Building the world’s largest bug bounty platform

Over the years discovering bugs in common software program, apps and on-line providers has turn into fairly the profitable enterprise for enterprising hackers. In truth a few of these hackers and safety researchers have even turn into millionaires due to bug bounty applications. In addition to getting paid for locating vulnerabilities, their work helps a few of the world’s largest firms enhance the safety of their merchandise to higher defend their customers.

The bug bounty platform HackerOne helps join these firms to moral hackers throughout the world. To be taught extra about how the firm bought began and the varied bugs which have been found by its neighborhood over the years, TechRadar Pro spoke with HackerOne’s CTO Alex Rice.

HackerOne Early Days

(Image credit score: MSNBC)

What led to the creation of HackerOne again in 2012?

Organizations of all styles and sizes now use hacker-powered safety, however this wasn’t at all times the means.

Before HackerOne, I used to be head of product safety at Facebook. One of the only issues we did was to say to hackers on the market: “We want your help. Find a bug, find a vulnerability, let us know and we’ll reward you.” The program went on to pay out over $10M and enhance the safety of the product greater than anybody may have imagined.

Fast ahead to as we speak and HackerOne is the most profitable hacker-powered safety platform in the world. Over 2000 organizations have partnered with the hacker neighborhood to uncover 181,000+ verified vulnerabilities. Those hackers have been rewarded over $100M for making the web a safer place.

How has your background as a safety engineer and researcher influenced the work you do as we speak as HackerOne’s CTO?

At HackerOne I’m liable for growing our know-how imaginative and prescient, driving engineering efforts, and counselling clients as they construct world-class safety applications. I’m motivated at first by a conviction that know-how can enhance our lives for the higher. But basic challenges with safety and privateness typically maintain us again. We want reliable know-how, and my expertise as a person researcher taught me that we’ll by no means get there alone. We want thousands and thousands of us working collectively, disclosing classes realized, and pushing each one in every of us to do higher.

What influence do you suppose your platform has had on the means vulnerabilities are recognized and reported?

At HackerOne we associate with the international hacker neighborhood, to make sure organizations are conscious of any safety points earlier than these will be exploited by criminals. The unbelievable creativity, range, and persistence that you simply discover inside this distinctive neighborhood ensures organizations are far safer than they’d be on their very own, and that the folks relying on them are safer.

We even have totally different applications and choices obtainable for purchasers, making certain they get the finest help potential, after they want it. It is vital that companies will not be solely conscious of the place the dangers are, however that vulnerabilities will be managed and glued. At HackerOne clients can go for a wide range of options obtainable from pentesting, by way of to private and non-private bug bounties, and, most significantly, vulnerability disclosure applications.


(Image credit score: Shutterstock / Gorodenkoff)

Can you inform us extra about your organization’s vulnerability database and the way you retain monitor of all of the bugs submitted by safety researchers?

We keep the largest and most authoritative database of vulnerabilities in the trade and our reward program encourages our hacker neighborhood to determine and submit vulnerability experiences on all the pieces from web sites, APIs, cell apps, {hardware} gadgets, and an more and more numerous and huge array of assault surfaces.

In phrases of how we preserve monitor, there’s a transparent course of for our hackers to comply with. Once they’ve signed as much as a HackerOne account, they will seek for a collaborating program and begin hacking. If they discover a vulnerability they then use the HackerOne Directory to search out the finest method to contact the organisation and submit a report. The firm will then evaluate the contents and reward legitimate findings.

Of the high ten most impactful and rewarded vulnerability sorts in HackerOne’s new report, which one do you see as the best risk to organizations as we speak and why?

Cross-site scripting (XSS) vulnerabilities. This is the second 12 months working they’ve topped our listing as they proceed to be a significant risk to internet purposes and account for 18% of all reported vulnerabilities. Attackers exploit XSS assaults and achieve management of a consumer’s account to steal private data comparable to passwords, checking account numbers, bank card particulars and extra. Our clients awarded over US$4.2 million in whole bounty awards, up 26% on 2019.

Common vulnerabilities comparable to XSS are sometimes dismissed by CISOs keen on chasing “threat du jour”, however hackers constantly present us that these uncared for finest practices proceed to be one in every of the only methods to compromise private knowledge.

What kinds of vulnerabilities pique your curiosity the most?

Right now I’m fascinated by seeing what occurs with SSRF (Server Side Request Forgery) vulnerabilities that are rising in prevalence as cloud migrations are underway. Historically, SSRF bugs have been pretty benign, as they solely allowed inner community scanning and generally entry to inner admin panels. But on this period of speedy digital transformation, the introduction of cloud structure and unprotected metadata endpoints has rendered these vulnerabilities more and more essential.

Two People Working on Laptop

(Image credit score: Pexels)

What recommendation would you give to a enterprise trying to implement a bug bounty programme for the first time?

Crawl, stroll, run. Your enterprise would not have to leap in head first. Businesses can restrict the variety of hackers concerned with a personal program. Use this functionality to launch in a managed trend to make sure you have a transparent coverage, functionality to successfully triage and root trigger evaluation, and you’re continuing at a manageable tempo in your growth groups. Running too quick, typically results in knee-jerk whack-a-mole and deferment of crucial funding in your core safety practices.

How ought to companies set about assigning financial worth to the discovery of a specific bug?

For starters, do not pay for a specific bug. Start with a vulnerability disclosure program that merely establishes a course of for receiving vulnerabilities from exterior finders with out promise of a monetary reward.

From there, begin with a small personal program on a few of your extra hardened assault floor. Our staff can work with you to match your chosen assault floor towards our benchmark knowledge for comparable organizations with a aim of attracting an preliminary baseline of consideration from the neighborhood earlier than scaling up rewards as your assault floor hardens.

Monetary worth will usually depend upon how essential the bug is, the extra extreme the vulnerability, the extra the reward. In our current 2020 Hacker Powered Security Report, we found the common reward for all vulnerabilities of any severity was $979.


By admin

Leave a Reply

Your email address will not be published. Required fields are marked *