Hacking for Good
We start the new year of 2020 with great prospects. First of all, 2019 turned out to be a massive success for hacker-powered security. HackerOne paid out over $35,000,000 in bounties to hackers all over the world. These bounties are the thank-yous from nearly two thousand companies and government agencies for tens of thousands of valid vulnerability reports voluntarily submitted by willing and able security experts. There may be no more effective way of reducing cyber risk than coordinated vulnerability disclosure and bug bounties.
The 600,000+ hackers in our network represent 52 quadrillion neurons focused on finding flaws so that they can be fixed. That’s a cybersecurity brain trust of astronomical proportions available to anyone ready to ask for it. It represents an order of magnitude more good will and constructive action than there is bad will, cynicism and apathy in the entire cyber world. Hackers hack for good - for the good of you and for the good of our entire digital society.
As we step into 2020, everyone seems to agree that hackers are needed.
The US federal government stands ready to instruct all civilian federal agencies to implement vulnerability disclosure programs. Corporate boards are asking their CEOs how the company is leveraging ethical hackers. Leading corporations such as Microsoft, Intel, Goldman Sachs, Starbucks, Hyatt Hotels, General Motors, Uber, Lyft, Dropbox and many others have made hacker-powered security an essential part of their security programs.
Hacker-powered pentests, vulnerability disclosure policies and bug bounty programs are becoming essential components of proper cyber hygiene, advocated by leading authorities on cybersecurity such as NIST and the various ISAC groups. In Europe, the EU Commission and UK’s NCSC are pushing for hacker-powered security. In Asia, Singapore’s government is ramping up their programs. This is a global movement with hackers from anywhere in the world helping organizations anywhere in the world.
As a security role model for the entire corporate world, Slack Corporation (with a market cap of around $12 billion) summarized their security program in three and only three essential items when going public in the spring of 2019. Quoting their S1 filing:
- Organizational security including personnel security, security and privacy training, a team of dedicated security professionals, policies and standards, separation of duties, and regular audits, compliance activities, and third-party assessments;
- Secure by design principles by which we assess the security risk of each software development project according to our secure development lifecycle and create a set of requirements that must be met before the resulting change may be released to production; and
- Public bug bounty program to facilitate responsible disclosure of potential security vulnerabilities identified by external researchers and reward them for their verified findings.
A few years ago, corporations would routinely reject bug bounty programs, their CISOs claiming they can’t invite strangers to hack their systems. Today, everyone knows that cybercriminals aren’t waiting for any invitation; they are already and constantly trying to break in. By inviting ethical hackers, on the other hand, you can find and fix the flaws before the bad guys get to them. And even more so, it seems that this is the most effective way of detecting vulnerabilities broadly enough and fast enough. Just through HackerOne, over 150,000 valid security vulnerabilities have been reported over the years to companies and government agencies. With those holes plugged, the risks of data breach have been significantly reduced.
It used to be extremely complex and time consuming to run a bug bounty or vulnerability disclosure program. The job for the customer to fix the bugs is still there, but the operation of the program has been made significantly easier in the past year. Advanced software automation, sophisticated customer services from triage to program management, and more firmly established hacking practices and rules of conduct are making it possible today for any organization to benefit from the help offered by those who hack for good.
A hacker is “one who enjoys the intellectual challenge of creatively overcoming limitations”. That’s a mindset we all carry. Everyone has a hacker within. When we acknowledge the hacker mindset and harness it for the benefit of society, we will be able to resolve the challenges of digital trust that are currently causing societal distress and harming our economy.
Our goal must be a digital world that everyone can trust. To get there, we must all be hackers - creatively overcoming limitations. We must work together. Hacking is for good. It is for the good of society.
In this year of 2020, we at HackerOne will push this agenda forward with all our might. We expect to receive a quarter of a million vulnerability reports from hackers. Total hacker rewards paid will exceed $100 million. The hacker community will grow 1 million strong. Thousands of organizations will launch hacker-powered security programs.
Everyone is invited to sign up as a hacker. In this vast base, we look for the most committed and talented hackers and bring them to our customers’ most demanding and intriguing attack surfaces. On the hackers’ path to excellence, we offer them education, competition, collaboration and a community of like-minded people. The mission is to empower the world to build a safer internet. It can be done when it is done together. And it will be done.
Thank you, hackers, for a fantastic 2019! The new year promises to be greater and still more significant in the world of hacker-powered security. By hacking more we will make the world more secure.
Marten Mickos
CEO, HackerOne
The 7th Annual Hacker-Powered Security Report