21 hackers made over $1m on HackerOne

Hacking is just a weekend hobby for some white hats, while others treat it as a way of making a living. Cybernews talked to HackerOne about the power of hackers.

HackerOne, an attack resistance manager, was formed ten years ago to empower the world to build a safer internet. With countless recent leaks and hacks, including Uber, Revolut, and Rockstar Games, we can all agree that it sure doesn’t feel safe in the digital realm.

Last year alone, hackers reported over 66,000 vulnerabilities through the platform, signaling a 20% increase from a year before.

But some things have changed for the better. For one, good faith hackers are not villains anymore – many companies embrace their help in a quest to protect both businesses and customers.

Cybernews sat down with Dane Sherrets, a solutions architect at HackerOne, to discuss what’s changed throughout the years and whether you can make millions while on a bug bounty hunt.

  • HackerOne helped find and fix nearly 230,000 vulnerabilities for customers (all time)
  • Paid out more than $200M in bounties to hackers
  • More than $40M in bounties awarded to hackers in the past year
  • 21 hackers have passed $1M earnings

HackerOne was created ten years ago to make the internet a safer place. Yet, the internet doesn't feel safe. However, it seems that the attitude towards white hat hackers is shifting. Do you see that shift?

When it comes to security research, the trend is that hackers are friends. Ten, twenty years ago, if you were a hacker and found a vulnerability, there might be some upper tension between you and the organization you found the vulnerability in. You might not have a direct pathway to report it.

A lot of things have changed, you might say, legally and also culturally. The Department of Justice changed its guidance regarding charging violations of the Computer Fraud and Abuse Act (CFAA).

There's also a very similar conversation starting in the UK with the Cyber Misuse Act. We also have organizations like Cybersecurity and Infrastructure Security Agency (CISA) and some executive orders from the [Biden] Administration encouraging organizations to set up vulnerability disclosure programs or bug bounty programs.

Organizations are seeing a benefit to having a good relationship with the security researcher community and recognizing that when the next Log4j vulnerability is found, they want to have a good relationship with the community to help secure assets.

There's also a new adoption of security.txt files – many organizations now have a security file on their website of how you should report the vulnerability.
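The security.txt file mentioned above is standardised in RFC 9116. As an added example (not from the interview, HackerOne, or any real site), here is a small Python checker that parses a constructed security.txt for a hypothetical example.com and flags the problems a defender would want to catch before publishing one, such as a missing Contact field or an Expires date that has already passed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample (hypothetical example.com), not copied from any real site.
SAMPLE_SECURITY_TXT = """\
# Served at https://example.com/.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2030-01-31T23:59:00.000Z
"""

def parse_security_txt(text):
    """Map lower-cased field name -> list of values; comments and blanks are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:  # a line without a colon is malformed and ignored
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def parse_timestamp(value):
    """ISO 8601 string -> aware datetime (a trailing Z means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_security_txt(text, now=None):
    """Return the problems found; an empty list means the file passes these checks."""
    now = parse_timestamp(now) if now else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for contact in contacts:
        if not contact.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact is not a mailto:, tel: or https:// URI: {contact}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires is required and must appear exactly once")
    else:
        try:
            when = parse_timestamp(expires[0])
            if when <= now:
                problems.append("file has expired, so reporters may not trust it")
            elif when - now > timedelta(days=366):
                problems.append("Expires is over a year away (RFC 9116 advises less)")
        except (ValueError, TypeError):  # unparsable or naive timestamp
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
    return problems
```

Pass `now` as an ISO 8601 string to evaluate the file as of a given date; otherwise the current UTC time is used.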

You work with many big names – Coinbase, Toyota, PayPal, Twitter, and Google, among others. Is it hard to explain to some companies the benefit of having a relationship with the white hats? Are you looking for clients proactively, or do they come to you?

We often have people coming to us and saying, yes, we have researchers reaching out to us, and we want to have a secure, thorough process to take in these vulnerabilities. These conversations might have been a lot harder ten, maybe even five years ago. Now, you want to engage with the hacker community, and security is a primary concern for governments and end users.

Are there any criteria for companies to join HackerOne or start a bug bounty program? I know it's not suggested for a company to have a bug bounty program if it has too many vulnerabilities.

A bug bounty program is not the silver bullet to just fixing all of your security issues. It's a part of your security. You should have static and dynamic testing of your code, you should have regular pentests, and you definitely need a way to receive one of those [vulnerability reports].

The vulnerabilities are there whether you want them or not, so you need to have some kind of intake process. A bug bounty program is a part of that. I think, also, a lot of time, the conversation around HackerOne is focused on the bug bounty, but we also do a lot of other things to help organizations to close their attack resistance gap.

In addition to doing bug bounties, we also look at our researchers and clients and offer pentests. It is an opportunity to engage with our hacker community.

We've also acquired a company called PullRequest that can help companies use the hacker, research, and security community for their development process and find bugs before they actually make it to production.

Sometimes new zero days are discovered, but often known and publicly reported vulnerabilities are exploited. We saw that with MS Exchange Servers and the Log4j library. Do you react to events like this – a significant vulnerability discovery like Log4j?

I was with HackerOne when Log4j happened, and it was awesome seeing how we work with clients and hackers to [mitigate] the crazy 10.0 CVSS [the maximum possible criticality for a vulnerability] type of vulnerability.

We did a survey recently, and it turned out that one-third of organizations see less than 75% of their attack surface. We can't defend what we don't know about. So we helped find assets that might have been affected by this vulnerability, and also, our researchers were able to quickly find bypasses to patches that organizations might have deployed.

Researchers can add more value by saying, hey, I found this way, I added this extra quotation mark and bypassed that patch, and here's another way that we can fix this.

What about the hacker community? Do you have a vetting process for them to ensure they are doing this within legal boundaries and in an ethical manner?

When you sign up for HackerOne, you sign terms of service where you agree not to joke with responsible disclosure. Anyone can sign up, but that only gives you access to public programs.

There's additional vetting that hackers can do. We have a Clear program, so if you meet certain criteria and qualifications and go through a background check, you can apply to be a Clear researcher. It is a checkmark that you get on your profile, just like how you get verified on Twitter, and that would give you access to additional private programs.

Some clients might prefer that type of researcher. Once on the HackerOne platform, you are incentivized to behave ethically and find high-quality bugs. We have different metrics like impact and reputation. The higher the quality and severity of the vulnerabilities you find, the more your metrics increase, and you get invites to more private programs.

Eventually, you can get invited to live hacking events that we do. Just this year, we've done Austin and Vegas, where hackers get to interact with actual clients. This is an awesome experience. As a researcher, the more you are involved on the HackerOne platform, the more additional opportunities you get.

Do you support hackers in any other way? Do you educate them?

On Hacker101, we offer gamified versions of vulnerable applications, and you can try to find the vulnerability and capture the flag. You capture these flags by exploiting different vulnerabilities inside this application. That is an awesome way of learning some of the standard types of vulnerabilities I might see when bug bounty hunting.

We also have an entire team dedicated to teaching hackers and helping them to get started. Many hackers do that [teaching] too, just for the public good. They create YouTube videos, and we invite them to live hacking events so they can do some videos about live hacking.

Can you make a living working through the HackerOne platform? Is it a full-time job or just a hobby for some people?

Both. There are at least 21 hackers that have passed one million dollars. Some say this is their job – they wake up in the morning and make money off the bug bounties.

Some people wake up and say, I want to do a HackerOne pentest, and on the weekend, I'll do a bug bounty.

There are people for whom HackerOne is just a bug bounty space. There are also people, and this is one of the larger groups, who say, I have this security engineering job, I like it, I like the steady paycheck, but I want to hunt for bugs on the weekend. It's a fun opportunity to make some additional money.

It's also a great learning and professional development opportunity. You build a profile that you can share with potential employers if you are ever interested in switching jobs.

Some people enjoy doing things that are not as financially lucrative. They enjoy helping governments to secure their assets and having a safe way to hack on very interesting organizations. It is intellectually very stimulating.

This interview has been edited for clarity and length.