Cablej’s last two bounties earned him more than $5,000. Johnny has found almost 10 bugs for the U.S. Department of Defense. Cache-money has, in the past year, found bugs for Uber, Paypal, the Department of Defense, New Relic, and GitHub.
At Security@ 2018, we invited these three hackers to participate in a panel discussion moderated by Bree Fowler, Electronics Team Editor at Consumer Reports. Each hacker, all of whom rank in the top 100 on the HackerOne platform, talked about what motivates them, what organizations can do to attract more of the best hackers, and how hacker-powered security makes the internet safer while also helping them be better hackers.
Motivated by the Challenge
So what does motivate the best of the best hackers? Yet again, this panel reiterated that the common motivation for hacking is not money. “I enjoy it for the challenge,” said Johnny. “That’s one of the biggest motivators.” Cache-money agreed, saying that “the challenges are awesome (because) it’s kind of a puzzle.”
Just as motivating is the opportunity to learn, together with the sense of helping secure the internet. Johnny noted that the “sense of impact” was a big benefit of hacking, since the bugs hackers discover can have huge consequences not only for the organizations they’re helping directly but, with disclosure, for hundreds of other organizations across the globe.
Of course, money is always nice. “Getting a big, fat bounty, that’s a pretty good feeling,” added the hacker with the fitting handle, Cache-money. But all three hackers also pointed to products or services as an additional reward that can be used in place of money. GitHub, said Cache-money, gave away a lifetime subscription to their service as a bounty. “For developers, that’s awesome,” he added.
Beyond being an inexpensive reward for the organization, giving your product to hackers has a security benefit of its own. “You’re exposing more surface to the people you’re working with,” explained Cablej. “If you offer trials or free (products), those hackers are going to have more surface exposed to them. It’s mutually beneficial.”
Communication is Key
With learning new things and being challenged as primary motivators, Fowler asked the hackers what organizations could do to attract hackers and get their bounty programs off to a good start. Communication was overwhelmingly the top ask. “Communications is very important,” said Cache-money. “When you see a company respond quickly and pay bounties quickly, that’s really motivating.” He added that speed also shows how much organizations value the work done by hackers.
“Communications is one of the most important parts of the bug bounty program,” added Johnny. “One of the biggest aspects of that is building a relationship with the company.” Those relationships pay dividends in hacker participation and loyalty, and both lead to more bugs found, simply because returning hackers grow familiar with the products being targeted. What’s more, when hackers return to the same programs, they know what to expect and, more importantly, what the organization’s security team expects of them.
These relationships, the hackers explained, are reinforced at HackerOne’s live hacking events. “Having interactions with people who work there and are improving security, and (hearing) that they appreciate your work, is a fantastic experience, especially at live hacking events,” said Johnny. The benefit, he added, comes from talking with the developers of those systems and the teams securing them, and from having a “mutual understanding that you’re both looking for the same things.”
Benefits of HackerOne
Working on the HackerOne platform also has benefits for the hackers. It lets them quickly find and participate in programs, and gives them confidence that the organizations really want their help and will pay for it. “You don’t have to wonder or search for a VDP or bug bounty,” said Johnny. “It’s a formal way for you to interact with them.”
Another benefit of HackerOne’s platform, according to the panel, is how easy it is to find a program and get started. “There are so many targets on HackerOne,” explained Cache-money. “There are hundreds of companies to choose from,” and, he added, with a platform like HackerOne you know it’s legit. “A lot of times you don’t know what you’re going to get paid through other channels,” he said, explaining that HackerOne’s program visibility lets hackers see bounty values, past reports, and how much was actually paid for different vulnerabilities.
Get Inside the Hacker Mind
Fowler continued digging into the motivations and mindsets of the hackers, what’s fun for them, what advice they’d give to aspiring hackers, and how hacker-powered security has evolved over the past few years. Stay tuned, however, as you’ll be able to watch this panel, and all the Security@ sessions, when they’re posted.
To learn more about HackerOne’s community and how hacker-powered security can improve your security posture, contact us today.