Coles bitten by the hacker bug
Ever wanted to hack the Coles website or other software applications? The giant Australian retailer is not only inviting would-be hackers to find security vulnerabilities in a number of its online assets, it will also pay them if they are successful.
Coles is one of a growing list of companies that are using bug bounty programs to augment their regular software security testing. Bug bounties are a form of penetration testing that calls on the skills of freelance computer security professionals to join organised bug hunts designed to uncover weaknesses in websites and online applications. Anyone who discovers a weakness is encouraged to discreetly inform the target organisation and is given a financial reward.
Coles is managing its bug bounty program through the Australian start-up Bugcrowd. According to Coles' group general manager for IT, Conrad Harvey, Bugcrowd caught his attention during an investor session organised by the Startmate incubator program. Within 48 hours Coles had signed up to the service, and its first bug bounty was launched the following Saturday.
Mr Harvey said Bugcrowd gave Coles access to security testing skills that it could otherwise not reach, particularly in newer fields such as Android apps. He said the service would also be used to help secure other customer-facing applications and would act as an additional layer of security alongside Coles' existing protocols and procedures.
Bugcrowd's growing list of customers includes Rabobank, BigCommerce and Google. It recruits security testers and manages the bug bounty program, ensuring everyone is treated fairly.
Company co-founder Casey Ellis is currently in the US raising Bugcrowd's first round of capital. He said the company had taken off much faster than anticipated after he and business partner Serg Belokamen launched it late last year.
He described Bugcrowd as bringing balance to the economic advantage possessed by "the bad guys".
"For companies like Coles or Google or Rabobank, every time they get their stuff tested they have to pay someone for their time, regardless of whether they find something or not," he said. "When you look at the bad guys, there's a lot more of them, there's a lot more diversity in the skill set, but the economics are that they don't get paid until they find something and exploit it."
Numerous companies are competing in the bug bounty market, including Melbourne-based Bugwolf. Founder Ash Conway said he expected to announce several large client wins soon.
Business security specialist Nick Ellsmore, who has worked as an adviser to Bugcrowd, estimated the Australian market for penetration testing was worth about $300 million a year.