In this Risk & Repeat podcast, SearchSecurity editors discuss how a cyberextortion campaign is targeting enterprises that don't have official bug bounty programs.
Hackers have found cyberextortion methods beyond ransomware, and one of them is the bug poaching attack.
According to recent findings by IBM Security, an active cyberextortion campaign has targeted 30 different organizations over the last year with bug poaching: attackers discover and exploit security vulnerabilities in enterprises that lack proper bug bounty programs, exfiltrate data, and then contact the victim. They demand a payment of approximately $30,000 in return for disclosing how they breached the company and returning any stolen data.
The IBM report raises questions about the ethics around bug hunting and bug bounty programs. Is this bug hunting? Or are the enterprises to blame for not having actual bug bounty programs? And should the enterprises pay the extortion fee?
In this episode of SearchSecurity's Risk & Repeat podcast, site editors Rob Wright and Peter Loshin discuss those questions and more on the topic of bug poaching and cyberextortion. They also discuss other recent news around Network File System security, OEM software risks for PC users and a security alert regarding a common medical software program.