By: Laurie Mercer, Security Engineering Lead at HackerOne
Myth #1: Bug Bounty Programs Have to Be Public
Public bug bounty programs are a way to publicly demonstrate how secure your products are. “If you don’t think our service is secure, we invite you to find a bug!” However, not all bug bounty programs are public.
In fact, the majority of bug bounty programs are private. 80% of HackerOne programs are private, invitation-only bug bounty programs. In a private program, a smaller group of hackers is selected and invited to find bugs. The selection is usually based on experience, specialist skills, location and availability. Every report, every participant, every bounty reward, every aspect of the program is kept private.
Most organisations begin with a private program and then ‘go public’ only after the vulnerability handling process is well-rehearsed, the bounty budget forecasted, the legal and marketing teams briefed, and the DevSecOps communications streamlined.
The main benefit of going public is that organisations can attract the largest number of security brains. Given enough eyeballs, all bugs are shallow. Public programs have the largest volume of valid vulnerabilities. But many don’t realise that even with a public program, individual bug reports can remain private or be redacted before disclosure.
HackerOne allows organisations to control the disclosure process. Whilst we publicly disclose all fixed bugs submitted to our own HackerOne public bug bounty program, we know that this is not everybody’s cup of tea, and we support different ways of publicly acknowledging the wonderful work of security researchers.
Myth #2: Bug Bounties Have To Be Continuous Throughout the Year
Not at all. While many of our customers run continuous bug bounty programs, an increasing number choose to run a time-limited HackerOne Challenge, the hacker-powered pentest alternative. These hacker-powered pentests involve testing against a defined scope using a fixed number of hackers, from 5 up to 300, in a time-bound engagement. Just like a traditional pentest, they can fulfil PCI DSS and SOC 2 compliance requirements while harnessing the power of hacker-powered security.
HackerOne Challenges can replace traditional “point-in-time” pentests, making more efficient use of skills and making tests easier to schedule. With HackerOne’s hacker-powered pentests, our customers benefit from more eyes, more diversity of skills, and “on-tap” availability of our global community. This results in more valid vulnerabilities; in fact, HackerOne pentest customers can see up to 600 percent ROI compared to traditional testing.
After a challenge has finished, the bugs that have been found can be remediated and retested with the help of the community. With every bug fixed, your products will be more secure, your secure SDLC will be improved, and the digital world will be safer. Once you have the ability to quickly fix the bugs that you find, you’re ready for a continuous engagement.
Myth #3: You Have to Award Bounties to Work with Hackers
A Vulnerability Disclosure Program (VDP) is a way to receive vulnerability reports from outside your organisation with no financial incentive. Like the 911 of the internet, a VDP provides a channel for reporting and receiving digital emergencies.
The primary purpose of a VDP is to have a public, well-defined way of receiving vulnerabilities from external security researchers. In doing so, organisations avoid surprises like a vulnerability disclosed on Twitter or through their customer service channels. Several governments and companies host their VDPs on the HackerOne platform, including Equifax, Alibaba, General Motors, Toyota, Ford, IBM and many more. The U.S. Department of Defense recently reported that it has received over 10,000 vulnerability reports through its VDP.
On the other hand, there is a competitive bounty market for bugs. The average bounty paid out is $800. Some are lower than that, and some are much higher, up to $1,000,000. The amount depends on the severity of the bug and the skill and effort required to find it.
We recently analysed our database of vulnerabilities (120,000 and counting!) to calculate which categories are worth the most to our customers. We found ten vulnerability types that have collectively led to $55 million in bounty payouts. Rather interestingly, there are notable differences between that list and the OWASP Top 10.
Every bounty is paid directly and promptly to a hacker’s bank account in the currency of their choice. As well as allowing customers to tap into the global talent pool, this has also produced a handful of rockstar hackers who have earned more than $1 million in bug bounties. Santiago Lopez, a 19-year-old hacker from Argentina, was the first. HackerOne is proud to create such millionaire hackers while improving the security of the internet.
Myth #4: Bug Bounties Don’t Encourage Developers to Communicate with Hackers
Every bug that is fixed makes our digital lives safer, and it is developers who do this heroic work. Developers don’t want to navigate a 100-page PDF report. Developers don’t want to read irrelevant tool output. Developers are unlikely to attend your 90-minute online seminar reviewing pentest results at 9am.
That’s why the HackerOne platform allows developers to communicate directly with hackers, on their own schedule and in their own way. With the ability to tag people, to assign a vulnerability to different groups, and to add your contractors and vendors to a report, the HackerOne platform is designed to make communication and collaboration as streamlined and as simple as possible.
That’s why the HackerOne platform integrates with development tools like Slack, Jira, Zendesk, and ServiceNow, providing a direct line from the researchers to the internal development team.
That’s why the HackerOne community can add such value to organisations. By connecting dev, sec and ops to external researchers, teams can learn how to detect, fix and prevent similar bugs from being introduced in the future, increasing the security of your applications over time and making a safer digital world.