Last week Twitter unveiled a brand new bug bounty program that pays security researchers (or hackers) to report vulnerabilities on its platform.
We decided to reach out to HackerOne, the company behind the bounty program, to learn more about how tech companies communicate with independent hackers to better protect their products and services. HackerOne’s platform helps companies of any size — including big ones like Twitter and Yahoo — streamline their bug reporting programs, with or without a cash reward bounty.
The platform, which launched publicly in 2013, “streamlines the exchange between a researcher and the response team,” HackerOne CPO Katie Moussouris told Business Insider.
Before moving to HackerOne, Moussouris worked for Microsoft as a security strategist and helped them build up an in-house vulnerability team.
“I saw a lot of the manual labour that a large company could afford to do,” she said.
For smaller startups that may not have the time and/or manpower to deal with bug reporting, HackerOne offers a helping hand. For instance, it will recognise if multiple hackers report the same bug so the security team doesn’t need to deal with tons of emails. This frees up their time to work on more serious coding issues.
Twitter definitely has the time and money to work on security issues in-house — it has talent like former NSA employee Charlie Miller — but HackerOne gives it some extra padding, just in case Miller can’t find everything out there.
“Twitter is a great example of a company who brings in-house some of the great talent, but you can’t hire everybody,” Moussouris told us. “So for that, you want to have an outward-facing program that brings in anyone — a researcher, customer, partner, it could be anybody.”
While Twitter (via HackerOne) now offers cash rewards for discovering exploits, not all programs run on HackerOne necessarily include bounties. Moussouris told us that even Twitter tried HackerOne’s service for a few months without a cash reward before adding that extra incentive.
But according to Moussouris, a cash reward is just one part of the motivation for hackers. They’re in it for the recognition. If they can say that they noticed a huge security problem on Twitter, that’s a big deal. And it can also potentially help them further their career as a security researcher, maybe leading to a full-time position at a company.
Many of these hackers are also teaching themselves and need to get experience under their belts. So a few hundred dollars is a nice prize, but they’re also focusing on building a strong C.V.
HackerOne also offers its “Hall of Fame” to recognise those researchers and hackers, but the thrill of taking on a challenge is also often enough to drive these individuals to help with bug hunting.
“It’s really intellectual curiosity, or the pursuit of intellectual happiness,” Moussouris said. “They want to see if they can.”
Apparently the curiosity is paying off. According to HackerOne’s site, it has led to 3,776 bugs being fixed, $US1.18 million in bounties paid, and 820 hackers being “thanked,” all for 66 different public programs.
“If anybody has software out there, there are good guys and bad guys looking at it,” Moussouris said. “If you’ve got anything worth protecting, data for users, financial information, somebody is going after it.”