of their trade, as Harewood explains. That could ultimately prove beneficial to Harewood. Without the smaller bugs to catch, the amateurs won’t be able to keep up.