There are many misconceptions around the word ‘hacker.’ Often the word has negative connotations, HackerOne, believes in hacking for good. Put simply, a hacker can be defined as someone who is curious and enjoys the intellectual challenge of overcoming limitations. In the context of security, a hacker is anyone who has the skills required to find security vulnerabilities.
Hacker-powered security is increasingly seen as part of a mature security system - that is, tapping the community of ethical hackers to look into your systems, and to discover vulnerabilities before they are exploited by bad actors. Such programs are used by governments around the world including the U.S. Department of Defense, Singapore’s Ministry of Defense (MINDEF) and Government Technology Agency (GovTech) as well as leading brands like Dropbox, General Motors, GitHub, Goldman Sachs, Google, Hyatt, Intel, Lufthansa, Microsoft, Nintendo, PayPal, Qualcomm, Slack, Starbucks, Twitter, and Verizon Media.
Here are the top commonly asked questions that many IT and security professionals have about working with hackers, according to HackerOne.
Who are these hackers who hack on HackerOne?
The hacker community is filled with smart, curious, communal and charitable human beings. Some hackers are full-time application security engineers by day and part-time hackers by night. Many are completely self-taught (84%). Some have even earned over US$1million, securing the Internet one vulnerability at a time. They are youthful, they are curious and they want to hack for good on programs like Uber, PayPal, Airbnb, Gitlab and many more. More than two-thirds of hackers hack for the intellectual challenge. While financial incentives are important, especially as hackers use earning to supplement or replace a traditional source of income, there is more to hacking than just money. They have a genuine desire to help the internet become more secure, with 28% stating that their main motivation is to do good in the world.
Are hackers the same as pentesters?
Hackers and pentesters are sometimes the same, but hackers are not necessarily pentesters. Hackers are paid per finding, based on the severity of the valid vulnerability; whereas, pentesters run traditional penetration testing engagements that are more structured, regardless of the number or type of vulnerabilities they find.
How does HackerOne take responsibility for the hackers in ensuring they are benign and ethical hackers only and would not exploit the vulnerabilities?
There is no incentive for a criminal to participate in a hacker-powered security program because participants are not granted any special access. Many hackers participating on HackerOne look for and report vulnerabilities in public-facing assets. Anyone can take a look at these public facing properties. If an individual had any sort of malicious intent, they would not necessarily sign up for HackerOne, identify themselves and make themselves known.
Hackers can be invited to participate in private, invitation-only programs, but these programs are only open to hackers who have proven themselves on the platform through their results and reputation. Based on that, we know that they have a good track record of working with other customers in a private setting. Hackers on HackerOne establish their reputation over time by helping find security bugs across numerous well-known organisations such as Twitter, General Motors, Spotify, and others. Those reputation points earn them invites to private programs, including those requiring additional vetting like those with the U.S. Department of Defense.
How do I tell the difference between traffic coming from ethical hackers or malicious sources?
If this is a concern for a program, customers can request that hackers tag their traffic and weave specific custom headers into the process. This way, security teams can identify the hacking traffic, setting it apart from any sort of suspicious traffic. Customers can also use HackerOne Gateway, an end solution allowing programs to identify the source range of IPs that hackers are coming from. Through that, security teams can also filter the traffic in the monitoring system and identify suspicious traffic.
What kind of access to company data do HackerOne’s hackers need?
In general, none! If the target access surface is public facing, hackers just need to know the general policies of what is in scope versus out of scope for the program, what sort of vulnerabilities is the organisation looking for as part of their bug bounty program, and what they are not looking to hear about. This is what program policies are for — to align on what teams are looking for.
Have you seen any changes in hacker behaviour since the COVID-19 lockdown?
With more time at home, folks are looking for creative outlets, and, for many, hacking serves that purpose. In fact, according to a recent report from hacker-powered security platform HackerOne, 30% of businesses globally have seen an increase in attacks on their IT systems as a result of the pandemic. This is according to C-Level IT and Security execs at global businesses, almost two thirds (64%) of which believe their organisation is more likely to experience a data breach due to COVID-19.
Is HackerOne compatible for beginner hackers? How much experience is needed to join?
It’s definitely compatible for beginner hackers! For a start, HackerOne oﬀers resources like Hacker101, a free e-learning series for new hackers on some basic skills. We also host capture- theﬂag programs (CTF) to allow hackers to test their chops in engaging environments. Most hackers get started on public programs. Any new hacker looking to try it out can sign up and go to our directory and see all the public programs that are open for participation from the entire community on HackerOne. By hacking on public programs, new hackers can earn “reputation” points to help them work their way to participate in private programs. We also publish a public hacktivity feed, which shows the hacker activity that has been publicly disclosed through our platform. This is a good place to start learning what vulnerabilities other hackers are finding, review bug submission reports, and apply that knowledge to one’s own testing practice.
Contributed By Rena Chua, Bug Bounty Advisor at HackerOne Edited By Zachary Chan