
$100M in bounties paid via HackerOne to ethical hackers - badRNG
https://www.bleepingcomputer.com/news/security/100-million-in-bounties-paid-by-hackerone-to-ethical-hackers/
======
guessmyname
> _$100M in bounties paid by HackerOne to ethical hackers_

Not by HackerOne per se but the companies using the platform.

A better title would be _“$100M in bounties paid to ethical hackers by
companies via HackerOne”_.

To be fair, the original message on Twitter reads much better than the title
of the article:

> _HackerOne is proud to announce that hackers have earned $100 Million in bug
> bounties by hacking for good on our platform._

I was on both sides of this: leading the security team at a company paying bug
bounties via HackerOne and also reporting security problems to other companies
as a freelancer. To be honest, the experience was always bad in both cases. I
wasted several hours triaging bugs reported by “hackers” that often
disregarded the conditions of our bug bounty program. People reported the
most trivial things, and we would have to pay them anyway just to move on;
otherwise they would end up ranting for days.

On the other side, as a bug bounty hunter, the experience is also awful. One
of the biggest problems is the fact that you have no way to know if another
person has reported the same issue, so you spend hours if not days documenting
a vulnerability and creating proofs of concept (PoCs), and it is only after your
submission that you get a message saying “closed: duplicate issue”. Add to
that all the back-and-forth trying to justify more complex issues that are
slightly more difficult to prove without damaging the system you are testing.

I am glad so many companies and people are still onboard with this service,
but I wouldn’t blame anyone for closing their account after all the bad
experiences I had.

~~~
DoofusOfDeath
> HackerOne is proud to announce that hackers have earned $100 Million in bug
> bounties by hacking for good on our platform.

(Tangent) Can anyone recommend a coherent interpretation of that statement?

I know what it means for an individual person to be proud. And I could see an
argument for extending that notion to a group of persons _if every_ person in
the organization was proud.

But I assume HackerOne has had employees / members come and go over time. And
I also assume that some of the past or current members _don't_ share that
feeling of pride for this particular milestone.

So the only interpretation _I_ can think of is that the person writing the PR
was being sleazily vague. I.e., trying to get the audience to take a sentiment
that's only meaningfully applied to individual humans / animals, and getting
them to unwittingly apply it to a brand name instead.

Is there a better explanation that eludes me?

~~~
qeternity
Not really sure what you’re getting at here. Without getting into the
boilerplate corporate “we’re helping the world”, it’s a perfectly coherent
sentence.

------
mjayhn
This is a tangent but it's been fascinating watching the infosec community
grow on twitter. It makes me feel super out of the loop with a huge part of my
field (I'm more dev/architecture but of course security is important). I kind
of dove into it a tiny, tiny bit the last week. I figure with all this time at
home for quarantine I might as well start playing in CTFs, etc., and hone some
skill I'm so used to only using in a reactionary manner.

I'm honestly envious of their community and all of the tools they've created
and tutorials and everything for newcomers. They've done a great job getting
anyone who is remotely curious the ability to dabble.

When I was coming up as a sysadmin "rtfm."

Anyway, are people making lucrative careers out of bug bounties? What do these
"infosec CEO" twitter people do day to day? Their goal is to hit bounties and
sell pentesting/exploits I assume?

~~~
lowdest
> They've done a great job getting anyone who is remotely curious the ability
> to dabble.

Any suggestions where to start? I'm several years out of the scene and would
love to be reacquainted.

~~~
mjayhn
I've only done a few hours of research so far and done little hacktivities
([https://tryhackme.com/hacktivities](https://tryhackme.com/hacktivities)).

Then there's hackthebox
[https://www.hackthebox.eu/](https://www.hackthebox.eu/) I haven't used this
yet.

Mostly I just grab stuff off of twitter/reddit, I don't really know who to
recommend right now, I kind of just followed a ton of relatively random open
source infosec people organically, but none really scream "has guide for
diving in or is a great intro person" off the top of my head.. (maybe
@troyhunt),
[https://www.reddit.com/r/netsecstudents/](https://www.reddit.com/r/netsecstudents/)

Hopefully someone else can chime in because I'd like to know more as well.

~~~
hnick
I've not seriously started but am considering it. I've only done a few toy
problems myself.

On the YouTube side for people who are a bit more casual like me, John Hammond
and Live Overflow both seem pretty good for beginners.

John has a bunch popping up on my feed where he runs through a CTF or hacking
room and steps through his process, like this SQLite timing attack
([https://www.youtube.com/watch?v=DYLDG_2Vs3E](https://www.youtube.com/watch?v=DYLDG_2Vs3E))
which I found interesting since I knew the concept but hadn't seen it in
action before.

Live Overflow also explains things pretty clearly and has covered a variety of
topics like using Ghidra, hacking an intentionally hackable MMO, or recreating
patched XSS flaws.

I think it's really good to pick a niche first and stick to it, reverse
engineering code looks fun but I'm not sure how commercial that skill is
compared to busting open web apps.

If you want something to poke and prod at there's also Damn Vulnerable Web
Application (DVWA) at [http://www.dvwa.co.uk/](http://www.dvwa.co.uk/)

------
jamez1
Seems a bit funny: the top scorers didn't have a few massive bounties, but
many, many little ones. Both of these accounts made most of their hits on
Verizon. To get those kinds of rates it's probably the same type of flaw
present in many places of the system.

It's questionable if these companies are getting massive value for money if
most of the bugs are oversights rather than intricate flaws in a bespoke
process.

[https://hackerone.com/try_to_hack?filter=type:bounty-awarded](https://hackerone.com/try_to_hack?filter=type:bounty-awarded)
[https://hackerone.com/mlitchfield?filter=type:bounty-awarded](https://hackerone.com/mlitchfield?filter=type:bounty-awarded)

------
vmception
I feel that bug bounties are still undervalued, and the market is still
inefficient because the prices are unilaterally set by companies.

The only other publicly disclosed signals for market price come from third
party companies and state actors.

The other signals are not public and hard to quantify; they come from trying
to weaponize and monetize exploits yourself. This results in potentially
incurring various forms of liability, or reducing that by selling information
to a different broker, who will eventually find someone to weaponize or
monetize a piece of the exploit. This part is a much more efficient market,
but it is not vertically integrated.

The prime bug bounties seem to be trending upwards in value, with the bottom
being crowded and with non-serious companies testing the waters.

Does anyone have any ideas to make the value of bug bounties more dynamic
and elastic, trending upwards towards their true value in line with the growth
of the sector?

~~~
AmericanChopper
I see bug bounty programs as just being another example of InfoSec
charlatanism. People do bug bounties because InfoSec people say you should do
bug bounties, and not doing what InfoSec people say you should do implies some
sort of malfeasance. But the value of them is remarkably questionable. For
starters they are absolutely not a replacement for pen testing, having a bug
bounty is not a sufficient substitute for any of the pen testing that you
should be doing. The bugs you have reported are also typically of
incredibly low value. Most of the reports you get through bug bounty programs
are just the output of open source scanning and static analysis tools. You get
no-effort reports for things like frame-able content and “your mobile app has
a dependency, which has a dependency, which was compiled with marginally
sub-optimal flags”. Actually valuable reports do make it through, but I
seriously doubt having a bug bounty program is more effective than publishing
a security email address on your website. They’re mostly just spam generating
services that invite people to try to pressure you into coughing up some money
for largely trivial nonsense.

~~~
tptacek
Bounty submissions are _mostly_ scanner spam; maybe _almost entirely_. But
every once in a while you get a serious and important report, and you wouldn't
have gotten it without the bounty. Retain 3 different pentesting firms to hit
an app and their reports will overlap maybe 70-80%; similarly, bounty people
find different stuff as well.

~~~
AmericanChopper
> But every once in a while you get a serious and important report

Yes this is true.

> and you wouldn't have gotten it without the bounty

Of this I am highly skeptical. Most companies that I’ve worked at who don’t
have bug bounty programs get the occasional serious report. These reports were
submitted to companies before bug bounty programs were even thought up. Bug
bounty services just seek to capture value from something that was happening
long before they were invented, and I’m highly skeptical of them having a
significant impact on generating serious reports that otherwise wouldn’t
exist.

The other issue is that everybody has a finite security budget, and dealing
with the spam is going to (perhaps significantly) eat into that. In those
cases, it’s taking money that could be spent on something with a decent ROI,
and redirecting it to essentially just creating busy work for your security
team (or spending their budget on paying somebody else to do that busy work).

I think they really only exist because a lot of security professionals don’t
really know what they’re doing, and a lot of their employers don’t really know
what they’re supposed to be doing.

~~~
tptacek
I watched it happen, several times, on projects where I not only had _6 weeks
of undivided time_ to run an app assessment before I took over their bounty
program, but the client had contracted assessments from other firms prior to
me being involved.

It's also a refrain I got from almost everyone I asked about running bounty
programs.

A fundamental truth I don't think anybody who does appsec assessments
professionally can escape: multiple audits of the same target will turn up
different bugs. It happens even if the same people do both assessments! I've
never talked to a software security professional who pushed back on this;
maybe you'll be the first.

~~~
AmericanChopper
> A fundamental truth I don't think anybody who does appsec assessments
> professionally can escape: multiple audits of the same target will turn up
> different bugs.

I completely agree with this.

> I watched it happen, several times

I don’t doubt you have, but this is anecdata. I wouldn’t want to draw any
conclusions from this, especially because it conflicts with a lot of my own
anecdata.

Auditing/security testing is something you could infinitely devote
incrementally more budget to, and infinitely receive incremental returns from.
While I question it provides as much benefit as you’re describing, it can
certainly provide a benefit. My issue with it is that, in my experience, it
has always had a bad ROI. The resources that you have to devote to dealing
with the spam make extracting any value from bounty programs a very expensive
exercise. I’ve personally seen people devoting more than one day a week to
managing bounty programs that they were lucky to get one good report per year
out of. Imagine how much more value they could have gotten from having a
security engineer spending a full day per week threat modeling with the
product engineers.

Perhaps the ROI is different if your department is over-funded, or if you have
a big brand that people want to write self-promotion blogs about. But any time
I hear a security professional parroting the importance of bug bounty
programs, the cynic in me wonders whether they’re just looking for some
low-skill busy work for themselves.

~~~
tptacek
I think we'd have to struggle to find a clear debate between the two of us. I
just wanted to make the point that people run bounty programs because they do
in fact turn up black swan bugs, even after the repeated pentests that most of
these firms have already engaged.

------
kerng
As a company you should do bug bounties, but in addition to, not as a
replacement for, doing your own testing.

The reason: bug bounties fundamentally favor the companies that sign up.
They pay next to nothing for getting a lot of eyes on their site, and here and
there a valuable find will be made.

Rewards should probably be much higher, like 10x I think, to attract better
researchers.

Also, the latest invention of private programs, where testers aren't even
allowed to talk about it or share finds afterwards, is a joke as well - it's
all just in favor of the companies. They basically buy the researchers'
silence, e.g. they can dismiss a find and not pay and just say oops, duplicate.

For someone skilled and interested in infosec there are better ways to make
money.

~~~
lawnchair_larry
This is correct in theory but not in practice. Commodity bug bounties have
become somewhat of a failed experiment. For most companies, they cost more
than they are worth, and that cost doesn’t even come from the reward payout.

~~~
kerng
That's a good point, but if I understand correctly HackerOne staff have to
triage bugs before a company is even responding or required to look at it? So
it's all offloaded, or is that incorrect?

------
ngneer
The missing figure is how many hours those hackers spent. Most of the
companies that were on HackerOne when last I checked are using the platform as
a kind of a substitute for contracting with a pen test firm. Things like "will
you break my website". With bug bounties, the payout is only for
vulnerabilities found, not for analysis effort, and therefore one has to
carefully weigh the expectancy. I think that vulnerabilities found is the
wrong metric for the industry, because it is really downstream of the true
desire. If anything, the metric should be complexity removed. Prove that you
made the system simpler.

------
dpeck
"ethical hacker" is such a trash term.

~~~
lawnchair_larry
For what it’s worth, nobody who actually works in security uses it, and they
mostly cringe when others do. That and “cyber” are pretty good smell tests
that you’re interacting with someone who is very out of touch.

~~~
dpeck
Yeah, old (by today's standards anyway) infosec hacker here. "cyber" has
always been a fed/consultant tip-off.

------
semisober
Here's a link to "The 2020 hacker report" by HackerOne

[https://www.hackerone.com/lp/resources/2020-hacker-report](https://www.hackerone.com/lp/resources/2020-hacker-report)

I've looked through it and there's some nice information on how the hacker
industry emerged and grew into what it is now; it talks about money earned by
ethical hacking as well.

------
29athrowaway
Paid through HackerOne not by HackerOne.

------
darepublic
What if I introduce security bugs only to be paid a bounty on them later?

~~~
saagarjha
I believe that most platforms have restrictions barring you from submitting
bug reports if you're affiliated with the company offering them.

~~~
hnick
Easy loophole, work with a friend.

~~~
lawnchair_larry
And risk losing your 100s of k a year career for a $250 Amazon gift card.
Knock yourself out.

------
shafner99
Worth every penny

