Meet the Middlemen Who Connect Hackers for Hire With Corporate America
To gain access to an elite network of hackers, you need a hookup. You need to know a guy. And that guy doesn’t make the connection for free. To the contrary. There’s a nascent group of companies whose business it is to make that connection.
HackerOne is one such company. And it’s got some mighty giant companies on its client list. Take Uber, for one. Other clients of the San Francisco-based tech startup include General Motors, Yahoo, Twitter and Salesforce.
Co-founded by the former Facebook security engineer who formalized the social network’s process of engaging with the hacker community, HackerOne helps companies coordinate bug bounty programs. What that means is that it helps companies invite hackers to find vulnerabilities in their software and applications. If a hacker finds a bug, then HackerOne helps the company pay out the cash prize. It’s not necessarily easy to remit payment to a teenage hacker in Siberia who doesn’t even have a driver’s license. For the middleman service, HackerOne charges a 20 percent commission on whatever the hacker is paid.
Similar to HackerOne, Bugcrowd connects “good hackers” with companies looking to vet and verify their security systems. Bugcrowd charges clients a subscription service fee or a project-based charge -- and business has been good. The San Francisco-based security startup reported 300 percent revenue growth last year over the previous year.
Bugcrowd has compiled a fairly comprehensive list of the companies that are currently offering some sort of bug identification program. They include AT&T, Dropbox, Etsy, Facebook, Microsoft, PayPal, Samsung, Snapchat, Tesla and Twitter.
Google has a public bug bounty program that offers rewards of up to $100,000 for hackers who can find vulnerabilities in its Chrome software. The size of a bounty slides based on the severity of the bug, but most bounties range from a few hundred dollars to several thousand.
It may feel ironic to see some of the biggest names in tech jumping through hoops to get in touch with the hacker community. But more than anything, when a company liaises with the hacker community, that’s actually a sign of sophistication. No matter how good a tech team is, hackers can always make systems better.
“In an ideal world … you would have bulletproof security. You would be able to hire a security team that is going to keep pace with the actively changing code and find all of the vulnerabilities. The reality is there is not a single organization on the planet that has achieved that despite massive amounts of spending on security,” says Alex Rice, the CTO and co-founder of HackerOne. “The idea of bulletproof, vulnerability-free software is just a utopia that we as an industry haven’t figured out yet.”
No doubt. We live in a world where cyber attacks are as common as Mondays. Recent hacked companies include Verizon, T-Mobile, the Internal Revenue Service, Target, Staples and Sony. And the cost of those security breaches is staggering. By 2019, the cost of cybercrime globally is expected to surpass $2 trillion, according to an estimate by market research firm Juniper Research.
That’s why Uber recently announced that it was offering as much as $10,000 to hackers who identify bugs in its system. Uber’s bug bounty program will be coordinated and administered by HackerOne. Last year, Uber launched a private bug bounty program among 200 security officers, and those hackers found almost 100 bugs in the transportation app’s software. Now, the ride-hailing tech giant is opening its bug bounty program up to any hacker who is interested in giving Travis Kalanick a run for his money.
“Today there is a growing trend of large companies … who provide these bug bounties for hackers to find vulnerabilities in their network or in their application,” says Darren Hayes, assistant professor and director of cybersecurity at Pace University’s Seidenberg School of Computer Science and Information Systems in New York. “It’s really important that companies do this and offer an incentive to find a vulnerability, rather than one of the bad guys finding a vulnerability and doing something nefarious on their network.”
Opening a bug bounty program up to the public is a sign of confidence and humility at the same time. It signals that a company is confident enough in its software to invite the best computer brains out there to find holes, but it’s also a recognition that even the best teams of software professionals are fallible.
“Even with a team of highly qualified and well-trained security experts, you need to be constantly on the lookout for ways to improve,” says Joe Sullivan, the chief security officer at Uber, in a statement unveiling its bug bounty program. “This bug bounty program will help ensure that our code is as secure as possible.”
Of considerable note, Apple doesn’t currently pay hackers to find bugs in its system. Perhaps it should, though. As it stands now, if a hacker finds a security vulnerability in an Apple product, there’s not much incentive to deliver the bug to Tim Cook.
“If you’re an individual who is a software developer or a security researcher and you have to choose between getting $100,000 and not fixing the vulnerability and turning it over for free to do the right thing, it’s a choice that is unfair for us to ask anyone to make,” says Rice. “There are very few people, no matter how strong of a moral compass they have, who would turn down something like that when it’s not clearly criminal or even malicious.” Hackers are, despite all of their computer wizardry, after all, only human.
Bug bounty programs aren’t only for the Googles, Ubers and Apples of the world. Quite the contrary. Soliciting the expertise of a professional hacker can be an efficient way for a smaller business to verify its own network’s security. That’s because you only pay for the expertise when you have a problem. “It’s like getting a consultant to find security vulnerabilities on your network but not worrying about paying any overhead for that individual. You are only paying somebody if they find a vulnerability, which is even better than hiring some consultants,” says Hayes. “You are only paying the best of the best who can find these vulnerabilities.”