While there are many interpretations of the word "hacker," we choose to pay homage to the original MIT hackers by using the term in our company name. We favor their early definition of a hacker: "one who enjoys the intellectual challenge of creatively overcoming limitations."
To help you better understand what the HackerOne name means to us and the vulnerability coordination and disclosure process that we host using our platform, let's first acknowledge that vulnerability disclosure has come a long way.
Overall, I'm excited that the world has evolved enough to embrace a better approach in working with hackers. But this was not the case just a short time ago. Remember the gag orders at Blackhat? Or how about when the Boston Subway authority sued MIT students? Sony vs. Geohot? Vulnerability disclosure has been historically treacherous. As Alex Stamos, (CISO of Yahoo!) reflects: "You'd get your door kicked in."
This kind of hostile reaction from organizations is outdated and discourages hackers from reporting security issues that would help protect consumers and businesses alike. This shouldn't be the case when ISO standards exist and provide guidelines to manage this process. An ever-increasing number of companies have come forward with further support of research, some rewarding tens of thousands per discovery which supports full-time bug hunters. These recent developments make the public uneasy when organizations do not openly welcome research.
I started working at Facebook after disclosing security issues to them in 2006. The early Facebook team had great relationships with their hackers and allowed them to positively influence security. Elsewhere, at the same time, Samy Kamkar was being treated much differently by MySpace and the Patriot Act. Samy didn't know me at the time, but this contradiction influenced me greatly.
I worked to get vulnerability disclosure formalized shortly after joining Facebook in 2007. Later, I upgraded it with Alex Rice until we had an outstanding bounty program that treated researchers well and greatly influenced Facebook Security. It was our most important contribution to Facebook, but it was only successful because of its hackers.
Understanding the hacker's experience is crucial to vulnerability disclosure. Hackers value the rush of adrenalin involved with a discovery. The truth is that the discovery of a new vulnerability bombards its finder with competing emotions, ethical dilemmas, and critical choices. The hacker has an empowering feeling to know they have valuable information.
The moment a hacker first finds a vulnerability is pivotal in terms of the choice they have on what to do with their discovery. Some hackers choose to use their powers for good, some just want to watch the world burn. Too often uncertainty surrounding the outcome leads to the tragic decision of doing nothing at all.
For all this hacker knows, they were the first one to find this vulnerability.
If you can steer the first hacker on every vulnerability toward doing the right thing, then we believe you have helped improve the Internet. This is why we're focused on a mission to empower the world in building a safer Internet. We want hackers to be protected, acknowledged, rewarded, and encouraged to do the right thing, all while making it easier for organizations to respond to vulnerability reports.
Let's not ignore that hackers still face problems when trying to report vulnerabilities, and respect the hackers who stuck their necks out before now. We are making progress, but this journey is far from over. Let's celebrate and support hackers by helping that first hacker, Hacker One.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.