Every organisation with an online presence, be it a web app, website or smartphone application, runs the risk of cyberattacks. Even with the best written code, vulnerabilities can creep in.

“Everyone that has an online web estate has vulnerabilities. To say that you're impenetrable is ridiculous. Not even GCHQ would say that,” says Laurie Mercer, security engineer at HackerOne.

Companies put considerable effort in to root out such vulnerabilities, but depending on resources, as well as the scale and complexity of the code, this can be an immensely time-consuming task.

“Some companies can take six years to fix a vulnerability, whereas some companies can take a few hours,” he says. “And some companies can take a very long time to find them in the first place, and some can find them in a very short time period.”

For many companies, an in-house team isn’t the most efficient approach to finding potential rogue paths into the system. But HackerOne has another approach: hackers.

From personnel-first to technology-first: modernising threat intelligence

HackerOne provides what it calls a “hacker-powered security platform”, which connects companies and ethical hackers to effectively crowd-source vulnerability hunting.

“We are essentially a two-sided marketplace with HackerOne in the middle. On the left we have our customers who tend to be organisations who have what we call a footprint or an attack surface. On the other side we have hackers,” says Mercer.

These hackers, otherwise known as researchers, come from all over the world, and typically do the work as a side-gig to a full-time job.

“The researchers essentially will find vulnerabilities in the assets of the customers and report them in a structured way through our marketplace. And in return the customers will pay them money, which is what we call a bounty,” he says.

“We've paid £22m in bounties so far. And that's amongst about 63,000 vulnerabilities.”

“We've paid £22m in bounties so far. And that's amongst about 63,000 vulnerabilities.”

The amount paid per vulnerability varies wildly by project, with a select few offering very high payouts.

“There are very few vulnerabilties that have a very high bounty, and then lots and lots of ones that have a much lower bounty.”

With 1,000 customers, HackerOne helps companies with a wide variety of needs – some of which are very confident in their systems.

“I don't think we ever have a customer that comes to us and saying that you're not going to find anything, but we do have customers coming to us saying you're not going to find much,” he says.

“And that's always fun, because sometimes they're right, but equally sometimes they're wrong.”

One eye on the money

While the hackers are paid individually, this does not mean the companies have to issue individual payments. Instead they agree a fixed pot at the start of the bounty programme that HackerOne manages and issues to successful hackers in their currency of choice, be it dollars, rupees, euros or even Bitcoin.

“We're basically the marketplace in the middle that does that management,” says Mercer.

“We provide the services in the middle that help provide that level of trust and management. So we do things like make sure vulnerabilities are submitted in a structured way… handle all the background processes and provide customers with a single invoice that covers the bounty pool.”

“Everyone has a fixed budget, and we make sure it doesn't go down too quickly.”

As each bounty involves a fixed amount, this requires careful management to ensure all those who find vulnerabilities are paid, and that companies get value for money out of the programme.

“Obviously everyone has a fixed budget, and we make sure it doesn't go down too quickly,” he says. “So we have algorithms which invite people at a certain frequency in accordance with your budget to make sure it doesn't run out, because if it runs out that's the worst thing. If someone finds something and can't get paid, then it's not fair.”

This includes a tool to continuously monitor the health of a programme, and ensure that hackers are getting involved at the right rate.

“We can identify programmes that are beginning to drop off a little bit, and then combined with the bounty pool information we can basically stop inviting, pausing submissions before it reaches the end of the bounty pot,” he explains.

The right hacker for the right job

Depending on the type and complexity of the code, different companies have different needs when it comes to vulnerability hunting. But there are also significant differences between different hackers.

“Not all hackers are equal. Some of them are really good, some of them are really terrible,” says Mercer.

“Sometimes you want the terrible people because they charge the lowest – that's for the low-hanging fruit. And sometimes you just want the elite people.

“Everyone's requirements are different, the skills required are different, for example the skills required for an IoT device are totally different to a website. The same for mobile, or even for iOS and Android.”

“Not all hackers are equal. Some of them are really good, some of them are really terrible.”

To resolve this, HackerOne provides a hacker matching service, where it monitors the progress and skill level of hackers, ranks them and uses that information to match them to the right bounty programmes.

“When someone comes to us with a special project, we can be like 'okay, we think we've got the right people, here's 400 who've the right skills',” he says.

While there are a host of public programmes where any would-be hacker can get involved, the majority of HackerOne’s bounty programmes – for 80% of its clients – are private, invite-only affairs.

For a limited time only

In order to encourage participation, the company also runs some programmes for limited times, with certain customers only running bounties at fixed times during the year.

Known as challenges, these “concentrate effort within a certain time-period” and give the companies time to respond to vulnerabilities before they run additional programmes.

For challenges that require the attention of the elite, HackerOne even brings a touch of glamour to proceedings.

“We do live events where we invite the world's elite hackers, we fly them in from all over the world and then we have a live competition with leadership boards, live bounties teams, all that kind of stuff,” he says.

“We do live events where we invite the world's elite hackers, we fly them in from all over the world.”

Recent events have been held in London, Amsterdam and San Francisco.

“San Francisco we targeted Oath, the merger of AOL and Yahoo, we paid $400,000 in one day. So these things can be huge, very exciting as well, when you find a vulnerability we triage it on the spot and you get paid on the day,” he says.

Mercer compares this to a sports event, with the added benefit that it provides an economical way to maximise the vulnerabilities identified.

“We're trying to game it basically, so that essentially customers find vulnerabilities across their web estates in the fastest, most economical way.”

What makes a good ethical hacker?

When it comes to the people finding the vulnerabilities, there is no such thing as a typical hacker.

“Hackers can be anyone really; they could be you or I. They come in all shapes and sizes,” says Mercer.

“They are located all over the world, the top three countries are USA, India and Russia. The UK does feature quite highly and if you take the European Union as a whole they are also top-tier.”

Notably, there are often also people that may not think of themselves as hackers before they try the platform out.

“I think there's a lot of people out there that don't realise they can do this, and really can. They don't need a degree, and they don't necessarily need experience either,” he says.

“It's all to do with a sense of curiosity and technical ability, so deep diving into what happens behind the scenes when my mobile app communicates: what does that message look like? How would I even look at it? What would happen if I modified it? And then being able to interpret the response to say 'oh, something funny is going on here, I'll look into that a bit more'.”

“There's a lot of people out there that don't realise they can do this, and really can.”

One such example is Tom NomNom, who Mercer describes as “one of our most famous hackers in the UK”.

“He had never done any security testing whatsover, but he was a system administrator, infrastructure engineer. And he just discovered he had a talent for it,” he says.

“It wasn't until the bug bounty programme came out that he realised this. Now he's one of our top hackers.”

Some of them aren’t even adults, such as one of HackerOne’s top hackers, Jack Cable, who was a teenager when he started.

“He was finding the top vulnerabilities. There are consultants with 30 years of experience who weren't finding what he was finding. So it really is hard to judge who would be good at this.”

Using hacking to change lives

The majority of the company’s hackers don’t work full time on vulnerability hunting, with 44% spending no more than 10 hours a week on the platform. This is enough to earn “pocket money” – perhaps £500, £10,000 or even £20,000 a year. However, there are some – 13% that do spend over 40 hours a week hacking, and for some hackers, it is a primary income.

“It really depends where you're living, but if you're living somewhere like India, Argentina, then you get a massive multiplier. The majority of the researchers that I know in the UK do not do bug bounty as their full-time job. They have a full-time job as a software engineer or an infrastructure engineer and this is just their second income, like an AirBnb,” he says.

“However, we do have an elite tier, I think it's like 4% or maybe less than that, who earn more than $300,000 a year.”

“We do have an elite tier who earn more than $300,000 a year.”

For some, the programme enables people to work in a field where they have significant skills, despite not living in an area with good opportunities.

“It's a real equaliser because the thing is skills are distributed unequally, and they're not based on where you live or who you are,” he says.

“I've been speaking to a guy in Angola: They just don't have the jobs where they are where their skills can be used, whereas with the bug bounty programme you can make a bit of cash doing this.

“And also, once you've got a reputation on our system, you can use your HackerOne profile as an addition to your resume or CV to prove that you actually can find stuff and therefore get a professional job as well.”

For others, the programme has even proved life-changing.

“We have these beautiful stories from some of our researchers, especially in India and Eastern Europe where people are making the first car purchase, they're buying their first home, or perhaps they're helping a family member who's in need.”

Share this article