Meet The Company That Helped Twitter Launch Its Bug Bounty Program

Sep 9, 2014, 02:26 IST

Last week Twitter unveiled a brand new bug bounty program that pays security researchers (or hackers) to report vulnerabilities on its platform.


We decided to reach out to HackerOne, the company behind the bounty program, to learn more about how tech companies communicate with independent hackers to better protect their products and services. HackerOne's platform helps companies of any size - including big ones like Twitter and Yahoo - streamline their bug reporting programs, with or without a cash reward bounty.

The platform, which launched publicly in 2013, "streamlines the exchange between a researcher and the response team," HackerOne CPO Katie Moussouris told Business Insider.

Before moving to HackerOne, Moussouris worked for Microsoft as a security strategist and helped them build up an in-house vulnerability team.

"I saw a lot of the manual labor that a large company could afford to do," she said.


For smaller startups that may not have the time and/or manpower to deal with bug reporting, HackerOne offers a helping hand. For instance, it'll recognize if multiple hackers report the same bug so the security team doesn't need to deal with tons of emails. This frees up their time to work on more serious coding issues.

Twitter definitely has the time and money to work on security issues in-house - they've got talent like former NSA employee Charlie Miller - but HackerOne gives them some extra padding, just in case Miller can't find everything out there.

"Twitter is a great example of a company who brings in-house some of the great talent, but you can't hire everybody," Moussouris told us. "So for that, you want to have an outward-facing program that brings in anyone - a researcher, customer, partner, it could be anybody."

While Twitter (via HackerOne) now offers cash rewards for discovering exploits, not all programs run through HackerOne necessarily include bounties. Moussouris told us that even Twitter tried HackerOne's service for a few months without a cash reward before adding that extra incentive.

But according to Moussouris, a cash reward is just one part of the motivation for hackers. They're in it for the recognition. If they can say that they noticed a huge security problem on Twitter, that's a big deal. And it can also potentially help them further their career as a security researcher, maybe leading to a full-time position at a company.


Many of these hackers are also teaching themselves and need to get experience under their belts. So a few hundred dollars is a nice prize, but they're also focusing on building a strong C.V.

HackerOne also offers its "Hall of Fame" to recognize those researchers and hackers, but the thrill of taking on a challenge is also often enough to drive these individuals to help with bug hunting.

"It's really intellectual curiosity, or the pursuit of intellectual happiness," Moussouris said. "They want to see if they can."

Apparently the curiosity is paying off. According to HackerOne's site, it has led to 3,776 bugs being fixed, $1.18 million in bounties paid, and 820 hackers being "thanked," all for 66 different public programs.

"If anybody has software out there, there are good guys and bad guys looking at it," Moussouris said. "If you've got anything worth protecting, data for users, financial information, somebody is going after it."
