How Hackers Are Finding Advocacy: Top Hacker cdl Speaks on His Experience in the Hacker Success Program
Background@cdl:~$
Whether it's from live hacking events or informative Twitter threads, the handle cdl (Corben Leo) probably sounds familiar to many of you. Corben has been hacking with H1 since 2016. His prolific work is known throughout our community. As a hacker, he consistently finds spots on our leaderboards and snipes incredible bugs on the programs he chooses to engage. So, it begs the question-- what more can we do to support such a successful hacker?
In late October, we released a blog about a new program at HackerOne, the Hacker Success Program. Hacker Success Managers have been actively supporting hackers within their cohorts and continue to provide assistance on a wide-range of hacker related needs. This program is providing us opportunities to engage hackers in a more personalized way. By establishing these one-to-one connections, we can assure that a variety of interests specific to individuals can be met with a result. We interviewed cdl at H1-407 about his time spent with his HSM, Steve Hernandez. Let’s go over what he had to say.
Connecting With Our Hackers 🤝
The goal of the Hacker Success Program is an effort to drive hacker engagement and support on our platform. We are doing this by treating our hackers as we treat our customers– with attention, detail and 1:1 relationships. There was meticulous planning and designing to find lucrative opportunities and areas of potential growth we could use to enhance a hacker’s journey. So, it was great to know how cdl felt about meeting someone entirely new who had their growth and a plan in mind:
cdl >>
Well, at first– I was surprised and confused at what it really was. Like, what does HSM "Mean." At first, I thought it was just another marketing buzzword-- if I'm being honest. But then, as I met Steve and dug into it, I found out, "Wow, they're here to advocate for hackers." Like, that's awesome that there's someone we can reach out to if we have problems.
Before, it felt like if you weren't already connected with someone or had a previous relationship, you were just out of luck. Trying to get something resolved meant you'd have to jump through a lot of little hoops.
So, it became exciting when I heard what it was and how it worked. Since we had someone who cared about us, instead of feeling like, "Oh, HackerOne only cares about their customers." It's just really hard when hackers have been done wrong previously.
It is great having this advocacy and someone who wants to work with you-- or even push back if you are wrong about something. HSMs work with you to understand different points of view.
Yeah, I believe it's great. There have been many times when there might be miscommunications or misunderstandings between teams and hackers. So, having someone who can step in and say, "You should take a look at this again and make sure you're right about it." Since I've made assumptions about something I've reported before, and I thought it was done wrong, having someone else look over it with me allowed me to make more sense of it.
Or even the opposite, where the team gets a bug of mine, and they don't understand its impact, it is good to have someone help mediate with me. I do believe that it's indispensable.
Hacker Impact 🔥
The heart of the Hacker Success Program is focusing on the hacker’s unique and personal journey. Every hacker has specific interests, goals, expertise and skill sets that are unique to them. Our desire is to help each hacker discover and manage their next opportunity, because the complexity of navigating these various opportunities can be difficult. Regardless of your tenure in consulting or entrepreneurship, even veterans of the field can use direction. Usually, at higher levels, this is just being able to have additional eyes over the landscape you already stand on and give encouragement.
What is the impact our hackers within the program have been experiencing and seeing? Here’s a quick list:
Hackers have been onboarded for an opportunity to join our pentest community
A substantial increase in earnings year-over-year, and a substantial increase in high and critical submissions
Those in the program have been selected for speaking opportunities at multiple events (Security@, H@cktivityCon, webinars, etc.)
This is only the beginning for this program. It is important that hackers know they have someone to turn to for these improvements. This comes from a layered approach that defines focus areas that can help build new momentum. Hacker Success Managers are here to walk through each layer and be a strong advocate for those changes.
cdl >>
Steve and I had a call, and he asked me about next year's goals. It wasn't even necessarily just goals for bug bounty, but in general. I started talking about things that weren't bounty related.
Eventually, he did ask me, "So, you don't have any bounty goals or bug goals?"
And I was like, "Yeah, I guess I've seen the program OpenSea- they pay a lot, and I think it would be really cool to find a crit."
Steve supported me by saying, "Yeah, you should totally move into it and find a crit. I think you should definitely do it. I think you should set some time and actually set that as a goal for yourself."
So, he kind of pushed me in that direction- and within 24 hours I ended up finding a crit, then ended up finding 3 more. I ended up making 320k in the next three weeks, thanks to him. If it wasn't for an HSM I probably wouldn't have found it at all, taken the time to look, or set that goal.
So, even beyond the advocacy and support their encouragement really helps push us to go outside our comfort zone.
Best Foot Forward 👟
A key component to the Hacker Success Program is understanding critical issues our hackers are facing that we might not be completely aware of. It's up to us at HackerOne to ensure hackers can hack and are not impeded by roadblocks, ensuring they can have success and growth.
Diving into individual hacker’s stories allows us to see areas that require more attention. We asked cdl if he believed this program is an example of HackerOne doing its best to empower him as a hacker.
cdl >>
Oh yeah, absolutely! And I think that it's not only just good for security researchers but also helping grow the PERCEPTION of security researchers. Because a lot of the time people experience with security researchers is, "Oh, they've received an email from a security researcher who's submitted a vulnerability to them and the receiver can be haphazard about it, or they might feel threatened." So, having someone on your side that explains who you are helps you get on-boarded to a new program and cultivates a better relationship with their team.
Because, what isn't seen is that people receiving reports can sometimes be hesitant to the perceptions of hackers- but having someone in your ballpark to say "Hey, here are all these HackOne researchers who do have something to say in good faith." They help us align so it isn't this "Us v.s. Them" mentality.
HSMs are here to actually work with you and have someone else explain our side. Having something like this is just really good for the whole security research field.
Closing ✌️
Since beginning the Hacker Success Program, we have identified new and exciting opportunities for hackers, gained important feedback on how we can improve our platform and gleaned ways in which we can connect with our hacking community in a better way. As the program continues to grow and expand, we will iterate on our processes to ensure hackers continue to benefit from having an HSM.
So, what is the future of this program and how does it apply to you? This program started with hackers who are championing program success, platform activity, and who’ve been striving to see HackerOne grow. Our learnings from this initial group will provide the groundwork for continued positive outcomes in later cohorts.
We understand that not every person is at the same place in their journey. For instance, you might be at the point where you’re just hitting your stride in bug bounty. Or maybe you’re still learning the in-and-outs of what it means to be in bug bounty. Wherever you may be, we feel hackers deserve advocacy and the opportunity to have guidance in these pivotal moments. We want to expand this program. We see a future where we can impact people across the board at HackerOne. From those who just signed up for an account, to those gunning to be the next million dollar hacker.
Simply put, the future of this program is to expand this role further out into our Community. Our Hacker Success Managers are here to help make breakthroughs in hacker’s careers.
The 8th Annual Hacker-Powered Security Report