Connect with us

Infosecurity

The Truth About Bug Bounty Programs: Security Solution or Marketing Stunt?

Published

on

The Rise of Rewarded Security Research

What happens when companies start paying hackers to break their software? The cybersecurity landscape has witnessed a dramatic transformation as bug bounty programs have evolved from rare experiments into mainstream security strategies. Today’s tech giants actively court the same researchers they once threatened with lawsuits.

This shift represents more than just a change in corporate attitude. Over 200 organizations now operate these reward-based vulnerability disclosure systems, fundamentally altering how security flaws are discovered and reported. However, the question remains: do these initiatives genuinely enhance security, or do they simply transfer responsibility to external researchers?

How Bug Bounty Programs Actually Work

The mechanics behind these programs are surprisingly straightforward. Companies establish clear guidelines for security researchers, outlining which systems can be tested and what types of vulnerabilities qualify for rewards. In return, researchers receive legal protection and financial compensation for their discoveries.

The financial incentives can be substantial. Google‘s Project Zero initiative demonstrates corporate commitment to this approach, while Microsoft has distributed over $500,000 in rewards. Critical Android vulnerabilities command $2,000 base payments, with functional exploits potentially adding tens of thousands more.

But money isn’t the only motivator. Many researchers participate for reputation building, speaking opportunities, and the intellectual challenge of outsmarting sophisticated security systems.

The Security Impact: Promise vs Reality

Proponents argue that bug bounty programs create a race between ethical researchers and malicious actors. Every vulnerability discovered through legitimate channels theoretically reduces opportunities for cybercriminals to exploit the same flaws.

HackerOne reports impressive statistics: over 17,000 bugs resolved and nearly $6 million paid to 2,200 researchers through their platform alone. These numbers suggest significant security improvements across participating organizations.

However, critics raise important concerns about the underlying approach. Are companies using these programs as substitutes for rigorous internal security testing? The evidence suggests that fundamental development practices remain unchanged, with security still taking a backseat to rapid release schedules.

The Psychology of Motivation in Security Research

Understanding what drives security researchers reveals complex psychological dynamics. Research in behavioral psychology indicates that intrinsic motivation—the satisfaction derived from solving challenging problems—often proves more powerful than external rewards.

This creates an interesting paradox. While financial incentives attract participants to bug bounty programs, they might actually diminish the pure intellectual drive that motivates the most effective researchers. The transition from passionate hobby to paid work can fundamentally alter the researcher’s relationship with their craft.

Consequently, the most successful programs recognize that community engagement extends beyond simple financial transactions. Building relationships with talented researchers often leads to ongoing consultancy arrangements and recruitment opportunities.

Market Forces: White Hat vs Black Hat Economics

The economics of vulnerability research present a stark reality check. Black market prices for zero-day exploits frequently exceed legitimate bounty rewards by orders of magnitude. A critical vulnerability that earns $2,000 through official channels might command $50,000 or more on underground markets.

This disparity raises questions about whether bounty programs genuinely redirect researchers away from malicious activities. Individuals willing to sell vulnerabilities illegally are unlikely to be swayed by comparatively modest legitimate rewards. Instead, these programs primarily benefit researchers who were already committed to ethical disclosure practices.

The persistence of active exploit markets, despite growing numbers of bounty programs, suggests that determined attackers continue finding and weaponizing vulnerabilities independently of white hat efforts.

Beyond Bounties: The Real Value Proposition

The most significant benefit of bug bounty programs may lie not in their immediate security impact, but in their role as talent identification and community building tools. Organizations that view these initiatives as recruitment pipelines often achieve better long-term security outcomes than those focused solely on vulnerability discovery.

This approach transforms reactive bug hunting into proactive security partnership. Companies can identify exceptional researchers and engage them for specialized consulting work, creating deeper security assessments than typical bounty submissions provide.

Building on this foundation, forward-thinking organizations are integrating bounty programs with comprehensive security development lifecycles rather than treating them as standalone solutions.

The Verdict: Progress with Limitations

Bug bounty programs represent genuine progress in security research legitimization. They provide legal frameworks for beneficial activities that previously existed in regulatory gray areas. The recognition and financial support offered to researchers has undoubtedly encouraged more individuals to pursue ethical security research careers.

Nevertheless, these programs cannot solve the fundamental challenge of secure software development. As long as organizations prioritize speed over security in their development processes, vulnerabilities will continue emerging regardless of post-release discovery methods.

The absence of measurable decreases in circulating exploits, despite proliferating bounty programs, suggests that determined attackers remain unaffected by these initiatives. True security improvements require addressing root causes in development practices, not just symptoms in deployed software.

Ultimately, bug bounty programs work best as components of comprehensive security strategies rather than primary solutions to software vulnerability challenges.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Infosecurity

‘Selfish Bravado’ Behind TfL Cyber-Attack, Judge Says as Pair Jailed for Five Years

Published

on

TfL cyber-attack

Two men who breached Transport for London’s systems in 2024, stealing data from millions of Oyster card users and forcing the shutdown of key accessibility services, have been sentenced to five years and six months in prison.

Owen Flowers, 18, and Thalha Jubair, 20, pleaded guilty in June 2026 to unauthorized acts under the UK’s Computer Misuse Act. The judge at Woolwich Crown Court, Justice Turner, said the attack was driven partly by “selfish bravado” — not purely by money.

The case is the second criminal prosecution of its kind under the CMA in the UK. And it’s the largest cybercrime prosecution ever brought before British courts, according to the National Crime Agency (NCA).

How the TfL cyber-attack unfolded

Flowers was 17 and Jubair 18 when they first broke into TfL systems on August 31, 2024. They held access for three days.

Their entry point? Partial employee credentials bought from “well-known online criminal marketplaces and forums,” a senior NCA officer confirmed. Then came social engineering: multiple attempts to reset two-factor authentication (2FA) for TfL staff accounts.

“It took multiple attempts to successfully reset that 2FA, so they were persistent — as we know they are,” the officer said. Once inside, the pair escalated privileges, moving deeper into TfL’s network.

Telegram messages between the two showed they knew they’d accessed the database of Oyster cardholders. They even streamed their progress live to an online audience, the judge noted.

£29m in damages — and a near miss for the UK economy

The TfL cyber-attack cost the transport body £29 million ($38 million) in direct losses and recovery. TfL also reported an additional £10 million ($13.5 million) in lost income.

While the hackers never shut down trains or buses, the operational fallout was severe:

  • The Oyster refund system was compromised, forcing TfL to close applications for Oyster photocards for children and young people.
  • The Dial-a-Ride booking system — used by people with disabilities — was taken offline.
  • Live Tube data on apps like TfL Go and CityMapper was suspended.
  • Over 27,000 TfL employees had to reset their passwords in person.
  • Some staff worked from home for the whole of September 2024.

In total, between seven and 10 million people across the UK were affected. Had the attackers succeeded in disabling the transport network, the NCA estimated the cost to the UK economy could have reached £56 billion ($75 billion).

Scattered Spider: from teenage hackers to a major threat

Flowers and Jubair are believed to be part of Scattered Spider, a hacking group linked to attacks on Marks & Spencer and Co-op in 2025. Scattered Spider emerged from a loose collective known as The Com, which also spawned groups like Lapsus$ and ShinyHunters.

The NCA describes Scattered Spider as “the most significant cybercrime threat to the UK in recent years.” Their tactics? Phishing, voice phishing (vishing), SIM swapping, and ransomware.

Jubair’s record is extensive: 22 prior convictions, starting at age 14. In 2023, he received a Youth Rehabilitation Order for offences linked to Lapsus$. He is also wanted by US authorities for alleged cybercrimes involving the theft and extortion of millions of dollars.

Flowers had a history too. In October 2023, West Midlands Police issued him a cease-and-desist notice. He was offered training on computer misuse laws — and turned it down. After his arrest for the TfL hack, he was granted bail but violated conditions twice: once in October 2024 and again in May 2025. He also received a formal warning in March 2025.

Sentencing: youth, neurodiversity, and high expertise

Justice Turner weighed mitigating factors — the defendants’ youth and diagnosed neurodiversity — against aggravating ones, particularly their “high expertise,” which meant they likely understood the full impact of their actions.

The five-and-a-half-year sentences reflect that balance. Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, called the prosecution “the culmination of nearly two years of painstaking work by the NCA, Crown Prosecution Service (CPS) and our policing partners.”

“Through this investigation, we have severely disrupted that threat and brought key offenders to justice,” Foster added.

What this means for UK cybercrime in 2026

The NCA warns that the threat from serious organized cybercrime to the UK remains “very high” in 2026. While a small number of attacks come from UK-based individuals motivated by notoriety, the vast majority are launched by criminals abroad, driven by financial gain.

The TfL cyber-attack case sets a significant precedent. It shows UK courts are willing to hand down long sentences for cyber intrusions — even when the perpetrators are teenagers. And it underscores the vulnerability of critical public infrastructure to determined, socially engineered attacks.

For TfL, the recovery continues. For the millions of Londoners whose data was exposed, the question remains: how many more attacks like this are coming?

Continue Reading

Infosecurity

Taiwan Charges Two Businessmen for Allegedly Helping Chinese Espionage Campaign

Published

on

Chinese espionage campaign

Two Taiwanese Executives Accused of Feeding Accounts to Chinese Hackers

Taiwanese prosecutors have formally charged two local businessmen for allegedly running a company that supplied hacked messaging accounts to Chinese state-backed cyber operators. The case, announced Tuesday by Taiwan’s Ministry of Justice Investigation Bureau, adds a concrete legal dimension to what researchers describe as a sprawling, years-long phishing campaign.

The suspects are accused of collecting and leasing accounts for LINE, the dominant messaging app in Taiwan and much of East Asia. Investigators say the accounts were rented to Xiamen Empress Information Technology, a Chinese firm they link to the Chinese Communist Party’s cyber apparatus, for roughly 1,100 yuan ($162) per account. The goal was simple: impersonate real journalists to trick politicians, academics, and activists into downloading malware.

The Fake Reporter Trap: How the Scheme Worked

According to the bureau, the company’s director gathered LINE accounts registered with Taiwanese mobile numbers — a crucial detail, because locals trust numbers from their own country. Chinese operators then used those accounts to pose as reporters from outlets including the International Consortium of Investigative Journalists (ICIJ).

The fake journalists would request interviews or ask targets to contribute articles. Standard phishing fare. But the twist came next: the attackers pushed a fake encrypted communications app, claiming it was needed to protect sources. Instead, it deployed malware designed to take over the victim’s computer.

Prosecutors searched the company’s offices and other locations during two operations earlier this year. This week, they issued deferred prosecution orders against the two executives, charging them with violations of Taiwan’s Personal Data Protection Act and other offenses.

A Campaign Backed by Research

The charges line up with findings published earlier this year by the ICIJ and researchers at The Citizen Lab, based at the University of Toronto. That report documented a Beijing-linked phishing campaign targeting journalists, democracy activists, and members of Uyghur, Tibetan, Hong Kong, and Taiwanese communities abroad.

The Citizen Lab said the operation relied on more than 100 malicious internet domains over nine months. The researchers noted something else unusual: mistakes in some phishing emails suggested the attackers may have used artificial intelligence to automate message generation and target selection. It’s a sign that even state-backed hackers are experimenting with AI tools to scale their operations.

“The attackers noted that journalists routinely use secure messaging tools to protect confidential sources and encouraged victims to download the fake software,” the Investigative Bureau said in its statement.

Why LINE Accounts Were the Key

LINE is deeply embedded in Taiwanese daily life — used for everything from work chats to family groups. A message from a local number on LINE carries instant credibility. By renting accounts that already had Taiwanese registrations, the Chinese operators bypassed the first line of suspicion.

For about $162 per account, they got a digital identity that felt real. It’s a low-cost, high-impact tactic. The suspects allegedly acted as middlemen, collecting the accounts and selling access to the Chinese firm. Prosecutors did not name the company or the executives, citing ongoing investigations.

China’s Denials and the Broader Context

Beijing has repeatedly denied conducting cyber-espionage against foreign governments and civil society organizations. The Chinese foreign ministry did not immediately respond to a request for comment on the Taiwanese charges.

But the case is part of a pattern. Over the past two years, researchers have documented multiple campaigns using stolen or rented messaging accounts to target Taiwanese officials and pro-democracy activists. The use of fake journalist personas is particularly insidious — it exploits the trust that reporters rely on to do their jobs.

The charges also come amid heightened tensions between Taiwan and China. Taipei has increasingly cracked down on what it calls “cross-strait espionage networks” operating through shell companies and tech intermediaries.

What’s Next for the Accused?

The two businessmen face potential prison time if convicted under Taiwan’s Personal Data Protection Act, which carries penalties of up to five years for serious violations involving organized crime or foreign intelligence ties. The deferred prosecution orders suggest they may be cooperating with investigators.

The case serves as a warning to companies operating in gray areas: renting out local digital identities to foreign entities — even if disguised as legitimate business — can land executives in criminal court. And for the rest of us, it’s a reminder that not every friendly message from a local number is what it seems.

For more on how to spot phishing attempts, check out our guide on identifying fake journalist outreach. And if you’re a journalist or activist using secure messaging apps, consider reading our breakdown of safe communication tools for high-risk environments.

Continue Reading

Infosecurity

ClickLock Stealer: New macOS Malware Locks Your Mac Until You Type Your Password

Published

on

ClickLock Stealer

A new macOS stealer called ClickLock Stealer is making the rounds, and it has a nasty trick: it crashes essential apps in a loop until you type your password. Researchers at Group-IB spotted the malware, which combines a classic social engineering lure with a brutal coercion routine.

Published on June 16, the Group-IB report details how ClickLock Stealer has hit at least 100 victims across 33 countries in roughly two months. More than half of those targets are in Europe. The first sample appeared on VirusTotal on June 9 with zero detections.

This isn’t your average info-stealer. It’s modular, aggressive, and designed to make your machine unusable until you give up the goods.

The ClickFix Lure: Paste a Command, Lose Your Data

It all starts with a ClickFix page. Victims are tricked into copying a command and pasting it into Terminal. The page might pretend to be a Cloudflare verification or a browser update. Once pasted, an orchestrator script kicks in.

That script hides the cursor and plays a fake Cloudflare progress animation. Meanwhile, it downloads four separate components from two compromised WordPress sites. The user thinks they’re waiting for a verification to complete. In reality, their machine is being armed.

The Four Modules of ClickLock Stealer

The malware is built in pieces, each with a specific job:

  • Keychain stealer: Queries macOS for the Chrome Safe Storage key. That’s the AES key that decrypts passwords and cookies stored in Chrome’s offline database. Once obtained, the attacker can dump everything.
  • Credential module: Pops up a fake password dialog built in AppleScript. Here’s the clever (and terrifying) part: it validates the entered password against the local directory service. If you type the wrong password, the dialog just sits there. Only the correct password gets sent to the operator. No typos allowed.
  • Cryptocurrency module: Scans for more than 30 wallet extensions, including MetaMask and Phantom. It extracts encrypted vault fields from LevelDB storage. Crypto assets are a prime target.
  • GSocket backdoor: Installs an open-source reverse-shell tool, reused with roughly 80% of its original code. On macOS, it disguises itself as an iCloud process. This gives the attacker persistent remote access.

Kill Loops: The Coercion Tactic

If you type your password on the first prompt, the attacker gets it along with a system fingerprint. Game over. But what if you cancel? That’s where the coercion begins.

The orchestrator installs two LaunchAgents. These ensure that both credential modules relaunch every time you log in. Then the kill loops start.

A tight cycle terminates Finder, Dock, browsers, Terminal, and Activity Monitor. This cycle runs for up to 83 hours. Your desktop becomes a frozen mess. You can’t click anything. You can’t open a window. The only way to stop the madness is to type your password.

Meanwhile, a parallel loop kills NotificationCenter for about six hours. This suppresses Gatekeeper warnings. You won’t see the security prompts that might normally alert you to malicious activity.

Everything exfiltrates over Telegram. Three separate Telegram bots handle the stolen data. There’s no dedicated command-and-control server. Modules forge timestamps and delete themselves after execution, leaving only the GSocket backdoor behind.

A Broader Shift in macOS Malware

ClickLock Stealer doesn’t exist in a vacuum. The broader macOS stealer ecosystem is evolving fast. The Atomic macOS Stealer (AMOS) family gained an embedded backdoor in July 2025. Just this week, Jamf Threat Labs documented CrashStealer, which uses a signed dropper to bypass Gatekeeper entirely.

Attackers are getting more aggressive. They’re not just stealing data quietly anymore. They’re willing to break your machine to get what they want.

How to Protect Yourself

Group-IB has clear advice. Treat any website that instructs you to paste a command into Terminal as an active attack. Legitimate services never ask you to do this.

If your desktop suddenly starts killing applications and you haven’t entered a password, don’t give in. Force-shutdown the machine. Boot into Safe Mode (hold Shift during startup). Run a malware scan. The password you refuse to type is the one that keeps your data safe.

For more on similar threats, read about Atomic Stealer macOS ClickFix attacks that bypass Apple security warnings.

Continue Reading

Trending