Building the world’s largest bug bounty platform

Security bug
(Image credit: Shutterstock)

Over the years finding bugs in popular software, apps and online services has become quite the lucrative venture for enterprising hackers. In fact some of these hackers and security researchers have even become millionaires thanks to bug bounty programs. In addition to getting paid for discovering vulnerabilities, their work helps some of the world’s largest companies improve the security of their products to better protect their users.

The bug bounty platform HackerOne helps connect these companies to ethical hackers all around the world. To learn more about how the company got started and the various bugs that have been discovered by its community over the years, TechRadar Pro spoke with HackerOne’s CTO Alex Rice.

HackerOne Early Days

(Image credit: MSNBC)

What led to the creation of HackerOne back in 2012?

Organizations of all shapes and sizes now use hacker-powered security, but this wasn’t always the way.

Before HackerOne, I was head of product security at Facebook. One of the most effective things we did was to say to hackers out there: "We want your help. Find a bug, find a vulnerability, let us know and we'll reward you." The program went on to pay out over $10M and improve the security of the product more than anyone could have imagined.

Fast forward to today and HackerOne is the most successful hacker-powered security platform in the world. Over 2000 organizations have partnered with the hacker community to uncover 181,000+ verified vulnerabilities. Those hackers have been rewarded over $100M for making the internet a safer place.

How has your background as a security engineer and researcher influenced the work you do today as HackerOne’s CTO?

At HackerOne I am responsible for developing our technology vision, driving engineering efforts, and counselling customers as they build world-class security programs. I'm motivated first and foremost by a conviction that technology can improve our lives for the better. But fundamental challenges with security and privacy often hold us back. We need trustworthy technology, and my experience as an individual researcher taught me that we'll never get there alone. We need millions of us working together, disclosing lessons learned, and pushing every one of us to do better.

What impact do you think your platform has had on the way vulnerabilities are identified and reported?

At HackerOne we partner with the global hacker community, to ensure organizations are aware of any security issues before these can be exploited by criminals. The incredible creativity, diversity, and persistence that you find within this unique community ensures organizations are far more secure than they'd be on their own, and that the people depending on them are safer.

We also have different programs and options available for customers, ensuring they get the best support possible, when they need it. It is important that businesses are not only aware of where the risks are, but that vulnerabilities can be managed and fixed. At HackerOne customers can opt for a variety of solutions available from pentesting, through to public and private bug bounties, and, most importantly, vulnerability disclosure programs.

coding

(Image credit: Shutterstock / Gorodenkoff)

Can you tell us more about your company’s vulnerability database and how you keep track of all of the bugs submitted by security researchers?

We maintain the largest and most authoritative database of vulnerabilities in the industry and our reward program encourages our hacker community to identify and submit vulnerability reports on everything from websites, APIs, mobile apps, hardware devices, and an increasingly diverse and vast array of attack surfaces.

In terms of how we keep track, there’s a clear process for our hackers to follow. Once they’ve signed up to a HackerOne account, they can search for a participating program and start hacking. If they find a vulnerability they then use the HackerOne Directory to find the best way to contact the organisation and submit a report. The company will then review the contents and reward valid findings.

Of the top ten most impactful and rewarded vulnerability types in HackerOne’s new report, which one do you see as the greatest threat to organizations today and why?

Cross-site scripting (XSS) vulnerabilities. This is the second year running they’ve topped our list as they continue to be a major threat to web applications and account for 18% of all reported vulnerabilities. Attackers exploit XSS attacks and gain control of a user’s account to steal personal information such as passwords, bank account numbers, credit card details and more. Our customers awarded over US$4.2 million in total bounty awards, up 26% on 2019.

Common vulnerabilities such as XSS are often dismissed by CISOs fond of chasing "threat du jour", but hackers consistently show us that these neglected best practices continue to be one of the most effective ways to compromise personal data.

What types of vulnerabilities pique your interest the most?

Right now I’m interested in seeing what happens with SSRF (Server Side Request Forgery) vulnerabilities which are increasing in prevalence as cloud migrations are underway. Historically, SSRF bugs have been fairly benign, as they only allowed internal network scanning and sometimes access to internal admin panels. But in this era of rapid digital transformation, the advent of cloud architecture and unprotected metadata endpoints has rendered these vulnerabilities increasingly critical.

Two People Working on Laptop

(Image credit: Pexels)

What advice would you give to a business looking to implement a bug bounty programme for the first time?

Crawl, walk, run. Your business doesn't have to jump in head first. Businesses can limit the number of hackers involved with a private program. Use this capability to launch in a controlled fashion to ensure you have a clear policy, capability to effectively triage and root cause analysis, and you are proceeding at a manageable pace for your development teams. Running too fast, often leads to knee-jerk whack-a-mole and deferment of necessary investment in your core security practices.

How should businesses set about assigning monetary value to the discovery of a particular bug?

For starters, don't pay for a particular bug. Start with a vulnerability disclosure program that simply establishes a process for receiving vulnerabilities from external finders without promise of a financial reward.

From there, start with a small private program on some of your more hardened attack surface. Our team can work with you to compare your chosen attack surface against our benchmark data for similar organizations with a goal of attracting an initial baseline of attention from the community before scaling up rewards as your attack surface hardens.

Monetary value will typically depend on how critical the bug is, the more severe the vulnerability, the more the reward. In our recent 2020 Hacker Powered Security Report, we discovered the average reward for all vulnerabilities of any severity was $979.