The more the world gets hacked, the more we need hackers. We need white hats. They will find vulnerabilities so we can fix them and not get breached.
When HackerOne was invited to testify before the US Senate on data security and bug bounty programs, that was our exact message. The senators have seen the outstanding results that Hack the Pentagon, Hack the Army and Hack the Air Force have produced for the Department of Defense.
The industry is already going that way. Half a year ago, Google launched an initiative recommending vulnerability reward programs to the leading vendors on the Google Play app store for Android applications. HackerOne is honored to be the chosen partner to provide these programs.
HackerOne recently surpassed $25 million paid to the ethical hacker community for finding and disclosing vulnerabilities to our over 1,000 customers. We are so grateful for our hackers contributions to the security of the internet and for defending our data every day.
We followed the money, and found that the $25 million has done even more good in the world than we thought. Over 24% of hackers surveyed said they donated bounty money to charity organizations like EFF, Red Cross, Doctors Without Borders, Save the Children and local animal shelters. Meanwhile, customer programs like Qualcomm and Google offer “bounty matching” programs donating even more to a cause. It has also empowered hackers all over the world to provide for their families, buy homes, cars, pay for college and more while improving security.
In the past 6 months we have welcomed more companies than ever to the world of vulnerability disclosure and bug bounties via the HackerOne platform. We are now offering hackers a maximum bounty of $250,000 on HackerOne, like those offered by Google and Microsoft. Government agencies, leading investment banks, leading automotive manufacturers, and a variety of tech startups and fast-growing digital companies have decided that it is time to hunt down security vulnerabilities. HackerOne is trusted by more enterprises on the Forbes Global 1000 and the Fortune 500 than any other hacker-powered security platform.
Our hacker community is growing in skill and productivity. New hackers sign up all the time. The current tally is over 160,000. The larger our community, the broader we can scout for specific, high-end talent that is needed in the most advanced bug bounty programs. And with those programs come opportunity, collaboration and earning potential for hackers.
Through HackerOne programs alone, over 65,000 security vulnerabilities have already been found and fixed. The pace of finding and fixing is accelerating. We expect to have paid out $100,000,000 in bounties to hackers by the end of 2020. That’s a big sum of money, but we estimate it is up to two orders of magnitude smaller than the data breach costs thus averted.
We pride ourselves by being leaders in signal-to-noise innovation, implementing algorithmic and human mechanisms to quickly separate the wheat from the chaff in the tens of thousands of vulnerability reports submitted through our platform. All of this allows us to pass a bigger portion of the customer’s money to the hackers. In fact, we pass on to hackers more than any other vendor in this space.
For the past year we have been an active producer of hacker education. Last year we started a university program, with UC Berkeley as our first partner. As part of its cybersecurity course, every student signed up with HackerOne and hunted for bugs in our public programs. The goal of the course was to help future software developers build more secure software by first learning how to break it. There are few methods as powerful for learning the ins and outs of cybersecurity.
In December of 2017, HackerOne partnered with Code.org in New York City to help high school students learn the fundamentals of hacking, responsible disclosure, and the opportunities available and attainable through ethical hacking.
In early 2018 we acquired the acclaimed Breaker101 security education platform, renamed it Hacker101 and made it freely available for anyone under an open source license. The interest in Hacker101 took us by surprise. Within a week we had 50,000 visits to the online classes, and Hacker101 became a top trending topic on Github. Thousands of hackers praise the book by Peter Yaworski that we helped produce. By providing free cybersecurity and hacking education for all, we make sure that we have a community of white hat hackers stronger than any group of criminals.
This is just the beginning. There is not a single individual in the world that does not have a stake in this. Cybersecurity is not the privilege of the few, but the responsibility of the many. The full community of skilled and passionate hackers is eager to contribute to the security of the internet. At the same time, 1.8 million cybersecurity jobs will go unfilled by 2022, according to Forrester Research Inc. Just like no one can tackle security alone, we can’t possibly close the skills gap alone.
We, as members of the greater business community, must challenge and push each other to advance education, grow the ethical hacker community, share learnings from security incidents and help each other improve. We need to take the future of the internet into our own hands by investing in hackers. In summary, Mr. Chairman, we need hackers!
Here’s to $100 million in bounties, and beyond! Together we hit harder. Together we will be stronger.
-- Marten Mickos