Security@ 2018: Oath, DoD Highlight Value in Bringing Bug Bounties to Life
Most hacker-powered security happens remotely, with digital messaging being the typical communication channel. There’s no brainstorming together with a whiteboard, no chats over coffee, no conversations during the walk across the street for lunch.
One of the many benefits of Security@ is the chance to bring hackers, developers, and security teams together to meet in real life. At Security@ 2018, held in San Francisco in late October, we invited Kate Conger, the technology reporter for the New York Times to moderate a panel of security program leads and one of the top hackers on HackerOne to better understand the importance of personal connections in hacker-powered security.
The conversation began with the value of hacker-powered security and overcoming initial objections. Inside the Department of Defense, Staley explained, it comes down to using the best people for the job and realizing that these properties are already open to criminal cyber attackers. “This is an avenue for you to engage with people who wouldn’t ordinarily work for the Department of Defense,” she explained. “These are public-facing websites and applications that are on the internet. They’re accessible by anybody. We’re not giving privileged access.”
Nims, of Oath, recalled their program starting in 2014, a year in which Yahoo! (who previously owned some of Oath’s brands) spent $3 million in bounties. Their program’s success and acceptance, Nims says, can be seen in the growth of their bounty payouts. “In the past six months, we’ve spent $2 million in bounties. In the month of September alone, we spent $800,000.”
From the hacker’s side, Rosén says he uses the Department of Defense as his model for promoting hacker-powered security. “I use the DoD as an example for being proactive in launching these types of programs,” he said. “I’m trying to get more people to understand the power of using (bug bounties) to get more secure.”
Hackers are the lynchpin of hacker-powered security, so staying connected through events like Security@ and live hacking events helps put context to security. The DoD went so far as to hire a hacker as an intern. “It helps humanize the community,” Staley said. “It really helps put a face to the crowd and helps people get more comfortable in partnering with this community.”
But as hacker-powered security becomes more popular, and programs like Oath’s and the DoD’s move to expand, hacker talent also becomes more valuable. That drives organizations to make their program’s more attractive to the hacker community.
“You always think about what you can do to make your program more compelling,” said Nims. “The number of researchers is finite. In the same way, we compete for cyber talent from the employee perspective, we’re all competing for research talent.”
For hackers, and we’ve heard this again and again, it’s not always the money that creates the most appeal. In fact, it ties back to the human connections with those inside the organizations.
“The biggest and most important thing for me is the interaction,” said Rosén. “The ability to get a response, to get a connection with the people on the other side. If I know it will take 3 or 4 weeks for them to pay or respond, I’d rather go with a company that responds in a day or two. The interaction is key.”
But that doesn’t mean money isn’t a consideration, Rosén added. “Of course, money is also a super awesome thing. It’s a measurement on how much they appreciate what you actually spent time on.”
The panel went on to discuss how they incorporated bounty programs into their organizations, how those programs altered their development processes, and even the “plumbing”, as Nims calls it, necessary to build and scale a hacker-powered security program. Stay tuned, however, as you’ll be able to watch this panel in its entirety as this, and all the Security@ sessions will be posted soon.
To learn more about HackerOne Bounty, live hacking events, and how hacker-powered security can improve your security posture, contact us today.