Some of the world's largest companies—Yahoo! Inc., Twitter Inc. and General Motors Co., among others—participate in bug bounty programs. Companies in these programs pay rewards to “white hat” or “ethical” hackers for finding cybersecurity vulnerabilities in their networks.
Bloomberg BNA Privacy & Data Security News Senior Legal Editor Daniel R. Stoller posed a series of questions to Marten Mickos, chief executive officer of HackerOne Inc. and former senior vice president and general manager for Hewlett-Packard Co., on why companies should join bug bounty programs and whether hackers will help businesses shore up their cybersecurity.
Do companies become part of the HackerOne bug bounty program platform by application or invitation?
Companies come to HackerOne in most cases because they understand the benefits of working with hackers to improve software security so they contact us to sign up. HackerOne has created a global network of hackers and companies who work together to find and resolve software vulnerabilities.
Because of this community we also see customers arrive by invitation, either from a hacker who has found a vulnerability and would like to report it using the HackerOne service, or from a customer or business partner of theirs. We also conduct outreach to invite others to join. Each new customer on HackerOne poses a unique challenge for our talented hackers, and this helps us attract the best hackers and foster our community.
Do you think allowing white hat or ethical hackers to exploit network vulnerabilities is the best way for companies to both detect and prevent future cyberattacks?
Inviting white hat or ethical hackers to hunt for bugs is a very powerful solution to a very common and complex problem. Every software system has vulnerabilities and every industry is struggling with security. Even if you’ve bought all the right products or followed all the best practices there are still no guarantees that your systems are secure. By inviting friendly hackers to look for vulnerabilities you will find out what you missed.
Most of our customers find a security vulnerability within 24 hours of launching on HackerOne. This is why organizations, including the U.S. Department of Defense, General Motors, Google Inc., Yahoo, Microsoft Corp. and Uber Technologies Inc., work with hackers as part of their security strategy.
Is there any clearance process for hackers that join the program that might ease concerns of company leaders who may be hesitant about joining a bug bounty program?
The power of a bug bounty program lies in the large number of highly skilled hackers looking at your code. These hackers do not get any special access to your systems that a criminal would not have. In most cases there is no formal clearance process.
It’s the model itself that ensures that only people with good intent will bother to sign up to help you improve your security. To help companies better understand who they are working with, HackerOne also has a reputation system for our hackers that is based entirely on their track record. This reputation system allows our customers to see what other programs and vulnerabilities this hacker has found and how they rank. In some cases our customers have specific hacker requirements but overall we find that the more hackers participate the better the results are.
Do you think more hackers will turn to white hat hacking instead of malicious hacking because of the legal rewards involved?
I believe that the overwhelming majority of any group of people will be ethical and have an innate desire to do good. White hat hacking is also an exciting intellectual challenge. So we will always have ethical hackers who will help us find vulnerabilities no matter what the reward. But to get the best hackers to pay attention to your system, you will want to pay competitive bounties. This creates an enormously powerful mechanism where you pay only for results, and hackers get appropriately rewarded for their ingenuity.
From your perspective what is the biggest risk companies face today regarding cyberattacks or network vulnerabilities?
Unfortunately there is no single biggest risk. Any computerized system has an attack surface exposing a variety of vulnerabilities. Additionally you have risks of physical intrusion, social hacking, internal malicious actors and so on.
Perhaps the answer is that the biggest risk is ignorance or arrogance. Once a company acknowledges its risks, it is actually fairly straightforward to start building defense mechanisms. Vulnerability coordination and bug bounty programs are a powerful way of finding vulnerabilities that inevitably exist in production systems and products.
How did you get your start in cybersecurity and what made you join on as CEO for HackerOne?
The cybersecurity industry has accomplished a lot in the past decade, but it has also struggled with being seen as a separate, isolated industry. To truly achieve security, we must see security as an integral part of the software development lifecycle from start to end. We must see it as a positive and constructive action, not a defensive one. This is where HackerOne represents the way of the future.
I have personally been involved in businesses based on openness and collaboration for the past 15 years. Now I get to employ those learnings on the most pressing need of today’s connected society. I get to work with the smartest minds across the globe, and as a result hundreds of millions of people can be a little less worried about cybersecurity. This is why I felt I absolutely had to join HackerOne. It’s a vital mission.