Good Guys Protecting the Internet, From Pornhub To The Pentagon

Cybersecurity should be on everyone's mind in this day and age, but it's very difficult to implement. Bug bounty programs mobilize the good guys of the internet to help companies protect themselves before the bad guys can hurt them. HackerOne establishes trust between hackers and companies and provides a marketplace for discovering and fixing bugs.

Why Security Matters

In just one day, we create 2.5 quintillion bytes of data.[1] A lot of this data is data we don’t want others to know, like our bank account information, the things we say behind our boss’ back, or whom we are having affairs with. Yet we are bombarded with a continuous stream of security breach horror stories: 40 million Target shoppers getting their credit card information stolen, personally identifiable information of 78.8 million insurance policy holders floating around, and the whole world reading a Sony producer’s evaluation of Angelina Jolie as “a minimally talented spoiled brat.” [2] [3] [4] Whether it’s embarrassing or hilarious, a security breach often leads to lawsuits and has an unfathomably heavy cost for the company and its customers. Naturally, cybersecurity is becoming a priority for everyone.

[1] Jolie and Pascal post Sony Hack. Awkward…
Is Cyber Security Rocket Science?

Guarding a website against hackers is incomparably more challenging and complicated than keeping burglars out of a house. Unlike a house, with one door and a few windows, a digital property has a host of access points. Most digital property is also under continuous development; with new features and improvements, the product is always shapeshifting. And because developing and maintaining a product involves so many parties, including third-party APIs, it’s hard to know exactly where the product begins and ends.

Bug Bounty: There are Good Guys Out There

As early as 1995, big companies like Netscape figured out a way to reduce the risk of getting hacked: placing a bounty on a bug. [5] Although it sounds like an oxymoron, well-intended hackers exist. Companies can pay these white hat hackers—engineers who are skilled enough to find weaknesses but are not malicious enough to exploit them and commit crimes—to test their systems and identify vulnerabilities. Unfortunately, bug bounties did not catch on for a while, because trust between companies and hackers, even ones whose intentions are good, was hard to establish.

HackerOne

HackerOne’s founders, Prins and Abma, were exactly this kind of white hat hacker: they enjoyed hacking websites but did not want to become criminals, and in fact thought about how companies could fix their vulnerabilities.[6] Seeing how difficult it was for white hat hackers and companies to establish trust and interact, Prins and Abma built a platform connecting the two. (From here on, “hackers” will be referred to by the more politically correct synonym, security researchers.)

By putting a monetary value on bugs, HackerOne incentivizes security researchers to take the time to find loopholes and report them to the companies instead of using them for criminal activities. Companies can communicate and transact with security researchers through HackerOne: vetting vulnerability submissions, paying researchers, and building solutions together. The implications of white hat researchers protecting companies against the black hats, the bad guys, are far reaching: we can make the internet great again.

[2] Pornhub’s listing on HackerOne
[3] Pornhub’s bounty price list on HackerOne
An Unconventional Client List

Unsurprisingly, big tech companies like Facebook, Google, and Uber have flocked to HackerOne to start bug bounty programs, inviting white hat researchers to poke around their assets. In its first 100 days, Uber paid out $345,120 and fixed 161 unique vulnerabilities.[7] This July, three security researchers made $22,000 for identifying a serious weakness in Pornhub.[8] The researchers never clarified why they were on Pornhub in the first place, but they did help protect the identities of Pornhub’s 60 million daily visitors. Even the Department of Defense recently hired HackerOne and has paid out $150,000 to “Hack the Pentagon”, a productive campaign that would have cost $1M if they had hired a contractor.[9]

[4] Recent Bug Submissions on HackerOne
What’s Next?

While companies like HackerOne provide researchers to stress-test assets on the internet, I think a natural next step lies in physical assets. HackerOne resolved the issue of mistrust between researchers and companies and created a marketplace for bug discovery. If they were able to expand the scope of bug bounties to physical assets such as data warehouses or company sites, to prevent mischievous practices like tailgating or malicious USB sticks, I think companies would be able to enjoy added layers of security for their often neglected offline assets on top of their online assets.


(Word count: 793)


[1] “Bringing Big Data to the Enterprise.” IBM. Accessed November 17, 2016. https://www.ibm.com/software/data/bigdata/what-is-big-data.html.

[2] Pagliery, Jose, and Charles Riley. “Target Will Pay Hack Victims $10 Million.” CNNMoney. Accessed November 17, 2016. http://money.cnn.com/2015/03/19/technology/security/target-data-hack-settlement/index.html.

[3] Elkind, Peter. “Sony Pictures: Inside the Hack of the Century.” Fortune. June 25, 2015. Accessed November 17, 2016. http://fortune.com/sony-hack-part-1/.

[4] Mathews, Anna. “Anthem: Hacked Database Included 78.8 Million People.” WSJ. February 24, 2015. Accessed November 17, 2016. http://www.wsj.com/articles/anthem-hacked-database-included-78-8-million-people-1424807364.

[5] Burningham, Grant. “The Rise of White Hat Hackers, Our Modern-day Web Cowboys.” Newsweek. January 31, 2016. Accessed November 17, 2016. http://www.newsweek.com/2016/02/12/white-hat-hackers-keep-bug-bounty-421357.html.

[6] Ibid.

[7] Fletcher, Paul. “100 Days Into Uber Engineering’s Public Bug Bounty Program – Uber Engineering Blog.” Uber Engineering Blog. August 11, 2016. Accessed November 18, 2016. https://eng.uber.com/bug-bounty-update/.

[8] Spring, Tom. “PornHub Hack Earns Researchers $22,000.” Threatpost. July 25, 2016. Accessed November 18, 2016. https://threatpost.com/pornhub-hack-earns-researchers-22000/119450/.

[9] Kuldell, Heather. “DOD Wants You to Hack the Pentagon Again and Again.” Nextgov. October 21, 2016. Accessed November 18, 2016. http://www.nextgov.com/defense/2016/10/dod-wants-you-hack-pentagon-again-and-again/132539/.

Pictures

[1] THR Staff. “Angelina Jolie Speaks Out for First Time on Insults From Sony-Hack Emails.” The Hollywood Reporter. November 5, 2015. Accessed November 18, 2016. http://www.hollywoodreporter.com/news/angelina-jolie-sony-hack-amy-pascal-837389.

[2] “Pornhub on HackerOne.” HackerOne. Accessed November 18, 2016. https://hackerone.com/pornhub.

[3] “Pornhub on HackerOne.” HackerOne. Accessed November 18, 2016. https://hackerone.com/pornhub.

[4] “New Hacktivity List.” HackerOne. Accessed November 18, 2016. https://hackerone.com/hacktivity?sort_type=latest_disclosable_activity_at&filter=type%3Aall&page=1.

Student comments on Good Guys Protecting the Internet, From Pornhub To The Pentagon

  1. Dear Brittney,
    It was a super informative and interesting blog to read. As you said, cyber security became one of the most important assets, especially when it comes to financial transactions or health-related information. The bigger problem is that it is really hard to protect because technology always outpaces the existing safeguarding methods. It was also interesting to know that diverse companies including Uber are investing in the cyber security domain. Again, it was helpful and exciting to read your blog. Thank you.

  2. Thanks for the post Brittany – a really interesting topic. I am keen to understand the type of margin HackerOne reserves for itself. Do companies have to request HackerOne’s services, or do the security researchers visit large online platforms to test for weaknesses independently? Cyber security is something that I am woefully ignorant of; however, your article highlights its importance and, in some respects, the urgency with which we need to move to protect sensitive online content.

    1. HackerOne serves as a portal (kind of like a job site) listing all the companies’ assets (like which websites to find bugs on) and policies (like what’s an acceptable bug).

      When you log in as a hacker, you’ll see the list of bounties for bugs, like a menu. You can only report bugs to the company through HackerOne’s platform, and get paid only through that platform. I’ve never been on the company’s side, but HackerOne probably takes a commission and might also charge to get a listing up.

  3. This is super interesting, and recent events have shown how critical these types of services are (the PornHub example reminded me of the scandal with Ashley Madison’s users being leaked). McKinsey has started providing consulting services around cybersecurity. Riot Games has a whole internal team dedicated to this as well (with the analogy of Star Wars being used, since the skills required to hack can be used for good versus evil). As HBS students we see the required use of Duo Mobile to protect our information, which is reflective of the trend of companies requiring their employees to use this app as well to protect proprietary information.

    I’m surprised that the big savvy tech companies you listed are using HackerOne. Wouldn’t they have their own internal teams? This brings up my concern with the long-term competitive advantage of HackerOne if eventually every company should establish expertise on cybersecurity. Or is this a skill that should be outsourced?

    1. I had a very similar thought when reading this post. To add to it, I would imagine that certain organizations (e.g., the US Government) might view this as a way to recruit: have people work on these projects, feel a sense of mission, and get pulled into the internal team that works on even bigger issues. I wonder how HackerOne can retain talent, especially if a lot of the most critical projects are still done internally (which may not be the case for many organizations, in which case, being a HackerOne employee could have high value in the diversity it provides, a la consulting).

  4. I love the idea of white hat hacking. My question is – in the long term, are incentives going to stay as pure as they are now? Helping companies discover flaws by hacking seems akin to robbing banks and offering a service as a security guard. I think right now there is not a lot of competition in the hacking-for-hire space and HackerOne has an excellent advantage, but if they are competing for business in the future against a competitor, is no one incentivized to cause some serious damage or a violation of security to then offer the service to secure it at a price? Additionally, technology is changing so rapidly that systems used for security now will definitely be outdated in 2 years, so how often do you need to keep switching to a new hacking security team with a more up-to-date understanding of the ecosystem? Is this not a service a company would be better and more securely able to do in-house?

  5. Great blog post, Brittany! My question is: what is the incentive for companies and hackers to keep the transaction on the platform? I would think that companies like Uber have a constant demand for hackers to help identify bugs (since the tech is always evolving), and if Uber was able to find and engage with a highly-skilled “security researcher” through HackerOne, wouldn’t Uber want to contract this person long-term or take future transactions off the platform (cut out the middle man i.e. HackerOne)? I would think so, since companies are looking to engage these security researchers in coming up with solutions to the bugs — which seems like a more involved project than just identifying issues. I imagine anonymity would be very important for these security researchers, and they may prefer to engage in these freelance projects on HackerOne on their own time as opposed to having a longer-term engagement with one company — but having a direct relationship with a company might provide more stable income and make it easier to find bugs and devise creative solutions to these bugs (having a deeper knowledge of the company’s tech after spending more time on it?).

  6. Brittney, very interesting post. As you mentioned, the need for increased cyber security is only going to increase over time as the information becomes more valuable and the technology more complex. Several people have commented on what prevents HackerOne from simply being cut out of the chain. While I think this is an interesting question, what I wonder is whether this type of reward is sustainable for companies. The reward values you presented seem pretty minimal, especially when compared to the cost of a contractor for the same work. Can companies continue to entice such low-cost solutions to cyber security as the value of what they are protecting continues to rise? Are they offering big enough rewards to entice the top talent to work for them? Right now we have seen a lot of data breaches released publicly; I think it is only a matter of time before the data these companies hold may be used to extract ransoms or similar payments for its return that could dwarf this reward. Has HackerOne started to look at expanding their service in any way to be more than a hub to link companies and white hats?