
Ask HN: Do I need a bug bounty program? Feeling a bit threatened by HackerOne - scared_of_hacks
I got a sales email recently from someone at Hacker One and they said that "Teams who push code on a regular basis need continuous coverage on their attack surfaces." and that, "If security is a priority for you and [COMPANY NAME], I want to make sure you and I connect."

I understand how the sales process works, but I'm kind of starting to feel after the second cold email that this is a bit mafia-like. I'm basically being told that my kneecaps are going to be bashed in by hackers if I don't respond to this sales call, at least that's how I'm reading this communique.

I was thinking a good way to respond would be to at least put something about responsible disclosure on our "Contact Us" page, and that we'd pay a bounty if someone finds something out of the ordinary. A security professional told me allowing responsible disclosure is the first step. We're a very small company though, I'm the sole developer. I know security is important, and I try to follow best practices - but has anyone else gotten these emails and felt a bit threatened?

I don't mean to insinuate that Hacker One is going to be doing hacking themselves, I'm not a conspiracy theorist. I'm just wondering how people are reacting to getting emails like this?

Thanks for any perspective.
======
martenmickos
Thanks for raising this issue.

HackerOne will NEVER threaten you or do anything to reduce your security. You
can safely ignore our sales emails if that's what you want to do. We are just
trying to be helpful.

But we do have the absolutely best set of programs for companies of all
stripes. To start with, you can open a vulnerability disclosure program that
costs you nothing. It will allow hackers to submit vulnerability reports to
you. We run numerous programs of this type for startups and other companies.

Our mission is to empower the world to build a safer internet. That's it.

Marten, HackerOne CEO

~~~
scared_of_hacks
Thank you so much Marten for your direct response!

I'm sorry if my post came out as at all harsh. I respect what you guys are
doing. I just had those honest reactions to the communication I got.

Maybe putting some general pointers on getting started in emails like this for
really small companies would come across as a bit less threatening? That way,
you can be the guide early on, then we can become partners later when we have
the scale.

Good luck with your build!

------
ovi256
If this isn't guerrilla PR for HackerOne, I don't know what it is.

It's set up just the perfect way to make us answer "oh but that's just normal
salesmanship and reasonable".

Well played if true.

~~~
ParameterOne
Google Trends says HackerOne spiked today at 4pm on the 7 day search.

~~~
kronos29296
Is this the power of Hackernews I wonder? If so I am impressed.

~~~
Kpourdeilami
Sometimes when a link makes it to the front page of HN, the website goes down
due to the number of HNers who try to access it

------
throwaway52123
It's all marketing. I would ignore it and move on with your life.

Allowing and encouraging responsible disclosure is never a bad idea. That
said, if you're a young startup, I would focus on practicing and promoting
good security hygiene within your company. Secure coding best practices,
locking down infrastructure, that kind of thing. I wouldn't overcomplicate it
or stress too much unless your product _needs_ special security attention
(i.e. you are a bank or likely to be hacked by a nation state or something).
If you're the only technical person and you're already doing this, it does not
sound like you have much (anything?) to worry about outside of the norm.

I hope that can help you sleep better at night :-D

------
Rannath
How much does a bug fix save you? How much is that worth? Are you popular
enough that people are constantly trying to break your security? Bounties are
cost saving measures.

------
NameNickHN
I wouldn't worry too much about it. In my opinion a bug bounty program is
another marketing tool of big companies. They have to portray an image of a
company that cares about security.

From my experience if you are a small company and fix a reported bug in a
timely manner, nothing bad will happen. As long as your customers see that
you're reacting quickly, everything is going to be fine.

------
gt565k
Jeez, sending cold emails is mafia-like?

Sounds like paranoia.

Ignore the emails and move on with your life.

~~~
scared_of_hacks
Well...

I want to ignore the email.

But what if we do get hacked in the next few months?

I can ignore it...but yeah, I am definitely paranoid about what might happen
if I do! You know?

~~~
zamalek
I deleted another comment, but this is a far simpler analogy. As a nightclub
owner it is prudent to hire a bouncer. Why? Not because the bouncers are
making trouble outside your establishment (as a racket would do) but rather as
a form of insurance against future miscreants.

Hiring a company like HackerOne (we've hired a competitor) is simply a very
wise idea - that is all their email is pointing out. You are currently running
a nightclub with no bouncer, you are currently vulnerable (all software is).
Get some help by contracting or hiring.

