By Marten Mickos
Hacking is here for good, for the good of all of us. Half a million hackers have willingly signed up with HackerOne to help solve one of the greatest challenges our society faces today. We cannot prevent data breaches, reduce cybercrime, protect privacy or restore trust in society without pooling our defences and asking for external help.
The positive power of the hacker community far exceeds the risks and the might of adversaries. To date, HackerOne has helped find and fix over 140,000 vulnerabilities for 1,600 client organisations, earning hackers more than US$72 million in awards — nearly half of that in the past year alone.
A quarter of valid vulnerabilities found are classified as being of high or critical severity. When a new bug bounty program is launched, in 77% of the cases, hackers find the first valid vulnerability in the first 24 hours. That is how fast security can improve when hackers are invited to contribute.
Yet the work is not done. It has barely begun. Each day we must fear the discovery of yet another giant data breach. The number and the magnitude of the breaches keep growing. At risk are financial institutions, healthcare organisations, e-commerce companies, big box stores, media companies and practically anyone relying on technology.
But some of the most recent breaches have one thing in common: they were detected, discovered and reported by good hackers.
Hackers are no longer anonymous guns-for-hire. They are being embraced by everyone from the insurance industry to government agencies. Hacker- powered security is today a given part of a mature and proactive security program.
It’s not hard to see why. Businesses process more sensitive data and more personal information than ever before. Software development lifecycles are increasingly continuous. As companies work overtime to push code, criminals work overtime to find ways to break in. It feels impossible to scale security with product development. Innovation is outpacing traditional security measures.
Working with hackers allows you to provide security at the speed of innovation. The number of hacker-powered security programs is rapidly growing all over the world. Latin America saw record growth of 41% over the previous year. The federal government sector grew an impressive 214%.
The professionalism and positive impact of hacking is also growing at an impressive clip. Last year, HackerOne paid out 511 individual bounties of US$10,000 for issues of critical severity, a four-fold increase over the year before. The average bounty for a critical vulnerability increased nearly 50% in just one year to US$3,384. And yet that is an incredibly low price for a company to pay for the ability to block a weakness that otherwise could be the cause of a data breach.
Hacker rewards are going up both on a unit level and in the aggregate. United States, India, Russia, Canada and Germany are the top earning countries for hackers. Over 50 hackers earned over US$100,000 last year. A full half-dozen surpassed US$1 million in lifetime rewards.
Society is embracing the positive power of hacking. Lawmakers are introducing legislation to drive hacker-powered security. Government agencies are launching bug bounty and vulnerability disclosure programs. Noteworthy customers include the European Commission, U.K.’s National Cyber Security Centre, Singapore’s Ministry of Defence, and, for several years, the U.S. Department of Defence, including the Army, the Air Force and the Marine Corps.
Hacker-powered security is on the rise in risk- averse and highly regulated industries such as financial services, banking, insurance, healthcare and education. With HackerOne’s new pen testing and compliance offerings, such companies can fulfill security obligations in a way that’s less costly yet more productive. Today, six of the top ten financial services organisations in North America, and companies like Goldman Sachs, PayPal, and Lending Club, are working with HackerOne.
Every five minutes, a hacker reports a vulnerability. Every 60 seconds, a hacker partners with an organisation on HackerOne. That’s more than 1,000 interactions per day.
There are more than 555,000 hackers registered on HackerOne who find vulnerabilities missed by traditional detection methods. These trusted hackers — many of whom are under the age of 35 — play a critical role in securing organisations large and small.
Security vulnerabilities are a fact of life. For this reason, technology unicorns, e-commerce conglomerates, governments around the world, and hospitality giants are competing to attract hackers who have one key advantage over traditional methods: they can think like an attacker. The stories of these hackers are inspirational. They’re an invaluable extension of the most trusted security teams, on a mission to find what others may have missed or could not see.
Hackers are the solution to the world’s cybersecurity challenges. By investing in people, not just software, we will see the greatest outcome. It is our mission to empower the world to build a safer Internet.
(The author is CEO of HackerOne, a vulnerability coordination and bug bounty platform that connects businesses with penetration testers and cybersecurity researchers. The views expressed are his own.)