Would you pay someone to hack your company? How about if the hacker discovered a bug that would save you money, liability and a host of problems you never realized existed? And how might a company thank a teenage hacker in Siberia who found a bug in its system?
All of those questions and issues are solved with this week’s “Uber of X” featured company: HackerOne — “Uber of Hacking.”
The San Francisco-based company was founded in 2012 by two hackers who wanted to pair companies with hackers willing to “do the right thing” and surface security issues the companies never knew they had.
Companies interested in having their bugs — or vulnerabilities — pointed out set up a “bug bounty program” through HackerOne. More than $10 million has been awarded to hackers by HackerOne companies since it launched.
Hackers log on, look through the directory, find a program they’re interested in and work to spot a bug in that company’s systems. The hacker can report the bug safely and collect a monetary reward. Hackers build a reputation score over time. More than 60,000 hackers are part of the HackerOne community, and nearly 4,000 have been thanked by a company for hacking them.
Recent large-scale projects have produced notable results. HackerOne recently won contracts with the U.S. Department of Defense through the “Hack the Pentagon” program, which awarded hackers $75,000 after they discovered 138 vulnerabilities. The H1-702 project brought a handful of large companies to Las Vegas to be hacked in real time; more than 224 vulnerabilities were resolved over three days.
To date, HackerOne has gone through two rounds of funding, totaling $34 million. On each bounty paid, HackerOne charges an additional 20 percent fee, but most companies find that the total cost is well worth it compared with the cost of an exposed vulnerability.
Chief Bounty Officer Adam Bacchus spoke to PYMNTS about how bug bounty programs work, the history of the company and what HackerOne is doing to make the word “hacker” a more positive one.
PYMNTS: What is HackerOne?
AB: It’s a platform that makes it really easy for companies to set up a bug bounty program, and it also makes it easy for hackers to find companies hosting these programs. Essentially, a hacker hacks on a company, and they find a vulnerability or security bug. What they can do is report it privately to that company through HackerOne.com. The company then looks at the bug and says, “Oh, wow, this is an issue.” They may thank the hacker by paying them a monetary bounty.
There are two main ways that a company can do this. They can have a private program, where they only invite a certain number of hackers and slowly ramp up over time. Or, they can have a public program — which is what, for example, Yahoo has — where anyone in the world who is a member of HackerOne can submit a bug to the company.
Typically, what hackers will do is: We have a feature called the directory, so they can go into the directory and see all of our various customers that have a bug bounty program and are basically saying, “Come hack us.” Hackers can look and see what that company’s rules are.
Typically, when a company signs up on the platform, they say, “OK, here are the rules of engagement. Here’s what you can and cannot hack. Here’s how far you can and cannot go.” They also say things like, “Here’s what we’re willing to pay for. Or, if you find this type of bug, we’ll pay $10,000. If you find that type of bug, we don’t care so much; we’ll only pay $400.” And the cool part about this is that various companies can leverage this to point hackers to what they care about the most.
So, if I’m a medical company, I might pay top dollar for a hacker that exposes patients’ data. If I’m a financial company, I might pay a big bug bounty for somebody who finds the bug that allows somebody to steal money from another user.
PYMNTS: How did HackerOne start?
AB: The two cofounders were originally hackers. They found that they were having trouble reporting issues to companies because companies would have different reactions. Some would say, “Oh my gosh, how dare you hack us! We’re going to sue you and throw you in jail.” Other companies were a little more open to it.
So, the company was started with a mission to empower the world to build a safer internet. So, they’ve bridged the gap between friendly hackers and companies willing to reward hackers for doing the right thing and letting them know about the bugs that they find.
PYMNTS: How does anyone know that these hackers are doing this for the good of the company?
AB: That’s a great question, and we get it all the time. There are good hackers and bad hackers. When a company starts a bug bounty program, you’re opening up the door to good hackers who want to work with the company. No matter what the company does, its systems are going to have bugs. They are going to have vulnerabilities. Bad hackers are going to hack no matter what. If you start a bug bounty program, you’re essentially making it easier for good hackers to find these issues, let you know about them and give you a heads-up so you can fix them before the bad hackers take advantage of them.
PYMNTS: How does HackerOne get paid?
AB: HackerOne gets paid in two major ways. One way is we have a “Free Version,” a “Pro Version” and an “Enterprise Version,” which unlocks different functionality within the platform. We also charge a 20 percent fee on every bounty that gets paid out. The company will have a pricing table telling hackers what they’ll pay for what kind of bug.
PYMNTS: Do or can hackers make this their main job?
AB: There are all types and all ages of hackers, all across the world. We have one hacker who has made upwards of $500,000 on bug bounties alone. Others do it in their spare time.
The other cool part is that this is democratizing opportunities. No matter where you are in the world, you’re going to get paid the same amount for that bug. In different parts of the world, this can be life-changing. There can be hackers that use this money to put food on the table or buy cars.
PYMNTS: What does the phrase “Uber of X” mean to you?
AB: Uber has done something really interesting by revolutionizing an industry to help customers get a service super quickly, as well as create tons of jobs with massive flexibility, for a lot of people.
HackerOne is doing something similar in that we’re helping companies make it really easy to discover massively critical bugs within even a day of posting a bounty program. So, you get that same Uber experience in a way.
It’s also a way for hackers to hop on as much or as little as they want, get some money and continue or pause for a while. It’s up to you. You can take a break.
PYMNTS: Can you share a hurdle or issue that’s occurred since founding?
AB: Getting people on board with the idea was one of those things that was an issue.
Another issue is a misunderstanding between hackers and companies. For example, when a bug is found out and paid out to the hacker, sometimes, the hacker thinks the bug is worth more than the company wanted to pay. So, this transparency was originally an issue. That’s where the pricing table came to be, to explain what a company is willing to pay for.
PYMNTS: “Hacker” has a negative connotation. Is HackerOne trying to change that?
AB: I think the term “hacker” used to have a negative connotation, but we’re seeing a shift, especially with some of the bug bounties in the past year. People are starting to say “hacker” doesn’t necessarily mean “bad” anymore. There are definitely different types of hackers out there.