With over one million hackers making up the HackerOne community, there’s more diversity of skill, approach, and personality than any security team in the world. At the launch of the 2021 Hacker Report, we catch up with three hackers, representing three very different approaches to hacking: the pentester, the VDP hacker and the bounty hunter. We asked them what makes them stand out in the community, what motivates them, and some of the ways they’ve made a difference to the organizations they work with.
Leandro Barragan, a.k.a @none_of_the_above, has been hacking for 6 years and surfaced over 300 vulnerabilities for HackerOne customers. Leandro would call himself a “generalist pentester.” “I have a broad range of knowledge from my background as an engineer and adapt quickly to new ventures and fields. Technology develops so fast that it's really hard to keep up, but being self motivated to learn really helps when you need to understand how to attack a whole new product in a couple of days. Sometimes it's not a matter of skill, but of tenacity, mindset, and persistence.”
Leandro is one of the growing ranks of HackerOne’s professional pentesters delivering hacker-powered pentests that harness the expertise of the global hacking community and deliver results in real time.
“The most interesting pentest I’ve worked on had a web application in scope with a distinctive feature,” continues Leandro. “It was only accessible via a Remote Desktop Protocol connection to a virtual machine running on AWS, which was only allowed to run a web browser and nothing else. Our objective was to test if there was any way to leak information from this restricted environment to the outside world. We ended up executing arbitrary code on the machine, rooting it, and bypassing the restrictions to communicate with external hosts using two different "side channels." The job felt like a game and utilized our most creative approaches.”
For Leandro, hacking has become a lucrative career. Outside of money, learning and career development are top motivations for hackers with 85% of them doing it to learn and 62% doing it to advance their career. Alfie Njeru, a.k.a @emenalf, has been hacking for 8 years and surfaced over 80 vulnerabilities for HackerOne customers. Alfie exclusively hacks on vulnerability disclosure programs (VDPs) to build his skills. “I understand that money is a big motivation when it comes to bug bounty but, on the flip side, VDPs provide an opportunity to test out my skills and tools without fear of litigation.”
While 57% of the community actively hacks on VDPs, half of those who do haven’t reported a bug because of a lack of a clear reporting process, or a previous negative experience with a company. Alfie recommends adopting a VDP because “wouldn’t you rather know if you were hacked? A VDP provides a platform for hackers to report security bugs that the organization can then remediate. Right now, many researchers still choose to withhold disclosure for fear of litigation. However, we are starting to see more organizations develop VDPs, and government adoption is helping educate and encourage others. Trust me, you are better off having a VDP!”
For many hackers, the transition from learning to earning starts with a CTF. Last year saw 66,000 hackers finding 420,000 flags in CTF challenges, up from 49,000 hackers finding 317,000 flags in 2019. Robert Vulpe, a.k.a @nytr0gen, has been hacking for four years and has surfaced over 100 vulnerabilities for HackerOne customers. Robert is one of the top CTF hackers on our platform. He describes his development since his first CTF: “I remember I got stuck somewhere in the middle and was not able to continue, but I learned from those mistakes and, fast forward to the last CTF, other hackers were sending me messages about how much they'd learned from my writeup. I love the challenge and the process of learning. It takes a few hours usually to find a solution but always when I see it, it seems obvious!” Robert recognizes the growing opportunities with greater adoption of hacker powered security: “I now have the opportunity to hack some of the biggest companies in the world, completely legally and, on top of that, I get paid to do it - for someone like me this seems like a fantasy for my younger self.”
Hackers are always looking for the next challenge, a fresh scope and the opportunity to find an impactful bug that could make all the difference. Customers benefit from this drive and the ‘always on’ nature of engaging a global community to protect them. The findings speak for themselves with huge increases in reports across all bug categories a 53% rise in submissions for both Improper Access Control and Privilege Escalation. Reports for Misconfiguration, no doubt driven by the pandemic-led shift to the cloud, grew by 310% in 2020, according to HackerOne’s vulnerability data.
Knowing about your weaknesses and being able to take the necessary steps to mitigate against risk is the first step to building more secure systems and products. Find out more about how the hacker community can help you scale in these efforts by downloading the 2021 Hacker Report.