
A Case for the Ethical Hacker


Jasper Lu

Lu 1
Introduction
The number of publicized hacking incidents has been steadily increasing in recent years.
Two such incidents that have made national headlines recently are the December 2014 cyberattack on Sony Pictures and the July 2015 Ashley Madison data breach. These hacking
incidents have caused a multitude of companies to redouble their efforts into strengthening their
cybersecurity. For this purpose, they have begun making use of a new breed of hackers, known
as ethical hackers, to help ensure the strength of their system by using programs such as bug
bounties. On the other end, some hackers have been taking the improvement of cybersecurity
into their own hands by disclosing these vulnerabilities to the public. Because of this increase in
activity of different forms of ethical hacking, it is important to take a step back and judge
whether or not the practices used by these so-called ethical hackers are truly morally
justifiable.
Ethical Hacking
For years now, hackers have bought and sold computer exploits in markets that exist in
the Dark Web, such as TheRealDeal Market (Wired). Known colloquially as zero-day exploits,
these intrusion techniques are ones for which no software patch exists. On the market, they can
sell for anywhere from $5,000 for simple exploits to half a million or more for iOS exclusive
ones (Salon). In response to the number of zero-day exploits being sold, companies have begun
offering bug bounties to provide a legal avenue through which these hackers can profit.
These programs are targeted at hackers who would put their hacking skills towards a better cause
than just selling exploits.

Just like their malicious counterparts, these so-called ethical hackers use their skills to
bypass a system's defenses. However, rather than take advantage of the vulnerabilities they find,
they document and provide advice on how to fix them. One avenue through which ethical
hackers often report these vulnerabilities to companies is through bug bounty programs. These
programs are crowdsourcing initiatives that reward individuals, often with a monetary award, for
finding a software bug and reporting it to the organization (WhatIs). In some cases, successful
bug bounty hunters end up being headhunted by these companies as well.
When companies do not have such bug bounty programs, hackers who aim to help a
company rather than hurt it turn to other avenues to report bugs. According to computer security
expert and co-founder of boutique cybersecurity firm Casaba Security Samuel Bucholtz, in
the past, hackers would encourage companies to fix their vulnerabilities through the practice of
full disclosure, in which hackers widely disseminate as much information about system
vulnerabilities and attack tools as possible so that potential victims are as knowledgeable as those
who attack them (TechTarget).
According to Bucholtz, there has been a long-standing debate about whether full
disclosure is the best method to fix things. "Responsible disclosure is the standard now:
disclose to the company, then if they refuse to fix it, you have a responsibility to disclose it to the
public."
Before putting software out on the market, companies rely on hiring white hat companies
such as Bucholtz's to ensure there are no egregious security vulnerabilities. However, as
mentioned earlier, some companies have begun implementing bug bounty programs to
continuously check for vulnerabilities after release by encouraging users to spend their own time
searching for bugs and reporting them to the company.

It is easy to see, when comparing the cost of managing this program to the cost of hiring
a white hat company such as Casaba Security, why so many large companies have begun
implementing such programs. Whereas hiring a white hat company can cost up to $500 an hour
for large companies, with bug bounty programs, a company can get much more value for its
money. "Let's say there are 100 people out on the internet," Bucholtz begins. "Each spends 10
hours working. Thousands of hours are spent working on the application. Even at a $10
minimum wage, the company gets at least $10,000 of labor ... [The] cost savings are huge." In
addition to the cost savings, a company also gets the added benefit of having many different
people with different perspectives looking at the software.
Another form of ethical hacking other than full and responsible disclosure is data leaking.
One high profile example of such a data leak occurred in July 2015, when a group of hackers
calling themselves The Impact Team stole user data from Ashley Madison, a commercial
website which enables extramarital affairs, and leaked it to the public (Krebs on Security). The
leak revealed shady tactics of Ashley Madison, as well as exposed the affairs of millions of men.
Another recent hack, against Sony Pictures, cost the company $15 million in total in
investigation and remediation costs (CNET). These hacks, along with several other such highly
publicized hacks, have caused companies to invest more money into strengthening their network
security. "More and more, companies are focusing much more on security in general. The trend
isn't going away any time soon," Bucholtz says.
The numbers back up Bucholtz's claim. In early 2014, 60% of US businesses increased
their cybersecurity budget, with 78% of these companies citing recent cyber-attacks as a
significant reason (Help Net Security). This trend has continued since then. Research from
Gartner, Inc., an information technology research firm, shows that the world-wide cybersecurity
market reached $75 billion in 2015, and is estimated to soar to $170 billion by 2020 (WSJ).
From these numbers, it is clear that, despite the initial damage data leaks do to targeted
companies, they have done much to improve the overall health of the cybersecurity ecosystem,
forcing companies to invest more in their security to stop the many cyber-attacks they are in
danger of facing every day.
Analysis
Given the rise of ethical hacking and its employment by many companies to reach their
aims in the past decade, it is pertinent to judge the morality of such activity. Three scenarios in
particular are of import: whether or not it is ethical for hackers to practice full disclosure, for
companies to employ the use of bug bounties to strengthen their cybersecurity, and for hackers to
leak data to the public, even if for arguably ethical purposes.
On the practice of full disclosure, Bucholtz says that such acts are generally "lacking of
ethics. However, he also concedes that there is a big difference between breaking into a
company and breaking into a piece of software that many people use. Whereas in one case, the
company is being harmed by a full disclosure, in the other case, users are actually being harmed
by the lack thereof.
It is easy to form an argument for the latter case through an act utilitarian analysis.
Assuming that the vulnerability found in the software could hurt the experience of its users in
some way, a full disclosure of the vulnerability would help increase the user happiness of some,
at the expense of the others who are damaged as a result of other hackers using the exploits
disclosed. However, as Bucholtz notes, "most of the time, people don't tell how to cause a
problem, but just tell people how to protect against them. [This] doesn't prevent people from
reverse engineering, but at least makes it more difficult." If the software has a large user base,
then disclosing in this manner will only impact a relatively small number of users in a negative
manner, while at the same time increasing the overall happiness of the rest. The expense to the
company pales in comparison to this net increase in happiness for a larger number of people, and
so, full disclosures in this manner are morally justified.
This judgement becomes greyer when analyzed through a social contract method instead.
Whereas the hacker has a social obligation to reduce the risk that other people using the software
face, the hacker also has an obligation to not disclose information without the permission of the
company. If the hacker's obligation to also not cause harm to others is taken into account, then it
is morally wrong for the hacker to practice full disclosure, as full disclosure will allow hackers to
exploit vulnerabilities before giving companies a chance to patch their software.
Responsible disclosure solves this problem of contradictions between obligations. In the
practice of responsible disclosure, ethical hackers first release information about vulnerabilities
and how to fix them to the company handling the software. If the company does not respond
within a reasonable amount of time, then the company has forfeited its end of the social contract
that prevents the hacker from disclosing information, since it did not act on its obligation to
protect its consumers. The contradiction between the hacker's separate social obligations is now
gone, and so it is morally correct to practice responsible disclosure.
Bug bounty programs employed by technology companies provide a much more direct
route through which hackers can practice responsible disclosure, with the added bonus of
rewarding those users who discover vulnerabilities or who otherwise would not report such
vulnerabilities at all. With the net increase in happiness to all parties involved here, as shown in
the analysis of the practice of responsible disclosure, it is clear that it is morally justifiable for
hackers to participate in such programs.
It is not so easy to justify the use of bug bounties on the company's end. Bug bounties are
the most cost-effective way for companies to protect against security vulnerabilities, so through a
social contract paradigm, they are encouraged because of the company's social obligation to its
shareholders. However, the reason for the cost-effectiveness of bug bounty programs is what also
makes their use morally wrong through a Kantian analysis. As Bucholtz says, a great majority of
the people who participate in such programs never see a reward, and thus the company is
basically getting free labor (Bucholtz). On account of this, the company is using the
programmers who participate as a means to an end, so using bug bounty programs instead of
hiring a white hat company is morally wrong.
Moving on to the matter of data leaks, Bucholtz says such practices are "definitely
unethical." However, because of the nature of leaks such as the Ashley Madison hack, where the
data exposed was of an unethical nature, it would be presumptuous to so readily judge the
practices in this way. Since every publicized hack has far reaching effects, most of which involve
money, the best method in which to analyze this scenario is through an act utilitarian paradigm.
According to the British insurance company Lloyd's, the damage from hacks costs companies
$400 billion each year in total (Inc). This damage is spread out not only over the company, but
also over the vast number of users these companies have. However, the damage could be worse
than this if these companies did not invest in their cybersecurity. As mentioned earlier, publicized
hacks tend to cause companies to react by spending money on strengthening their cybersecurity
so future hacks will not occur, resulting in less loss of money in the future. Still, the costs
incurred by the company by these hackers, namely the costs in strengthening security and in data
loss, are enough to render most hacks and data leaks morally unjustifiable. However, in the case
of a company such as Ashley Madison, in which the company was clearly conducting unethical
behavior, there is an overall net gain in happiness for most parties involved. In addition to
causing companies to invest more in cybersecurity, the leaks revealed tremendous fraud on
Ashley Madison's end and exposed the affairs of millions of people, increasing net happiness for
the people involved. Thus, data leaks involving a company's unethical behavior are morally
justifiable.
Conclusion
Ethical hacking is a phenomenon caused largely by the activity of malicious hackers. As a
result of the largely publicized hacking incidents in recent years, along with the knowledge of
exploit trading in Dark Web markets, companies have started to incentivize responsible
disclosure among would-be hackers through the use of bug bounty programs. Such activity is
morally justifiable on the users' end, but on the company's end, bug bounty programs are in a
morally grey area because they cause the company to treat its users as a means to an end.
Vigilante hacking involving data leaking is another form of ethical hacking that lies in a morally
grey area. These cases are best evaluated on a case by case basis rather than as a general rule, but
in scenarios where the company being hacked is clearly unethical in its practices, they generally
lean towards the morally justifiable side of things, especially when the effects of such activity on
the cybersecurity system are taken into account as well. Recently publicized cyberattacks have
caused companies of all kinds to invest more into cybersecurity in general, and it looks like this
trend is here to stay. As companies invest more into cybersecurity, the ecosystem will also remain
reliant on ethical hackers to discover overlooked vulnerabilities in software and to, in a way,
keep the companies in check.
Works Cited
"New Dark-Web Market Is Selling Zero-Day Exploits to Hackers." Wired.com. Conde Nast
Digital, 24 July 2015. Web. 25 Apr. 2016.
"Flash Vulnerabilities Causing Problems." Flash Vulnerabilities Causing Problems. ESET. Web.
25 Apr. 2016.
"What Is Bug Bounty Program? - Definition from WhatIs.com." WhatIs.com. Web. 25 Apr. 2016.
Zetter, Kim. "These Notorious Hackers Used Zero-Day Exploits to Install Spyware. Here's How
It Bought Them." Slate Magazine. 24 July 2015. Web. 25 Apr. 2016.
"What Is Ethical Hacker? - Definition from WhatIs.com." SearchSecurity. Web. 25 Apr. 2016.
Heiser, Jay. "Exposing Infosecurity Hype." Information Security. TechTarget Search Security,
Jan. 2001. Web. 25 Apr. 2016.
"Krebs on Security." Krebs on Security RSS. Krebs on Security, 15 July 2015. Web. 25 Apr.
2016.
Musil, Steven. "Sony Pictures Hack Has Cost the Company Only $15 Million so Far." CNET.
CNET, 4 Feb. 2015. Web. 25 Apr. 2016.
"Target Hack Spurred US Businesses to Spend More on Cyber Security - Help Net
Security." Help Net Security. Help Net Security, 24 Feb. 2014. Web. 25 Apr. 2016.
Billings, Mike. "The Daily Startup: Increased Spending in Cybersecurity Drives Funding
Surge." WSJ. Wall Street Journal, 17 Feb. 2016. Web. 25 Apr. 2016.
Yakowicz, Will. "Companies Lose $400 Billion to Hackers Each Year." Inc. Inc, 8 Sept. 2015.
Web. 25 Apr. 2016.

Appendix: Interview with Samuel Bucholtz
Tell me more about what you do.
I am a computer security consultant. My company has three partners who run a company that
does computer security consulting. We do a wide range of things: penetration testing,
vulnerability testing, compliance and regulatory work, architecture assessment, infrastructure
assessment. Social engineering tests, malware assessment, reverse engineering, binary analysis.
Anything computer security related, we've probably done it at one point.

What is your opinion of bug bounty programs?

We've supported companies supporting them. They're a good thing but pros and cons. A lot of
that comes down to how the program is run and what perspective you're looking at things from.
Perspective of Facebook: Advantage - lots of coverage for not a lot of money. 100s of thousands
of people looking at stuff. Value of not good bugs. Not having to pay for wasted labor.
Pro for people doing review - if you're good, you can make a living out of it. Ones who really
know their stuff can make a decent living. Economic incentive for "lesser people" not so much
there. Not a lot of value for them. A lot of people do it as a side thing. Students who want to
practice would do it, but they can spend time doing more valuable, productive things.

Downside for Facebook - have to have someone receiving emails, triaging, and validating the
bugs are accurate. Handling communications, handling reporting, and payment of people. Even
though might be paying not as much for bugs as hiring a big company, you might have 5 or 10
full time people having to support that project.

Do you think it costs more in the long run?
A little bit of both. For example we do lots of work with companies that do bug bounties. They
still hire us before the project goes out to sanity check it to make sure there's nothing egregious.
Then, bug bounty in the long term when it's out in the wild to make sure everything still works.
Get response pretty quick if a change causes issues.
I don't see companies going only bug bounty. Unless you're a large company, you are not going
to be able to pay enough to attract people to your bug bounty. No one's going to bother testing
your stuff. You have a bug bounty but not a lot of value. Need to keep full time employees busy.
If not enough people, then it's not worth it because it's expensive. Value in bug bounty program
starts to decrease.

Would you say companies are sort of taking advantage of people?

People spend a lot of time working without really being rewarded. Could be students or people
who are bored. Are they taking advantage? Sure. They are getting free labor and free work.
However, they are volunteering. The rules of the game are known. Everyone knows the rules of
the game, so not really like being used. However, companies are certainly getting a lot of free
work.

How much would you say companies are saving, if you're only talking about payouts?
Bug bounty - let's say 100 people out on the internet. Each spends 10 hours working. Thousands
of hours are spent testing the application. Even at a $10 minimum wage, the company gets at
least 10,000 dollars of labor. If you find bugs and spend 10,000 on bugs, you're getting a lot of
value. Cost savings are huge. However, most of those people are not really bringing anything to
the table. Question is how many of those people really know what they're doing?

How much would it cost for a white hat company to find these bugs directly?
Us and our competitors, the rates are pretty wide range, but somewhere between $100 and $500 /
hour. Lots of small companies that charge a lot less.

How quickly would you say most bugs are found?

Sometimes, find it pretty quick. Maybe take a few hours after to do the reproduction, show how
much damage could be done. Often, could take a long time. Some can be detected using tools.
Can vary between within the first hour to spending days.

What do you generally do when hammering away for bugs?

I take every input and try every different combination of inputs to see if I can get anything that
isn't supposed to happen to happen.

What do you think of hackers who publish vulnerabilities?

In general, hacking into companies who don't ask you to is unethical. If you happen to come
across a vulnerability, not intentionally looking for something, the ethical thing is to notify the
company and try to fix it. If they refuse to fix it, at some point the ethical thing is to disclose it to
the public. Long debate about whether full disclosure is the best method to fix things.
Responsible disclosure is the standard now: disclose to the company, then if they refuse to fix it,
you have a responsibility to disclose it to the public.
What is full disclosure?
Full disclosure is revealing to the public. There is actually a mailing list called full disclosure
which has a bunch of disclosures of vulnerabilities.

Do you think full disclosures are ethical?

In general, they are lacking of ethics. Big difference between breaking into a company vs
breaking into a piece of software that you and other people use. Not as bad if breaking into a
software you bought. Most of the time, people don't tell how to cause a problem, but just tell
people how to protect against. Doesn't prevent people from reverse engineering but at least
makes it more difficult.

Opinion on Ashley Madison?

Legality - definitely illegal. Ethics? Definitely unethical. Even though known as a cheaters site,
releasing customer's information is definitely unethical. Ashley Madison was doing a very poor
job of doing security. This stuff also revealed shady tactics of Ashley Madison's.

Do you feel like companies are focusing more on security as a result of recent news?
Yes, more and more, companies are focusing much more on security in general. The trend isn't
going away any time soon. Whether this is because of recent hacks or because that's the way it's
moving towards, it's been a long term trend and I don't see any way it's going to decline. I see an
ebb and flow cycle in companies. They'll see a hack in the news and spend money on security.
Then they'll get lax, get hacked, and then start spending again. Problem is security doesn't
generate revenue. Unless you're a company that is constantly facing hacks, you kind of forget
why you need to invest in security. Unless you constantly spend in it, security is constantly
getting weaker over time. Companies more focused on making money than costs. While they are
sometimes focused on it, they are constantly taking their eyes off the ball.