Ethical Hacking and Bug Bounties: An Interview with Debby Chang of HackerOne
In the past several years, multi-billion dollar companies have been hit with massive data breaches, wherein millions of customers’ personally identifiable information (PII), protected health information (PHI), and payment data have been stolen. These companies spend millions on cybersecurity, but things still get overlooked. Vulnerabilities are left unpatched or a misconfiguration is left unfixed. Increasingly, many companies have added an additional layer of security to their defenses through unorthodox means: relying on external hackers to discover these errors, through the adoption of vulnerability disclosure policies (VDPs) and bug bounty programs. CyberVista recently sat down with Deborah Chang, Vice President for Business Development and Public Policy at HackerOne — a platform that facilitates ethical hacking between independent cybersecurity researchers and companies — to discuss VDPs and bug bounty programs.
White Hat Hackers: Ethical Hacking for Security
“White hat” hackers, also referred to as ethical hackers or ethical security researchers, are primarily motivated by the excitement of looking for vulnerabilities and remediating them. Unlike criminal hackers, also known as “black hat hackers,” white hat hackers aim to identify issues in order to improve a brand or product they love, or improve their skill sets. Contrary to popular belief, Chang noted that less than 15% of the 350,000 hackers that partner with HackerOne are driven by bug bounty payouts — payments that are given to researchers who discover security vulnerabilities. Other, more important motivations include solving the problems, remediating the actual vulnerability found, and the pride of being able to hack into a brand or system in which they take interest. She further emphasized that, when utilized correctly, white hat hackers can serve as a cyber “neighborhood watch” to identify security threats before crimes occur.
However, white hat hackers continue to face legal challenges to their work under the antiquated Computer Fraud and Abuse Act, passed in the 1980s. The law empowers the government to seek hefty prison sentences for what are today considered minor violations, even when, as is the case with ethical hackers, the goals are benign and the target company is informed of the activity. Companies seeking to use ethical hacking talent therefore need to establish proper policies and procedures.
Vulnerability Disclosure Policies and Vulnerability Testing
A vulnerability disclosure policy, or VDP, is a written policy that provides guidelines for hackers to uncover security flaws in an organization. According to standards established by the National Transportation Information Administration, a good VDP will identify 5 things:
- Brand Promise – a commitment that the organization will fix vulnerabilities identified by security researchers.
- Safe Harbor – a guarantee that the organization will not pursue legal action against ethical hackers who find and report a vulnerability.
- Scope – a description of what public assets and potential bugs are acceptable to be targeted.
- Communication – a process detailing how a company wants to be informed of discovered vulnerabilities, such as an email address and the style of reporting detailing the issue.
- Remediation Process – a description of how long the company will take to address the bug once it is reported.
After an organization has established a vulnerability disclosure policy and grown accustomed to inviting the public to investigate and report vulnerabilities in its public assets, it can seek out a more formalized bug bounty program — where white hats are paid to find bugs — through a vendor such as HackerOne.
Chang says that while penetration testing has become more common today, continuous vulnerability testing provides greater value. While pen testing can identify vulnerabilities, these tests are usually one-off actions done by a small team of cybersecurity researchers targeting specific assets. HackerOne recommends continuous testing through a mature bug bounty policy and VDP that can help regularly identify vulnerabilities before threat actors can exploit them.
Beginning with its Hack the Pentagon program, HackerOne has now coordinated seven bug bounty programs with the U.S. government. These programs enable white hat hackers to apply their skills to different aspects of government cyber infrastructure with the intent of finding vulnerabilities that the government itself has not identified. The first iteration of Hack the Pentagon alone uncovered 138 vulnerabilities that were “unique, legitimate, and eligible for a bounty,” and the subsequent programs illustrate the effectiveness of this crowdsourced model of cybersecurity in practice.
Not only do major U.S. government agencies trust ethical hackers to identify vulnerabilities in their assets, but top tech companies including Apple, Salesforce, Twitter, and Microsoft all have VDPs and bug bounty programs as well. Even so, less than 7% of companies currently have vulnerability disclosure policies. When deciding whether to adopt a VDP, an organization should consider its cyber risks, its existing security policies, and the impact a potential data breach could have on its business. While still somewhat unorthodox, vulnerability disclosure policies and bug bounty programs can provide a much-needed extra layer of protection for an organization’s most critical digital assets.
CyberVista is Here to Help
Want to see more subject matter expert interviews on cybersecurity topics, tailored to senior executives and board members? CyberVista is here to help. Our Resolve program is designed to quickly get you up to speed on cyber risk, threats, and vulnerabilities. Be sure to check out our Cyber Risk Seminars, offered both on-site and on-demand, which come with our complimentary Executive Briefings — a monthly newsletter that wraps up the latest cybersecurity headlines and what they mean for your organization — and our other subject matter expert interviews.
Interested in learning more about HackerOne and their bug bounty programs? Check out their website here.