The best hackers always ask: "I wonder what I can do with this bug?" This unwavering curiosity, combined with the technical ability to answer this question, is the kernel of hacking.
One reason I enjoy being Head of Hacker Success is the emphasis we place on the role of the hacker. Hacker is in our name itself! When we say hacker, we don't mean the typical media portrayal of nefarious-looking characters in black hoodies. Instead, we subscribe to the pure definition of hacker: "one who enjoys the intellectual challenge of creatively overcoming limitations." Hackers are people who embody a specialized set of knowledge, skills and ethos. They combine knowledge about coding and systems, the skills to explore and test them, and an ethos that seeks out better knowledge and safer implementations.
Today's security environment has changed significantly compared to when I started 15 years ago. Many of us in security can share similar stories about how we first became interested. For me, I'd always felt like I was a hacker at heart. Even before the Internet and vast interconnected systems, I learned to solder circuit boards solely to hardware hack my Atari disk drive to read double density 5¼-inch floppies instead of low density ones. But my professional experience in the computer industry harkens back to times when the Internet — the entire Internet! — could go down around the world for several days at a time because of attacks like Slammer and Blaster. Even The Onion poked fun at the situation!
Today, while more people than ever value the positive contributions made by the hacker community, we still have progress to make. Many still misunderstand what hackers do, incorrectly describing their activities as "twisting," "subverting" or "bending" systems for "nefarious" purposes. And there's still this tinge today that hacking is less legitimate than quality assurance or testing. Many believe that the practice is too unstructured, or simply unnecessary, because updated coding practices and the incorporation of security modeling have made software "secure enough." Nothing could be further from the truth.
Hackers play an essential role in making systems more secure. Increasingly, the very people who are integral to creating technology in the world recognize this too. More companies than ever have vulnerability coordination programs, which removes both friction and risk for a hacker who comes forward to inform a company about a vulnerability it should review. This is a great first step, and a non-trivial one, especially for larger companies. Even better is when a company's vulnerability coordination program is mature enough to layer on incentives (that is, add a Bug Bounty reward) to attract more reports from hackers. Wherever companies fall along the maturity spectrum, all of them understand that a productive relationship with hackers results in fewer vulnerabilities in their deployed code.
Even the very notion of disclosure has changed. Previously the ecosystem was so small, and resources so scattered, that Full Disclosure ahead of a fix was the common model. The industry didn't have good reward systems or standard methods of reporting. It simply didn't recognize that receiving this information made its customers safer. Fast forward to today, and we are much better at balancing disclosure and a fix through a system designed to take into account the hacker and their expertise.
Hackers are a diverse group with varying interests and abilities, running the gamut from professional teams to individuals doing some part-time software tinkering. We also find software developers who, while doing software research, discover a bug in someone's code and realize that an issue closed as something less severe might actually be a security vulnerability. It's hard to generalize or refer to hackers as one group without a measure of confusion or peril. Just ask Kristoffer Von Hassel. <g>
In fact, because hackers represent such a diverse group, HackerOne is constantly evaluating how to create unique opportunities and challenges for all parts of the community. We want to grow the community and find new, constructive ways to connect hackers to the companies or individuals who can address found issues and compensate them for it. This helps create a safer Internet for everyone.
Hackers are increasingly recognized as valuable contributors to security. They are more often properly seen as allies, and not adversaries. That recognition is earned by the curiosity and skill of those hackers who want to make the Internet safer. Happy Hacking.
– Stephen "Stepto" Toulouse