Editor’s brief: Having been a programmer since the 1970s, dabbling with BASIC, then Fortran and C, and later on the alphabet soup of web languages, I know programming. However, I have not been enticed to become a professional programmer and make a living out of it. In the first wave of the Internet, I did become a cybersecurity developer, and co-developed an email security server appliance with a friend. However, that was not my calling. Fast forward to the 21st century, and now there are folks who straddle between day jobs and a “white-hat” ethical hacking role on the side, and some have even made a million out of it and suitably semi-retired. Could this be you? The vendor’s news release is below.
Hackers Earn Record-Breaking US$100 Million on HackerOne
Leading hacker-powered security platform reveals the global community of hackers uncovered 170,000 vulnerabilities, changing the way organisations do security
SINGAPORE, @mcgallen #mcirowireinfo, May 28, 2020 — HackerOne, the number one hacker-powered security platform, today announced that hackers have earned US$100 Million in bug bounties by hacking for good on the HackerOne platform. A bounty — or bug bounty — is a monetary award given to a hacker who finds and reports a valid security weakness to an organisation so it can be safely resolved. With nearly half of bounty earnings awarded in the past year alone, this record-breaking milestone showcases how the world’s largest hacker community is addressing the growing security needs of our increasingly interconnected society.
From US$30,000 paid to hackers across the globe in October 2013 — the first month of bounty payments on HackerOne — to US$5.9 million paid to hackers in April 2020, working with hackers has proven to be both a powerful way to pinpoint vulnerabilities across digital assets and more than just a past-time. It’s a career.
“We started out as a couple hackers in the Netherlands with a crazy belief that hackers like us could make organisations safer and do it more efficiently and cost-effectively than traditional approaches,” explained HackerOne co-founders Jobert Abma and Michiel Prins in their blog post about the milestone. “US$100 Million in bounties later, maybe this idea isn’t so crazy after all. Thank you to all the hackers who have made the internet safer one vulnerability at a time. Hacking is here for good, for the good of all of us.”
The positive power of a growing community of ethical hackers pools our defences against data breaches, reduces cybercrime, protects privacy, and restores trust in our digital society. Highlights from this journey to US$100M include:
- 84: The number of new hackers that sign up to the platform every hour
- US$6,000: The amount of bounties paid out on the platform every hour
- 214%: Year-over-year hacker-powered security growth in the federal government
- 85.6%: The year over year growth in total bounty payments, with 17.5% increase since February when COVID-19 was declared a pandemic.
- 343%: The increase in signups over the past year on Hacker101 — HackerOne’s free online classes for aspiring hackers.
- 38%: The increase in average weekly new registrants for Hacker101 since February, when COVID-19 was declared a pandemic.
- Over 170,000: The number of vulnerabilities hackers have uncovered in nearly 2,000 customer programs
“We are building a community able to test and vet every piece of our digital connected civilisation,” said HackerOne CEO Marten Mickos. “US$100 Million is a number that attracts the best hackers, providing companies and governments unmatched ROI, significantly reducing the risk of data breach. We have arrived at the point in history where you are ignorant and negligent if you do not have a way to receive useful input from ethical hackers. In this new world of ever-evolving threats, the only way to get ahead is to get transparent. Openness, not secrecy, is the way forward.”
Back in 2017, Mickos predicted the community of hackers on HackerOne would grow to one million strong and would have earned US$100 Million in bounties by the end of 2020. With over three quarters of a million individuals signed up to hack for good, we’re well on our way to exceeding these expectations. Mickos shared the following predictions for the future:
- The HackerOne community produces outstanding security experts to fill the talent gap in the industry. Within the next 15 years, we expect to have produced over 500 Chief Information Security Officers (CISOs) out of our hacker ranks. These skilled and motivated people will help reduce cyber risk in key commercial enterprises and government agencies.
- Hackers will earn US$1 billion in bug bounties within five years on HackerOne.
“Some of my favorite highlights are absolutely the interactions with the people on the other side, and reactions to some of the bugs I’ve found,” reflected elite hacker Frans Rosen. “When the CISO of a company calls me up in the middle of the night to understand the severity and panics when he realises the impact. When I build a little game to show the impact of a bug and the company responds with “this is the best game ever, we’ve played it all day in the office.” On live hacking events, when you submit a really critical bug and the team of the company fills the room afterwards to understand exactly what happened. I live for the reactions since I understand myself how I would feel to get the same kind of report myself.”
Every minute of every day, hackers and companies across the globe come together to enhance security. Businesses are constantly seeking to grow: expanding into new markets, shipping new products and services, adding customers, releasing mobile offerings, processing new forms of payment, increasing web assets, and so on. And every time they do, they add a new layer to their attack surface.
By partnering with willing organisations, trusted hackers are an extension of any security team and earn up to 36% more than they would as a software engineer in their home country. For companies, working with the largest, most active community of hackers allows them to be proactive about their security strategy in an efficient and cost effective way.
“Our first priority at Dropbox is the safety of our customers’ data, and we’ve looked to the global security research community on HackerOne to validate the security of our platform continuously,” said Justin Berman, Head of Security at Dropbox. “We have an industry-leading vulnerability disclosure program that protects ethical researchers and partnered with HackerOne to include sensitive vendors in the scope of our bug bounty program to help protect our entire ecosystem. Our hope is that bug bounty programs like ours continue to spearhead a culture of collaboration and transparency that benefits cybersecurity as a whole.”
For our founders’ reflections on this milestone and the journey to US$100 Million in bounties, read more in their blog. CEO Marten Mickos also shares his analysis of the industry and what is to come for hacker-powered security, available here. And for more about how organisations like Dropbox are working with hackers hacking for good to secure their attack surface, visit our blog.
HackerOne is the #1 hacker-powered security platform, helping organisations find and fix critical vulnerabilities before they can be exploited. More Fortune 500 and Forbes Global 1000 companies trust HackerOne than any other hacker-powered security alternative. With nearly 2,000 customer programs, including The U.S. Department of Defense, General Motors, Google, Goldman Sachs, PayPal, Hyatt, Twitter, GitHub, Nintendo, Lufthansa, Microsoft, MINDEF Singapore, Panasonic Avionics, Qualcomm, Starbucks, Dropbox, and Intel, HackerOne has helped to find over 170,000 vulnerabilities and award over US$100M in bug bounties to a growing community of three quarters of a million hackers. HackerOne is headquartered in San Francisco with offices in London, New York, the Netherlands, France and Singapore and is a Fast Company World’s Most Innovative Companies for 2020.