When General Motors (GM) decided to start a bug bounty program—paying hackers to find computer bugs in the company’s information systems—they purposely tried to avoid other companies’ mistakes with such programs. Uber ended up paying hackers more than ten times the amount that they had originally allotted, partly to avoid hackers destroying customer data they had downloaded.61 Uber made changes to their bug bounty program after that, making it more clear what hackers should not do. Uber’s experience showed the potential problems that can occur when hackers try to profit from the problems they find.
GM didn’t want to face the challenges involved in overpaying, underpaying, or getting into arguments whether a payment was deserved for its bounty hackers. In fact, GM didn’t pay bounty hackers at all at first. During the first stage in the GM program, hackers who reported bugs were given a direct link to GM’s security team. “Having that reporting system in place sent the message to hackers that the company was serious about security,” said Jeff Massimilla, a GM cybersecurity executive. After two years of building relationships with hackers, GM started paying for bugs. Just two years later, the select group of hackers in the company’s bug bounty program had found 700 bugs.
GM’s bug bounty program is only one part of its three-prong approach to cybersecurity.
What are the other prongs? Their staff includes twenty-five to thirty “white hat hackers” who sometimes are called ethical hackers.62 White hat hackers’ work focuses on ensuring that a company’s information systems aren’t subject to security breaches. GM also works with third-party companies that hire more white hat hackers.
They have to use the bounty program and third-party companies in addition to full-time internal hackers, since there is a shortage of white hat hackers.
White hat hackers not only need technical skills, but they also need to be trusted to work for the benefit of the companies that employ them. People with hacking skills often would rather not work for just one company and like flexibility and working from home.
GM’s three-prong approach also was designed to catch more bugs. “If you have so many different perspectives coming together, it’s very different than having your own internal hackers who are all probably trained using the same processes,” said Massimilla.

DISCUSSION QUESTIONS
18-1. Bug bounty programs and hiring white hat hackers are forms of information controls. What are other forms of information controls mentioned in the chapter?
18-2. When a bug is found through a bug bounty program, do you think managers are more likely to take immediate corrective action or basic corrective action?
What are the reasons for your answer?
18-3. What are the dangers versus the benefits of hiring hackers? Why have companies decided that there are more benefits than dangers in accomplishing the process of controlling via hiring hackers?