If triaging vulnerability reports were a martial art, Zach Dando would be a sensei master. Zach runs the triage team at HackerOne, and we recently sat down with him to glean insight into how he keeps HackerOne’s Security Analysts firing on all cylinders.
Hi Zach! Please introduce yourself and tell us what your role is at HackerOne.
My name is Zach Dando, and I run the triage services here at HackerOne. My technical title is Manager of Triage Services, but basically my job is to remove barriers for our talented Security Analysts so that they can do their jobs, and provide quality and fast triage for our customers.
Can you define for us what bug triage is in your own words?
“Bug triage” is the process by which we decide which bugs live, and which bugs die. We are the EMTs of the bug world. Our team will assess a submission, gather any additional intel if necessary and make a determination if that bug will survive to move on to the remediation teams to be fixed.
Our Security Analysts are there during the lifetime of the bug, to make sure that it gets all the necessary care and attention it deserves. From the time a submission comes through our doors, to the time the remediation team implements a fix, we are there every step of the way to make sure everything goes smoothly.
So you oversee the triage Security Analyst team. Could you tell us a little about them: What are some of their backgrounds? Are they hackers themselves? Feel free to brag! :)
I am lucky to have a great team of talented Security Analysts working for me. They really make my job easy! Every one of them is a skilled hacker in their own right, and most of them have come from the community themselves. When they aren’t triaging reports on our platform, they are spending time on their own bug bounty hunts. We have talented self-taught hackers right out of school and some veteran hackers that have been bug hunting for years. I’m proud to say that they’re all even better hackers than I am!
Do you have certain SLAs, any response time numbers you can talk about?
With the recent expansions to the team, some workflow changes, and realignment of our resources, I can say that within the past three months, we have reduced our response times by more than 80%! We have listened to our customers and our community and our focus on faster responsiveness has really paid off. We love to hear feedback, good or bad, so that we can take that information and directly act on it!
What skills make a good triager?
When we do triage, we don’t just look at a report and say “yep, that looks good” or “nope, not a bug”. Our team will test the bug for validity, work with the hacker to make sure that we have all the information that our customers need, and then we will work with the customer all the way until they have resolved the bug, answering questions and gathering information for them. Security Analysts at HackerOne need to have a good attention to detail, the technical chops to reproduce any report that comes across their inbox, and great communication skills.
Can you talk a little bit about “bounty management” and programs that are “fully managed”? Why do companies work with your team on managing bounty tables and payouts?
We often have companies that are new to hacker-powered security. Bounty management allows us to help customers who choose to award bounties to make competitive bounty payments in a timely manner, and we’ll help them come up with a payment structure that will fit within their budget. By having our team do triage and bounty management, the only thing that a team has to worry about is remediating the valid bugs that we forward on to the team.
You report up to our VP Customer Success, Barry Duplantis. That organization in HackerOne is all about making our customers successful and providing them with world-class service. Can you dive into some of the keys to providing exceptional customer service, from your point of view?
When I first got started in this industry, I thought that “Customer Success” was just a corporate buzzword way of saying customer service, but now that I’ve been a part of this team I can see just how wrong that was. Our team is dedicated to helping our customers get the most out of our service. We don’t just deal with problems when they arise, but start by building a relationship with each of our customers, learning about their company, their security experience and their goals for their bug bounty program. We then take all that information (and vast amounts of data analytics) to proactively come up with a plan that is tailored to each of our customers’ programs to help them maximize the return on their bug bounty program.
Doing triage means you work hand-in-hand with a company’s security team. Can you talk a little bit about how you manage that process? Any regular meetings? Typical communication?
We try to make our team a seamless part of each company's bug bounty team. Before we even get started, I will meet with them to get a sense of how they intend to use our platform and what they expect from our triage team. This allows us to build a custom workflow within the platform that fits in like a puzzle piece. Does your company want to use standardized language for all responses? We can do that. Do you want to mark reports as triaged so you can assign reference numbers? We can do that. Do you want us to handle reports/hacker communication/bounty management, so that you only need to look at the complete valid reports for remediation? We can do that.
What impresses you the most about the hacker community?
I am consistently impressed with the findings that our managed programs receive. Even working as an AppSec Engineer for years, I constantly see new and creative ways to get through the latest security patches, and bugs that I didn’t even know existed. Even the best hacker doesn’t know everything, so we have a community of 100,000 of them.
Another thing that I really love about the hacker community is that they really are dedicated to making the internet a safer place. They collaborate, share ideas, and publish their findings, all in an effort to share their knowledge with the world, so that others can benefit from it.
Final question, what’s your favorite hacker movie and why?
Well, this is a difficult question… There are so many good/bad hacker movies out there. Hackers will always hold a special place in my heart for being one of the first movies that shows hackers as “good guys” in the mid-90s. Even though basically everything about hacking was completely ridiculous in that movie (and everything else is pretty ridiculous too), I still love it.
A couple of runners-up are Antitrust from 2001 and Live Free or Die (which is a hacker movie just like the original Die Hard is a Christmas movie).
This is part 2 in a 3-part blog series on HackerOne’s triage services. Read part 1, “HackerOne’s Approach to Triage”, written by HackerOne co-founder Jobert Abma.