When Ali Tutuncu found a vulnerability in Capital One Financial Corp.'s software in March, the company fixed the flaw in 20 days. An independent security researcher, Tutuncu said the bank thanked him and added him to its page of fame.
"They did not pay financially," he said. "Still, it was a nice experience."
Capital One is among a relatively small group of major companies that are encouraging the typically anti-establishment hacker community — and security researchers, too — to find potential vulnerabilities in their computer networks before malicious hackers do. Some of the programs offer cash rewards, called "bug bounties," of as much as $200,000.
The bank is crediting its Responsible Disclosure Program with helping them track down a Seattle woman who had allegedly infiltrated their computer network. Paige Thompson, 33, allegedly accessed data on more than 100 million people, including names, addresses, dates of birth and about 140,000 Social Security numbers.
That's a black eye for a company that's touted its tech savviness, and the hack sent Capital One shares tumbling. But it appears the damage could have been worse: Capital One said it was unlikely the information was used for fraud or disseminated to others.
Thompson was charged on July 29 with computer abuse and fraud. Her arrest marks a major success for cyber tip lines, and one that is likely to encourage other companies to start their own. Paul Benda, senior vice president of risk and cybersecurity policy at the American Bankers Association, said he couldn't recall a tip that was wrapped up so quickly.
"From the time they submitted to the time it was shut down to the time there was an arrest, there's no example I think that comes close to that," he said.
Alex Rice, co-founder and chief technology officer of HackerOne Inc., which manages "hacker-powered security" platforms for Capital One and other companies, said, "Usually vulnerability disclosure programs are not uncovering criminal activity. But it is phenomenal that it works out that way."
Jennifer Bayuk, a former risk cybersecurity executive at several major banks including JPMorgan Chase & Co., said if banks don't already have vulnerability disclosure programs, they are likely looking at them now. "They're probably looking at the Capital One news and meeting with legal as we speak."
There appears to be plenty of room for growth. A 2018 HackerOne report concluded that 93% of the world's largest public companies don't have a policy to handle "critical bug reports" submitted by outsiders.
The tip that led to Thompson's arrest came in on July 17, when an unnamed "external security researcher" emailed Capital One's disclosure program saying that leaked data was being stored on a publicly accessible file at GitHub, which allows users to manage and store software projects.
Capital One provided few details when asked about its cyber tip line. A public page about the bank's program at HackerOne shows that it has received at least 30 reports of security flaws since it started in January. HackerOne declined to say how many of those reports were validated security flaws.
"White Hat" hacker programs have been around for years, but they have become more formalized as the volume and severity of threats have increased. Some companies manage their own vulnerability disclosure efforts. Companies like HackerOne and BugCrowd offer services to analyze incoming tips and, if warranted, pass them on to their client's security team.
"You have to filter it out pretty carefully before you realize what's real and what's not," said Dave Aitel, chief technical officer at Cyxtera Technologies, which provides security for computer networks and cybersecurity services.
Vulnerability disclosure programs allow companies to crowd source security, tapping researchers with a diverse background of skills to stress-test computer infrastructure.
The programs run from invitation-only disclosure programs to tip lines that are open to all comers.
The amount of the bug bounties depends on the quality of the information provided by the tipster and the severity of the hack, and rewards range from a couple hundred dollars to hundreds of thousands of dollars.
Even if Capital One offered cash rewards, it's not clear that the unnamed tipster would have netted a huge reward. That's because the information provided was more of a headsup about leaked data, rather than a detailed report outlining a major flaw, Aitel said.
"You're not gonna make a ton of money saying, 'Hey, I think someone has your information on a GitHub account,' " he said. "They might send you a thank-you T-shirt. They definitely owe you a thank-you T-shirt."