HackerOne Founds Council with Google, Intel, and Others to Advocate for the Protection of Good Faith Security Research and the Adoption of Cybersecurity Best Practices
SAN FRANCISCO, April 13, 2023: HackerOne, the leader in Attack Resistance Management, announced the formation of the Hacking Policy Council in conjunction with the Center for Cybersecurity Policy and Law and other leading organizations experienced in security researcher engagement. As a founding member, HackerOne will advocate for policies encouraging vulnerability detection, management, and disclosure best practices and improved protections for good faith security research.
“As the threat landscape continues to evolve, policymakers must consider how the hacking community can help organizations meet this challenge. The Council aims to advocate for policy outcomes that will best enable vulnerability discovery and disclosure and protect the hackers working to improve the security of the products and systems we all use,” said HackerOne Chief Policy and Legal Officer Ilona Cohen. “I look forward to bringing lessons from my background in the federal government and HackerOne’s work with the hacking community to inform the Hacking Policy Council’s agenda.”
As cyberattacks increasingly impact consumers, more businesses and governments have begun to recognize the benefits of security research to reduce the risk of a breach. However, misinformed and outdated notions about vulnerability disclosure persist, and some organizations still struggle to effectively adopt best practices like vulnerability disclosure programs (VDPs). Overly restrictive legacy laws create uncertainty that discourages good faith security research, and emerging legal requirements mandating rushed or premature vulnerability reporting can negatively impact collective cybersecurity efforts. A recent HackerOne survey also revealed 64% of organizations still admit to a culture of security through obscurity, which hinders industry collaboration and transparency.
HackerOne will address these challenges through the Hacking Policy Council by working with the security, business, and policymaking communities to:
- Promote collaboration across these communities for increased transparency and understanding
- Encourage a further cultural shift toward protecting and embracing good faith security research and ethical hackers
- Build a more favorable legal environment for and educate these communities on the benefits of best practices such as VDPs, pentesting, and bug bounty programs
- Drive policies that encourage hacker engagement and the adoption of vulnerability policies that increase all organizations’ resistance to attack
“HackerOne will always push to effect industry change that protects the research of the hacker community and enhances the security of our customers. These advocacy efforts contribute to our mission of building a safer internet,” said HackerOne CEO Marten Mickos. “Joining the Hacking Policy Council will strengthen our message and expedite how quickly we can reach policymakers to shape their agendas.”
The Hacking Policy Council builds upon HackerOne’s other advocacy efforts for greater Corporate Security Responsibility (CSecR). In March 2022, HackerOne announced the CSecR pledge for leading customers to advocate for improving industry collaboration and transparency. In September 2021, HackerOne expanded the Internet Bug Bounty (IBB) program, which pools funds for under-resourced open-source projects. Most recently, HackerOne announced its Gold Standard Safe Harbor Statement (GSSH), which acts as an opt-in default safe harbor statement for programs and clearly defines protections for hackers engaging with programs. The founding members of the Hacking Policy Council include HackerOne, Bugcrowd, Google, Intel, Intigriti, and Luta Security. You can read more about the Hacking Policy Council at HackingPolicyCouncil.org/.
HackerOne closes the security gap between what organizations own and what they can protect. HackerOne's Attack Resistance Management blends the security expertise of ethical hackers with asset discovery, continuous assessment, and process enhancement to find and close gaps in the ever-evolving digital attack surface. This approach enables organizations to transform their business while staying ahead of threats. Customers include Citrix, Coinbase, Costa Coffee, General Motors, GitHub, Goldman Sachs, Google, Hyatt, Microsoft, PayPal, Singapore’s Ministry of Defense, Slack, the U.S. Department of Defense, and Yahoo. In 2021, HackerOne was named a ‘brand that matters’ by Fast Company.