Using Bug Bounty Talent Pools to Attract and Maintain Top Talent

Security leaders today face a complex set of talent challenges—from training on the latest attack vectors, to finding talent with the right skills, to preventing burnout. HackerOne demonstrates its commitment to the security community by supporting each of these talent challenges. 

On the training side, HackerOne Hacktivity is the largest directory of disclosed vulnerability reports, serving as an up-to-the-minute learning resource for security professionals. HackerOne also maintains the open source Hacker101 collection of videos, resources, and activities to equip security professionals with the skills to effectively identify application vulnerabilities. As part of Hacker101, Capture The Flag (CTF) activities allow participants to practice their skills in real-world challenges. 

To address the talent search, many HackerOne customers hire hackers from their bounty program. In a private bounty program, or a live hacking event, you specify the number of hackers you want and the skills they need to bring to the table. By working closely with hackers, your security team can evaluate their security skills and also their communication and general work style.

At our recent Security@ conference, a panel of three security engineers who also hack on the side said that training and hiring often go hand-in-hand. Hacktivity and plenty of elbow grease helped panelist Peter Yaworski effectively transition from a government role to a coveted job as an Application Security Engineer with Shopify. Because Shopify discloses its reports on Hacktivity, Peter was able to learn their systems and program, and this earned him an invitation to the the H1-415 live-hacking event in San Francisco. “Here was this entire library of disclosed Shopify reports that I could learn from. It was a real turning point.” In 2017, Shopify hired Peter.   

When asked by panel moderator Chloe Messdaghi what drew him to his role at Dropbox, Nathaniel Lattimer cited the smarts of his colleagues. One person on his team is a member of PPP, one of the top-ranked CTF teams. “I wanted to have an opportunity to be in this environment and learn from these people. And it’s been an amazing experience to learn the technical side as well as the softer skills I didn’t realize I needed to develop.”

The three panelists—Tanner Emek from OneLogin, Nathaniel Lattimer with Dropbox, and Peter Yaworski at Shopify—said it takes work and discipline to avoid burnout. Tanner, for instance, makes sure hacking doesn’t interfere with his job or personal life by approaching it as a hobby. For instance, this means not attaching goals to his hacking. “Once I’ve set goals, it feels like work, and I want to keep hacking fun.”

Another proven way to alleviate stress is tapping into the on-demand security skills in the HackerOne community. HackerOne works tirelessly to grow our community, now numbering more than 600,000 hackers possessing every imaginable skill. Putting this community to work strengthens your organization’s security posture, frees up internal teams to focus on core processes, relieves stress, and cuts down on burnout. 

Nextcloud Founder Frank Karlitschek put it this way, “We obviously can’t hire enough engineers to protect against every possible vulnerability, but we can use our bug bounty program to add on-demand expertise where we need it and continuous coverage nearly everywhere else.” You can check out the Nextcloud customer story over here.

Hacking != Security Engineering

All three panelists caution that, while similar, security engineering and hacking are not identical. Peter strongly encourages companies to send recruiters to live hacking events and to hire hackers, though he says “it’s not a silver bullet.” Hackers do bring deep understanding of different vulnerability types and their impact. Once he began working as a security engineer, Peter acknowledges he had to develop new skills such as how to work collaboratively with development team. Other things you’re not likely to learn through hacking, and that are essential to being an effective security engineer, include helping with the fix and with rolling it out, performing root cause analysis, and making sure it doesn’t happen again. 

Nathaniel encourages leaders to look to the hacking community as a great source for raw security talent. “The hacking community is an amazing talent pool with strong security skills, and it’s important to recognize that hackers may need to learn additional skills to be as effective as possible as a security engineer. For instance, hackers often limit their thinking around a fix to the bug in front of them, and so there’s an opportunity to gain a broader perspective about fixing bugs more holistically, and even designing applications that prevent them from happening.” 

For Tanner, the hacking mentality translates extremely well to his role as a security engineer. “At live hacking events, the organizer invites some of the best hackers to describe their reports, and this is an incredible way to learn. We are all looking at the same targets, and so I had the same opportunity to find the bug, and you learn these incredibly creative techniques that you can apply on the job.” Hackers’ emphasis on impact makes them great security hires as well. “In order to get paid, you have to be able to create a POC and demonstrate impact,” says Tanner. “This offensive perspective is something you don’t always get with people that have always been on the defensive or remediation side.”

Be sure to check out the full Security@ video for additional insights on how OneLogin, Dropbox, and Shopify support their security engineers who hack and give back to the hacking community.