HackerOne, the famous bug bounty platform, has reached $20 million in rewards handed out to white hats.
This is great news, because it shows just how active ethical hackers are in tracking down all types of issues with the tools we use all day long, problems that could otherwise result in us all losing access to services, getting hacked, and so on. It also shows that people with hacking skills can make a pretty penny with this type of work, choosing the legal path rather than the “dark side.”
Just recently we had a chat with Edwin van Andel, ethical hacker, and CEO of Zerocopter, another platform that offers bug bounty programs to companies. During our conversation, he admitted that such programs could very well turn black hat hackers into white hats.
“It gives them peace and quiet, extra earnings and a way to show the world how smart they are. And as I tell the world in my presentations: Most hackers are good hackers. Willing to help. Willing to assist in creating a more secure connected world,” van Andel said of the situation.
And it’s really no surprise because bug bounty programs give hackers the chance to flex their muscles, discover how much they can do, dig for vulnerabilities and so on, without risking going to jail for it. Sure, there are hackers out there that will never choose the greater good over their own, who would rather harm services, people, and governments, and there’s nothing we can do about that, much like there are bad people on the streets that want to rob you, for instance.
The fact that bug bounty programs are so successful with hackers and companies alike is a good sign for the future, mostly because it means the services we use online are that much safer. Any vulnerability discovered by a white hat hacker, and patched by the affected company, is one less vulnerability that black hats can exploit and turn against us. Some vulnerabilities are more dangerous than others, but all of them can affect our online lives in some way or another.
WannaCry killswitch takes the cake
To honor the $20 million milestone reached by HackerOne, the company went on to present the most upvoted reports ever submitted on the platform. While all of them are important, the one with the most votes was the WannaCrypt killswitch discovered by MalwareTech, or Marcus Hutchins, deemed a hero for putting a stop to the spread of the ransomware attack. HackerOne awarded him $10,000 for it, money he said he’d donate.
In second place was the vulnerable deserialization function in PHP leading to a remote shell on a production server of Pornhub, for which the white hat was awarded $20,000. In third place was the Jenkins instance which would allow login to Snapchat with any valid Google account, further enabling access to sensitive API tokens and source code, for which the ethical hacker received $15,000.
These are all pretty big rewards, but there are other programs where ethical hackers can get even more. The prize money depends, of course, on the seriousness of the vulnerability they discover.
Many big companies run in-house programs, such as Google and Microsoft. Google, for instance, will award white hats up to $200,000 for critical Android issues, while Microsoft has a limit of $100,000 for Windows vulnerabilities.
For those who possess the necessary skills, this line of work can prove to be quite lucrative. As much as black hat hackers will try to undermine everyone’s security, it seems that the “army” of ethical hackers and researchers continues to grow, looking to keep us all safe.