What Hackers Want in a Bounty Program [Security@ Recaps]
Keeping hackers motivated and engaged in your bounty program means understanding what makes them tick. For the “Understanding Hacker Motives” panel at Security@, we invited three popular and prolific hackers to share their insights from the hacker’s perspective. It turned out to be a great session on how companies can build better bounty programs by thinking more about the hacker experience.
The panel included Frans Rosén, Sean Melia, and Peter Yaworski, who have together found more than 1,500 bugs on the HackerOne platform. In a session that’s jammed with valuable insights, moderator Melanie Ensign, Uber’s security and privacy communications lead, quickly found out that money isn’t at the top of their list of motivators. As Peter put it, “The return on investment isn’t always financial.”
From left to right, Sean Melia, Peter Yaworski, and Frans Rosén pose for a photo just before they go on stage at Security@.
Again and again, the trio pointed towards clear communications, the importance of personal relationships with security teams, and the need for speed. It’s a crash course in understanding today’s best hackers, and is a playbook of sorts for those looking to build a bounty program that attracts this level of talent.
On communications, Sean mentioned that it works both ways and on both sides. “Hackers talk,” he said. “If a company isn’t treating hackers well, word spreads quickly.” Going further, Frans mentioned the value of having actual human-to-human conversations to quickly convey concepts or increase understanding.
On relationships, Frans talked about how he’s been able to produce better results when he creates friendships with the people inside an organization. “Companies think, ‘We just set the bounty and give the money,’ but it doesn’t work like that,” he said, adding that it’s the personal connections that help both sides get more for their efforts.
On speed, Peter talked about how slow response times from security teams result in duplicate reports, which waste hackers’ time and don’t get them paid, so they might leave a program they could otherwise help. Frans revealed that he submits a few quick reports to new programs, just to gauge their response times. “If I need to wait days (for a response), I’ll move on to something else,” he added.
The 40-minute conversation offers many more great insights into the hacker side of a bounty program. Watch the full session to hear them all.