Bug bounty platform HackerOne announced this week that it hit $20 million in payouts, but it's not stopping there.
HackerOne CEO Marten Mickos said in a blog post this week that he wants to quintuple payments, quadruple the number of bugs found, and increase its workforce by a factor of 10—all by 2020.
It's an ambitious goal, but Mickos believes his platform, and bug bounties in general, are the future of cybersecurity. They're cheaper to pay than QA teams, more effective than internal testing, and could save organizations an estimated $10 billion a year.
Take the US Department of Defense (DoD) as an example. It contracted with HackerOne, whose members found bugs amounting to $300,000 in payout. Former Secretary of Defense Ash Carter said that if the DoD had gone about finding those vulnerabilities in a normal way it would have cost more than $1 million.
Hacker-powered security: Is it the future?
Mickos believes that cybersecurity is in a lousy state right now, and that employing skilled, ethical hackers to find flaws is the best possible solution. "Vulnerabilities that go unnoticed by scanners and other expensive security products are more quickly and more cost-effectively found by ethical hackers," he said.
Add to that the fact that hackers aren't getting paid unless they're finding bugs and you have a recipe for faster discoveries, less cost upfront, and, as Mickos said, "you [end up] just one step away from a fix."
Right now HackerOne is sitting at $20 million paid out, 100,000 hackers in the program, and 50,000 bugs found and fixed. Getting to $100 million, a million hackers, and 200,000 bug discoveries is a tough goal in three years, but it just may be doable—especially when the incentives are good for hackers as well.
A highly skilled hacker living in India, where a number of HackerOne's hackers reside, can make 18 times the salary of the average software engineer, according to Mickos' blog post. That's an attractive proposition for anyone living anywhere.
Like any freelancing or crowdsourcing platform, that comes with a warning, though: That 18-times figure only applies to the smallest fraction of HackerOne's user base—realistically, most won't ever see a payout.
Regardless, using hackers to find security holes is very likely to be the way the industry goes. "Look at the examples of Google, Facebook and Microsoft," Mickos said. "They operate the most modern software deployments and are the world's biggest users of hacker-powered security, spending millions a year rewarding external hackers for helping them find flaws in their systems. Arguably, they are among the most secure companies in the world."
Their examples, he said, are invariably going to be done at smaller scales by smaller companies, which is where HackerOne comes in: They're the connection between the companies and the hackers who want to break into them.
The growth figures HackerOne wants to meet in the next three years are extraordinary to say the least, but those figures could be within reach. "This model is providing the new computer-savvy generation a rewarding way to be useful to society and build a successful career making the internet more secure," Mickos said. And better security is something we definitely need.
Top three takeaways for TechRepublic readers
- Bug bounty platform HackerOne recently announced it has paid out $20 million in bounty rewards from 50,000 found and fixed bugs. In the next three years HackerOne believes it can grow from 100,000 hackers to 1 million, reach 200,000 bugs found, and increase payouts to $100 million.
- Using HackerOne to find bugs is cheaper than hiring security firms to do the same thing—the US DoD, for example, paid out $300,000 in bounties and would have spent over $1 million to hire a team.
- Highly skilled and successful bug bounty hunters in India have made as much as 18 times the income of the average software developer. That figure may vary per country, and those kinds of incomes are rare, but it makes enlisting with HackerOne an attractive proposal.
Brandon Vigliarolo has nothing to disclose. He does not hold investments in the technology companies he covers.
Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.