Six hackers made over $1 million this year for squashing security bugs, yet just five years ago this possibility seemed remote at best.
HackerOne CEO Mårten Mickos is on a mission, but it’s perhaps one he’d rather wasn’t needed. His company keeps minting millionaires (six and counting), paying big money to snuff out big problems in software. “As long as there are software vulnerabilities, there will be millionaire hackers!” Mickos said. Even better, he was quick to add, “And think of the hundreds of millions saved by fixing vulnerabilities and preventing breaches.”
Indeed. The more our world is built with software, the more it will get hacked. Yet this hacker-fueled approach to software security took years to gain acceptance, and perhaps not for the reasons we might suppose.
In the beginning was the security bug
Five years ago the HackerOne board met to discuss progress, as recounted by co-founder Jobert Abma. At the time, the fledgling business was growing, but not all that fast. At a board meeting they tallied up their results: 100 hackers had submitted at least one valid vulnerability in the past month, which equated to roughly $100,000 in bounties paid by HackerOne. Not bad, but nothing to suggest how big this could get.
Just a few years later, the board met again to review the business. This time $100,000 had jumped to $1,000,000 in bounties paid, with incoming submissions of valid security vulnerabilities climbing to 20 per day. Clearly, things were moving in the right (or wrong, depending on your perspective) direction. Companies were starting to sense that “white hat” hackers might help them best “black hat” crackers, but there remained some issues HackerOne (and others like it) still needed to overcome, according to Abma:
Hackers’ efforts were not yet widely appreciated. Our plan was to convince as many companies as possible that hackers were here to help them in their security efforts. There was no market for any of this, so we had to build it. Many companies were not ready. It wasn’t just that. Hackers worked alone. Hackers struggled to find each other. There was no hacker community as we know it today.
At the heart of HackerOne were three fundamental tenets the company believed would come true:
Ignoring hackers will be viewed as negligence.
Security will be collaborative.
Transparency will breed trust.
To make this true, it set out in quasi-open source fashion to build a community of hackers. But in this case, the community wasn’t submitting pull requests to collaborate on code; rather, it was working together to uncover and suggest fixes for security bugs. Lots (and lots) of bugs.
The rise of the millionaire hacker
To date HackerOne has raised $110 million, but the more impressive number will come next year, when the company expects to pay out over $100 million in bug bounties (cumulative)—so far, HackerOne has paid out $65 million in bounties. The company’s hacker community has reported over 7,000 security vulnerabilities. Over 5,000 hackers sign up to squash even more bugs each week.
This is where security is heading, and fast. As impressive as HackerOne’s current statistics may be, for every security vulnerability its community finds, there are hundreds (thousands?) more that go undetected. As with open source, the point for companies isn’t to figure out how to write perfect code—that’s never going to happen. Instead, they need to figure out how to deal with a world filled with software bugs. As Mickos has opined, “Companies don’t stand out by being breached or not. They stand out by how fast they detect and how quickly they fix.”
As organizations seek to differentiate themselves through software innovation, hacker communities like HackerOne’s will be required to ensure the security of that software. Expect more millionaire hackers. Many, many more.
To go deeper on bug bounties, check out “How the Air Force used a bug bounty program to hack its own cloud server” and “Do bug bounties help open source security?” on TechRepublic.