The World's Elite Hackers Share Tips and Insights
As many hackers on the HackerOne platform know, you can make a good living out of bug-hunting. But a few of our hackers have made a really good living.
Bloomberg Tech Editor Aki Ito moderated a 40-minute panel at HackerOne’s recent Security@ conference with three elite hackers, each of whom has grossed over $1 million in bounty earnings with HackerOne. Whether you are a security leader looking to get the most out of your HackerOne Bounty program, a hacker looking to improve, or an aspiring hacker looking to get in, read on for advice from some of the best.
Getting Elite Hacker’s Attention
Although each panelist came from a different corner of the world, the three shared similar advice on how programs can get their attention. Some are things every organization running a bounty program can do, like be explicit and transparent about how much you pay for different types of vulnerabilities and treat that like a contract, triage, remediate, and pay quickly, and treat hackers with the same professional respect as you do members of your team. Other things you may need to work up to, like having a big scope, or paying top dollar. (By the way, HackerOne has benchmark stats, guides, and professional services to help you with these program dimensions.)
While it’s true that established programs like Verizon have a head start, even the best hackers hit the occasional dry spell on those programs. That’s when they go looking for other interesting programs. Will your program page be ready to grab their attention?
If they’ve never worked with a certain program before, panelists shared that they will frequently submit a report or two to test the program’s responsiveness. As Bloomberg’s Ito said, bounty hunting is extremely performance-based. While her comment was directed at hackers and how they only get paid for valid vulnerabilities, it is equally true of programs. The three panelists reward responsive, transparent, communicative, and welcoming programs with their time.
Should You Try Hacking?
Bloomberg’s Ito kicked off the panel asking each hacker to name their favorite thing about being a hacker. For Nate, it’s being his own boss; for Santiago, it's freedom, and for Tommy, the money.
Santiago, who hails from Argentina, began hacking at 16 and was the first to reach $1 million in lifetime awards. He's a great testament to the fact that with the right interest and dedication, there are very few barriers to entry. Nate cautions you to avoid going into it purely for the money, though. “If you’re passionate about computer security and you want to do it well, the money will eventually come.”
For anyone with the interest and commitment, Nate strongly encourages you to consider computer security. “As more of life gets digitized, the opportunities in mobile and web application security will continue to grow.”
Asked to name the most common misperception about hacking, Tommy replied, “That it’s hard. You need the right mindset to approach applications in a way that will allow you to find bugs, but most people could do it.” Tommy’s advice is “don’t doubt yourself.” Santiago and Nate added that there are ample resources available to learn, including videos of people hacking, blogs, forums, even a Twitch livestream from HackerOne’s Ben Sadeghipour.
How To Be A Great Hacker
If you’re in the game already and looking to take things to the next level, Nate encourages you to put on the customer’s hat. “Don’t just get good at understanding different vulnerability classes. While you’re hacking, always have in the back of your mind the question ‘what is the impact to this organization?’ If you can answer that, you’ll be on your way to a successful career as a hacker.”
All the panelists said that hacking can get lonely at times, so it’s really important to find your people. Join online communities where you can discuss, share, and get encouragement from other hackers. And if you’re able to do so, go to conferences. As your skills and reputation grow, try to position yourself to be invited to Live hacking events.