Maintaining the Intelligence Edge in Cybersecurity

This $300 million not only reflects a decade of making the internet safer but also serves as a beacon to the brightest security minds worldwide. They form the world's largest assembly of ethical hackers, encompassing diverse expertise such as bug hunters, security researchers, penetration testers, source code reviewers, attack surface reconnaissance experts, and security leaders for hire. 

The HackerOne community is the planet's most expansive human intelligence network dedicated to cybersecurity. These ethical hackers are indispensable; 70% of our customers credit their efforts for averting significant cyber incidents.

This is why Dr. Craig Martell, Chief Digital and AI Officer for the U.S. Department of Defense, ventured to DEFCON this year with a call to action:  “I am here today because I need hackers everywhere to tell us how this stuff breaks.” 

Dr. Martell was referring to AI deployments. At HackerOne, we make them and we break them. We have been deploying Machine Learning and, lately, Generative AI functionality in our software platforms in order to make hackers more productive and customers more successful. 61% of ethical hackers plan to use and develop hacking tools using GenAI to find more vulnerabilities. Many intend to specialize in the OWASP Top 10 Vulnerabilities for Large Language Models (LLM). 

Two years ago, we did our first AI Red Teaming exercise for a customer, looking for algorithmic bias in one of the top social media platforms. Today we are working on another AI Red Teaming exercise to evaluate the ability of a text-to-image AI functionality to produce unacceptable content. The results are prompt and impressive, helping our customers to quickly contain the dangers of an LLM deployment.

This year, HackerOne has signed up leading AI companies as new customers. Our existing customers are expanding the scope of their bug bounty programs to include AI deployments, too. With new source code being produced by Copilot and other such tools at rapidly expanding rates, there is even more code to review and test for security vulnerabilities. 

We make sure we are there to provide peace of mind at all steps of the AI-empowered software development lifecycle:

• Security Advisory Services to set up a secure SDLC with security by design and defense in depth
• Source Code Security Audit at time of development
• Pentest and AI Red Teaming at time of deployment and at regular intervals to test the application and validate test coverage
• Continuous Bug Bounty testing to provide superior results over time

The perennial problem of lack of talented testers is solved by using external security researchers who have gone through thorough vetting and skills testing.

Reflecting on the evolution of ethical hacking, this practice started in earnest when Microsoft, Facebook, and Google made strategic decisions a dozen years ago to operate bug bounty programs in order to reduce their risk of breach. HackerOne was established to take the best of this practice out to the world. 

We soon signed up Yahoo, Twitter, Uber, Snap, and General Motors as customers, to name a few. The Department of Defense hand-picked HackerOne to run Hack the Pentagon. Today the vulnerability disclosure program of the DoD is the world’s largest, with nearly 50,000 vulnerability submissions received. The vulnerabilities hackers find are of the exploitable type that otherwise likely would lead to compromises and data breaches.

We have come to the point where the government is requiring this practice. Long a best practice in the NIST Cybersecurity Framework, vulnerability disclosure is now mandated for federal government agencies. CISA is coordinating the disclosure of, the hunt for, and the drive to mitigate critical and exploitable vulnerabilities. In March of 2023, the White House stated, “The Administration will encourage coordinated vulnerability disclosure across all technology types and sectors."

Once a novel practice favored by progressive tech companies, vulnerability disclosure is today a must-have practice for anyone who develops and deploys software. If you are not doing it, you are falling behind.

There is no security without humans working on it together, and there is no security technology that will not be empowered by Generative AI. Human intelligence at scale is coming together with artificial intelligence at scale. The adversaries are moving fast. The defenders, moving together in larger numbers, have the opportunity to outmatch and outperform the threats.

At HackerOne, we have cultivated the world’s largest community of security researchers, including pioneering experts on the weaknesses of AI deployments. We are empowering our hackers and customers with GenAI functionality. It’s about the intelligence — both forms of it.

Marten Mickos
CEO, HackerOne