Bounty platforms use 'white hat' hackers to prevent China's cyber attacks

A "white hat" hacker explains cyber security technology at the China White Hat Conference in Shenzhen, Guangdong province, on March 30, 2017. [Photo provided to chinadaily.com.cn]

More than 800 Chinese "white hat" hackers gathered in Shenzhen, South China's Guangdong province, on Thursday, to attend the China White Hat Conference held by 360 Business Security Group's Butian Vulnerability Response Platform (Butian).

Unlike movie-fueled myths, most of them looked like ordinary young people in their early 20s rather than cynical, mysterious computer "nerds".

Not yet acquiring much attention from the public, "white hat" hackers are a group of computer wizes who use hacking skills to identify the security loopholes in corporation or government computer systems to help them prevent cyber attacks.

Qi Xiangdong, chairman of 360 Business Security Group, speaks to media in Shenzhen, Guangdong province, on March 30, 2017. [Photo provided to chinadaily.com.cn]

Qi Xiangdong, chairman of 360 Business Security Group, one of China's leading online security service providers, said at the conference that a total of 31,633 "white hats" have registered on Butian since 2013, discovering more than 200,000 vulnerabilities.

Butian, established in March 2013, is China's first bounty vulnerability response platform.

Aiming to act as a bridge connecting corporations with "white hats", it has developed a unique Security Response Center model, which refers to using cash awards offered by corporations to encourage "white hats" to identify loopholes for them.

The 2016 China Internet Security Report released by the 360 Cyber Security Center said that Butian found more than 37,000 loopholes last year on over 30,000 websites.

According to the report, 93.9 percent of the loopholes were process cases that could have been effectively used or invaded.

"In terms of technical skills, there is no essential difference between 'white hats' and malicious hackers, which means without a good communication channel between corporations and 'white hats', corporations may find it tricky to tell whether the attacks suffered by their computer systems are of ethical will or malicious intentions," Qi told China Daily's website.

Qi said for corporations, the platform is able to guarantee the reputation of certified "white hats", while "white hats" are offered a consistent platform to make money.

"More than 4,000 corporations have registered on the platform, issuing cash awards of nine million yuan ($1.3 million) to 'white hats' in total," he added.

A 24-year-old "white hat" nicked named "U Shen" said he has earned 110,000 yuan for discovering loopholes since he joined the platform in 2013.

Ling Yun, information security director of China's biggest online travel agency Ctrip.com, said to cover the shortage of full-time cyber security personnel, the company also hired third-party platforms such as Butian to discover its vulnerabilities.

"We set the usual price of a loophole at 3,000 yuan. Sometimes it can reach 8,000 yuan. Last year, we approximately spent one million yuan on rewarding 'white hats' from all platforms," Ling said.

Cyber attacks along with data fraud or theft are ranked as one of the top 10 risks people are likely to face in 2017, according to the Global Risks Report 2017 released by the World Economic Forum.

HackerOne COO Wang Ning (left) and Bai Jian, director of Butian Vulnerability Response Platform, speak to media in Shenzhen, Guangdong province, on March 30, 2017. [Photo provided to chinadaily.com.cn]

In the US, HackerOne is the largest vulnerability coordination and bug bounty platform. The startup, established in 2012, is also one of the world's first cyber security firms to utilize crowd-sourced security and hackers.

HackerOne COO Wang Ning told China Daily's website that the platform's network now consists of around 110,000 "white hats" from more than 140 countries, of which around 1,000 are from China.

She said the company is serving more than 800 clients and around 180,000 loopholes have been discovered.

"Our business model is like a marketplace connecting businesses with 'white hats'. Every time corporations pay 'white hats' bounties, they also pay us fees for the platform's service. 'White hats' at our platform have earned more than $15 million in bounties," Wang said.

Unlike HackerOne, Butian remains as a public-interest platform, according to Bai Jian, director of the platform.

"Chinese enterprises' maturity on cyber security issues and the related laws and regulations are still weak. At present, if the platform itself makes money, it may lose the trust of some corporations of low maturity. Only by putting the commercial interest aside, we can go further," Bai said.

In 2014, Qi Xiangdong said, compared with the US, the awareness of the importance of internet security at a corporate level was underdeveloped in China.

"Now their awareness has improved significantly, especially after President Xi Jinping spoke on establishing China's national big data center last year," Qi said.

"However, there is still a large gap between China and US or other European countries. While the input of cyber security accounts for around 15 percent of the total IT investments in US, it is only one to three percent in China," Qi said.

He believes it will take five to 10 years for China to catch up with developed countries. "The potential of China's cyber security industry is huge. I expect its scale will increase from 20 billion yuan to 450 billion to 500 billion yuan in the future," Qi said.

He emphasized talents like "white hats" will play crucial roles in the development of the industry.