HackerOne speaks to The Daily Swig about what support should look like when it comes to ethical hacking

Bug bounty programs are fast becoming an important tool for companies looking to bolster their own security.

To date, firms and organizatios including Microsoft, Google, HP, and even the US Department of Homeland Security have paid out millions to researchers for disclosing holes in their security.

But a report released by Crest this week noted that more needs to be done to encourage best practice in vulnerability reporting.

Guidelines need to be put in place that clearly state what is a ‘good’ bounty program, and what isn’t, stated the report, which also revealed that more than $6 million has been rewarded to finders so far.

Some companies have already taken their own steps, such as the launch of Bugcrowd’s open source platform Disclose.io, which aims to protect the legal rights of security researchers.

Others, such as HackerOne, are also making the effort to strengthen relationships between their bug finders and clients, including Google, the US government, Twitter, GitHub, and Dropbox.

The Daily Swig spoke to HackerOne director of program operations, Adam Bacchus, to discuss how its response team navigates the murky waters of ethical hacking, and what it can do to better the practice of responsible disclosure.


What are the main responsibilities of the HackerOne response team?

Adam Bacchus: The responsibilities of the security team are to reply to submissions in a timely manner and work with the researchers to resolve vulnerabilities quickly.

We generally recommend that security teams prioritize security by making a good faith effort to resolve reported security issues in a prompt and transparent manner, and respect finders by giving them public recognition for their contributions.

[They must also] do no harm and not take unreasonable punitive actions against finders, like making legal threats or referring matters to law enforcement.


What can HackerOne do for organizations looking to launch a bug bounty program?

AB: Organizations looking to launch a bug bounty program through a platform or for the first time look to us for guidance around the who, what, when, where, and how.

Who should we invite or open our program to? When is the best time to launch a program? Where should we be housing information about the program? How can we make sure it’s successful?


And how does HackerOne aid security researchers?

AB: HackerOne provides a safe and consistent channel for security researchers. They can report vulnerabilities through a consistent interface and feel confident that the company they are working with will adhere to HackerOne’s program standards.

They won’t be met with threatening or legal language or law enforcement.

HackerOne also provides opportunity for income. In our recent 2018 Hacker Report, top earning researchers make 2.7 times the median salary of a software engineer in their home country.


Do you find there is a positive relationship between organizations and researchers? Or can it be strained?

AB: Yes. In many cases, a certain set of hackers will “anchor” towards a particular program due to investing time in learning the attack surface, as well as having positive experiences with the organization.

Organizations often develop great relationships with these experienced hackers to keep them engaged in their program. In some cases, organizations have even hired hackers as full-time employees.


Finally, how important are bug bounty programs and what do they bring to the security community as a whole?

AB: While not anyone can snap their fingers and pull a bug bounty program out of thin air, it’s become much easier to implement one, or at the very minimum, set up a response program.

It seems like a no-brainer to me. Criminals are going to find and exploit flaws in your systems, no matter what. Why not open the door to let friendly hackers inform you of these same issues, so you can find and fix them before criminals take advantage?

Having personally identified vulnerabilities in services that store my own sensitive data, I trust organizations with some means of receiving bugs from the community way more than those that turn a blind eye, or worse, seek punitive action.

The notion of working with researchers outside of your organization can seem daunting at first, but it’s definitely become more of the norm, and finding and fixing vulnerabilities at scale is a lot easier than you might think.