
More Hacking, Less Risk

Luke Tucker

Our systems will be hacked. This is the only reasonable cybersecurity prediction we can make. If we are at risk of being hacked, the best scenario would be to be hacked by friendly forces so we can plug the hole immediately. This will render the vulnerability useless for malicious attackers. How can we find these vulnerabilities faster? The answer is simple: Ask those who see something to say something.

How can hackers disclose vulnerabilities to companies?

A vulnerability disclosure program (VDP) is the “See something, say something” of the internet. It is not a bug bounty program but a formalized method for receiving vulnerability submissions from the outside world. It instructs hackers, security researchers, engineers and users on how to file vulnerability reports, and defines the organization’s internal process for handling those reports.

Today, vulnerability disclosure programs are in operation at leading organizations such as the U.S. Department of Defense, Starbucks, General Motors, Adobe, Salesforce, General Electric, MasterCard, JPMorgan Chase, Citigroup and others.

Federal agencies and standards bodies, including FDA, FTC, NHSA, and NTIA, recommend VDPs for all organizations that take security seriously. In fact, to comply with the CII Best Practices defined by the Linux Foundation, an open source project must implement and publish a process for reporting vulnerabilities.

Vendors are asking their suppliers and partners to establish a formalized and published method for receiving vulnerability reports from the outside world.

A platform to serve you

To serve this universal and growing need, we provide HackerOne Response, a platform for vulnerability disclosure. HackerOne Response gives companies and government agencies a formalized and effective way of receiving vulnerability submissions from the outside world. For each vulnerability found and fixed, the risk of a breach is reduced.

While in a VDP there is no financial reward in sight for the hackers, they do it for the intellectual challenge, in order to build their own resume and career, for the public recognition they may get, and simply because it is the right thing to do. To date, 11,600 valid vulnerabilities have been reported by hackers through HackerOne’s platform to over 200 vulnerability disclosure customers.

“To improve the security of their connected systems, every corporation should have a vulnerability disclosure policy that allows them to receive security submissions from the outside world” - Jeffrey Massimilla, Chief Product Cybersecurity Officer, General Motors

HackerOne has a community of over 100,000 hackers and security researchers who have signed up in order to help companies find their software vulnerabilities. When you receive a report from a hacker, the report does not come from an entirely unknown person, but from a hacker with a published scorecard.

HackerOne has processed over 200,000 vulnerability reports and our customers have fixed 50,000 valid vulnerabilities. The elaborate data we have collected helps us screen hackers and vulnerability submissions in order to produce only the most relevant reports to our customers.

The hope of the internet

What the world is doing here is brilliant. We are facing a grave threat from malicious cyber attackers. By adopting a universal defense and pooling our security experts so that they can help all participating corporations, we are turning the asymmetry around to our benefit.

There are orders of magnitude more white hats than black hats in the world. By providing a way for anyone to report a vulnerability to any organization, we are shifting the balance in favor of security. The connected world is becoming more secure.

And this is what HackerOne Response is about. It would be a mistake not to allow hackers to report what they see. By implementing a vulnerability disclosure policy, companies strengthen their security posture and reduce the biggest risk they face - the risk of cybercrime. This is something that is increasingly found on the agenda of audit committees, risk management teams, CFOs and CEOs.

Marten Mickos
HackerOne CEO
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.