We Are at The Edge of Realizing the Potential of Bug Bounties and Crowdsourced Security – HackerOne

More organizations are taking advantage of bug bounty programs to strengthen their security postures. It simply makes sense: crowdsource the best cyber talent at scale to find those security gaps before the bad actors find and exploit them.

HackerOne is a bug bounty platform with over 1200 customers, ranging from multinational brands to the Department of Defense and Twitter. ITWatchIT chatted with HackerOne’s Jon Bottarini at the recently concluded Billington Cybersecurity Summit in Washington, D.C.

Cybersecurity Keeps Evolving and Bug Bounty Programs Are a Necessity

Any company with a digital presence is at risk of having an adversary steal data or perform other types of cyberattacks. The idea of using bug bounties is basically to crowdsource your security talent, and is indicative of the amount of experience a company can tap into at once, from all these gifted hackers all around the world, participating in the program to make your organization more secure.

It does not matter if you are a startup or an established brand; it is vital to ensure that the data of your organization and customers is protected. We have different levels of offerings, depending on your level of internal security maturity. If you are new to crowdsourcing security, we offer a basic vulnerability disclosure process, which is not a bug bounty, just a channel where someone who sees something can draw attention to it.

HackerOne’s Jon Bottarini Speaking at The Billington Cybersecurity Summit

Ensuring Black Hat Hackers Stay Out

If we’re starting a bug bounty program, we have to ensure we are not inviting bad actors to come and attack the systems. The reality is that when a bug bounty program begins, it’s really the worst possible news for someone who is a black hat hacker, who might be taking advantage of a system.

Adversaries are out there, currently taking advantage of vulnerable systems. Setting up a bug bounty program is bad news for those actively exploiting vulnerable systems.

It goes against the best interest of the users on the platform to try and undermine the system, since black hat hackers do not typically go through a bug bounty program if they are trying to act in bad faith towards an organization regarding information gathered about vulnerabilities.

They would normally rather peddle their wares on the dark web, or go through a broker to make that transaction. By signing up for a bug bounty program, you are basically saying you don’t have anything to hide; you give the company your information and give them the right to ensure you follow stated guidelines.

We have a program offering where we choose select hackers who have their backgrounds checked, are situated within the US or Canada, come from pen testing and technical backgrounds, and are basically the cream of the crop.

Why HackerOne Is Ahead of the Bug Bounty Game

We have more researchers than other platforms combined, we have found more vulnerabilities, we’ve had more bounties and paid more to our ethical hackers, and at the end of the day, we just try to make the internet a safer place. As an organization, if that is part of the core values of your business, then you would definitely see reason to choose HackerOne.

Competitors have their strengths and weaknesses. When HackerOne started out a couple of years ago, other companies, such as Bugcrowd, were already established as the market leaders. It’s arguable who that leader is now, but HackerOne certainly has some strengths which help it stand out from the crowd.

Bug Bounty Outlook

I believe that we are right at the edge of bug bounties and crowdsourced security as a whole. When you look at the numbers, there is a high volume of vulnerabilities discovered all the time, and in most cases there is no way for security researchers to report these vulnerabilities to the organizations. This is quite alarming because most of the affected companies are ones we use in some capacity or another.

As more organizations become more aware of their threat models, it becomes critical for them to consider crowdsourced security. A great contribution of bug bounty programs is the ability to scale your own security team, and bring in the outside knowledge of potentially thousands of security professionals, to not only strengthen your own internal security processes, but to make you more secure overall.

Speaker: Jon Bottarini
Technical Program Manager II, HackerOne
Jon Bottarini is a security researcher and an ethical hacker who has reported security vulnerabilities to organizations like Google, Apple, Microsoft, Yahoo!, the US Department of Defense, and many others. When he is not finding security vulnerabilities, Bottarini serves as a Technical Program Manager II for HackerOne, the #1 bug bounty and vulnerability disclosure platform, where he helps global organizations run successful bug bounty programs and helps make the internet more secure. Bottarini serves as the Lead Project Manager for the US Department of Defense’s bug bounty programs, a part of the Hack the Pentagon security initiative. Bottarini earned a Bachelor of Science in Information Science and Technology from the University of Arizona.

About HackerOne

HackerOne is a hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be exploited. More Fortune 500 and Forbes Global 1000 companies trust HackerOne than any other hacker-powered security alternative. The U.S. Department of Defense, General Motors, Google, Twitter, GitHub, Nintendo, Lufthansa, Panasonic Avionics, Qualcomm, Starbucks, Dropbox, Intel, the CERT Coordination Center and over 1,000 other organizations have partnered with HackerOne to resolve over 80,000 vulnerabilities and award over $35M in bug bounties. HackerOne is headquartered in San Francisco with offices in London, New York, the Netherlands, and Singapore.