The best security initiative you can take in 2017
- February 8th, 2017
As CEO of HackerOne, I am thrilled to confirm that, as part of our rapid growth, we have strengthened our balance sheet with a $40 million series C investment round led by Dragoneer Investment Group. We have the skills, the hackers, the platform, the services, the people and the funds to empower the entire world to build a safer internet.
“The best thing we ever did for security was start a bug bounty program.”
These are the words Sheryl Sandberg spoke as she discussed the success of the program Alex Rice had established at Facebook in 2012. Shortly after, Alex joined forces with hackers from Holland, and HackerOne was founded to make the best practices of bug bounty programs available and affordable for all.
Bug bounty programs have become a must for any software-powered organization. In addition to Facebook, online giants Microsoft and Google also run massive internal bug bounty programs. Google alone spent $3 million on bounties in 2016 and these organizations know that this is a fraction of the cost of not asking the world to review their code and report bugs proactively.
They know that even with the most sophisticated security development lifecycle, vulnerabilities will always exist in code. In fact, the only proven method today that can find any type of vulnerability in public-facing software is a bug bounty program. Given enough eyeballs, all vulnerabilities are shallow. The size and diversity of the external hacker community is what enables these unparalleled results.
Another bug bounty pioneer is Uber. They first launched their public bug bounty program in 2016 with a first-of-its-kind treasure map embedded to help drive hacker engagement. Within 100 days, they had paid $345,000 in bounties to hackers and, as a result, Uber software is more secure. Additionally, the Uber team goes back to the early stages of their software development lifecycle to figure out how it can be improved, reducing the likelihood of similar vulnerabilities in the future.
“Not running a bug bounty program amounts to negligence.” - Joe Sullivan, Uber’s CSO
And it’s not just modern tech companies that see the benefits of opening up their security processes. Starbucks, Panasonic Avionics and the US Department of Defense have also realized that embracing the intelligent, creative hacker community is the best security initiative an organization can take. HackerOne was handpicked to run the Hack the Pentagon program in the spring of 2016.
Half a year later, we followed up with Hack the Army where it took us less than 5 minutes to file the first vulnerability report which, in turn, the Army was quick to resolve along with 118 other discovered bugs during the four-week program. Again, results were overwhelmingly positive and the DoD noted that they have saved over $1 million in costs while significantly improving their security.
Over in Europe, insurance company LocalTapiola launched an ambitious bug bounty program in 2016. The results were so positive that they were able to cut back significantly on pen testing budgets. With these savings, they could more than justify the cost of the bug bounty program, and LocalTapiola knows they can get even more eyes on their software, quickly and affordably.
Report submissions went up 50% when they increased their maximum bounty reward. Shortly after, they found their most severe issue, and awarded the first-time contributor an impressive $18,000.
These customer examples all point to the same conclusion: A bug bounty program - and more generally, a vulnerability disclosure program - is the best security initiative you as a responsible business leader can take.
With bug bounty programs, you pay only for results -- not for false positives or unverifiable lines of defense. Thanks to the size and diversity of the hacker community, there is no limit to what types of vulnerabilities can be found, regardless of the type of attack surface. Unlike traditional methods, bug bounty programs are especially good at finding the unknown unknowns – the vulnerabilities that you didn’t even think could exist in public-facing systems.
Your organization must find these vulnerabilities before criminals or other malicious actors find them. The average cost of a data breach in the US is currently $7 million. Add to this the reputational damage to the company and the officers in charge and it becomes clear that the cost of a bug bounty program is a fraction of the overall risk of not having such a program. The average bounty paid is around $500 – substantially less than what you pay per bug in pentesting or using other traditional methods.
In 2016, we saw tremendous growth in both our hacker community and customer base. The hacker community tripled to nearly 100,000 and sales grew even faster. During the year, we expanded our offering to be able to serve organizations ranging from early-stage startups to the Global 1000. We have hackers skilled in web systems, mobile applications, gaming, APIs, IoT devices, and open source and infrastructure software. We stand ready for you in 2017.
New customers are invited to start with a Vulnerability Disclosure Program (VDP) which is based on the simple principle “if you see something, say something.” In these types of programs, hackers are welcome to proactively submit reports detailing their findings, but the company typically does not pay bounties or invite hackers from the community.
From a VDP, the step can easily be taken to launch a Private Bug Bounty Program in which named hackers are invited to participate and earn bounties for valid reports. As the program matures and more hacker invitations are sent out and accepted, the natural progression is to launch a Public Bug Bounty Program to maximize the effectiveness of a truly crowd-powered security program.
General Motors is a great example of a HackerOne customer who launched a Vulnerability Disclosure Program late last year, from which they aim to kick off a bug bounty program as soon as they learn how to effectively work with and embrace the hacker community.
HackerOne has a full range of services to offer. Power users who are eager to engage directly with the hackers and researchers typically use the HackerOne platform themselves. Other customers who are mostly interested in a prioritized list of valid vulnerabilities can choose the managed option. We can even take full responsibility for the entire program at a fixed annual fee, leaving only the fixing of the bugs to the customer.
Thanks to our advanced platform and its APIs, we have the ability and capacity to bring on board programs from other environments and integrate with other business systems. GitHub used to run their own bug bounty program but switched to HackerOne in 2016. Quora used another platform but migrated the data over to HackerOne to expand and improve their program. Other customers make use of the extensive hacker payment system that’s part of the HackerOne platform. And today we are enabling airline miles and other loyalty programs to be used as payment options in bug bounty programs.
There is no better security initiative you can take in 2017 than launching a program on HackerOne.
In joining HackerOne, your business will gain access to the same hackers who are helping Uber, Salesforce, GM and the U.S. Department of Defense. You can start by taking baby steps, and you will instantly have at your disposal the world’s strongest security community that scales along with your business.
There are just two reasons why you would NOT want to launch a bug bounty program: You don’t want to know the vulnerabilities, or you are unable to fix your bugs.
In all other cases, it will be your best security decision of 2017. Your systems and customers will soon be more secure. We stand ready to serve you.