
Ask HN: How was your experience hiring a white hat hacker? - jklontz
How did you find them? Was it worthwhile? Any recommendations for a company paranoid about IT security and considering hiring one?
======
big_youth
I'm a white hat hacker!

I think a better question is: what are you looking for, or what type of
organization do you run or work for? A good security firm can provide
application reviews to find everything from XSS bugs in your web app to remote
code execution in kernel components. This is done either black-box or source
assisted and staffed with a team reflective of the size and complexity of the
application.

Another aspect of security assessments can be network and infrastructure;
these generally mean someone running nmap and looking for entryways further
into your network. I am biased, but my organization almost never fails to find
critical bugs or breach networks.

I'm not a salesman, but my firm is NCC Group, a global pure security
consulting firm, which means we don't make or push products. We also have tons
of research [https://www.nccgroup.trust/us/our-research/](https://www.nccgroup.trust/us/our-research/)
which you can check out to see a sample of what you'd be paying security
consultants for.

------
ladytron
My firm was referred to a firm that needed us through the leader of the local
Python user group.

The client needed us to review code and act as a witness in a court case on
very short notice.

It was interesting work, but a bit frightening once we did some research into
the black hat hacker who had been warring with the client.

I would say to make sure you are hiring a WHITE hat hacker, and pay
accordingly. Do your research, check recommendations by past clients and the
community, and do a background check at minimum.

------
uladzislau
HackerOne worked really well for us; it's a crowdsourced, bounty-based
marketplace for white hat hackers.

------
elyrly
Bugcrowd leaderboard provides insight into the top bounty hunters -
[https://bugcrowd.com/leaderboard](https://bugcrowd.com/leaderboard)

------
martenmickos
The safest and most convenient way of hiring a white hat hacker (a.k.a.
ethical hacker) is to run a bug bounty program and get the input of many of
them.

HackerOne is the leading bug bounty platform.