Companies Are Paying Millions For White Hat Hacking

White hat hackers "are in very high demand," says PwC's director of cyber investigation and breach response, in a New York Post article titled "Companies are paying millions to get hacked -- on purpose." An anonymous reader quotes their report: HackerOne, a San Francisco-based "vulnerability coordination and bug bounty platform," reports that it has some 800 corporate customers who paid out more than $15 million in bonuses to white-hat hackers since its founding in 2012. Most of that bounty was paid in the past two years, as companies have become more aware of their cyber vulnerabilities. Clients that have used the platform include General Motors, Uber, Twitter, Starbucks and even the US Department of Defense.
Google paid $3 million last year through its own bounty program, according to HackerOne's CEO Mårten Mickos, who touts his company's "turn-key" solution -- a platform which now offers the services of 100,000 ethical (and vetted) hackers. "With a diverse group, all types of vulnerabilities can be found," Mickos told TechRepublic. "This is a corollary to the 'given enough eyeballs' wisdom... they find them faster than other solutions, the hunting is ongoing and not happening at just one time, and the cost is a tenth of what it would be with other methods." And one of the platform's white hat hackers has already earned over $600,000 in just two years.
  • by Anonymous Coward

    10k to fix a bug that could destroy everything. The black market is still better.

    • by ls671 ( 1122017 )

      It has always been the same, technology or not; people with skills who use them according to their values. Send me the job offers, I might consider them...

    • What exactly is the story here? Companies, all of them put together, are paying millions for everything, I'm pretty sure the water bill from flushing after taking dumps is in the millions, and it wouldn't surprise me if Google spends $3 million on food every month.
      • by Anonymous Coward

        Admittedly, the only real news here is that this is an above board platform to connect such talent to organizations seeking such, as opposed to networking over IRC etc...

        You've got to admit that middlemen successfully making a buck usually signifies something or another... back in the day before guys like the L0pht crew you were more likely to end up under threat of arrest or sued than paid as a consultant.

      • What I find interesting is that a regular newspaper will write about this despite it being a highly technical topic. The readers of New York Post are regular citizens. This shows that software security and the hunt for bugs are becoming important enough to be presented to the broader public.

    • The black market will always pay better. If companies increase their offers, then the black market will increase them even higher. Although as the prices rise, the number of buyers on the black market will decrease.
      • This is an interesting question. We don't really know what will happen long term. One possibility, as you point out, is that black markets will always outpay any other market. Another possibility is that the ethical hacker community will become so large and strong that they will find all those same vulnerabilities and deliver them to the system owners before the black market gets to build exploits and use them for nefarious purposes. It takes just one ethical hacker who finds a critical 0day to deliver it t

        • That won't happen. A company that writes security vulnerabilities will continue to write them, thus providing an endless supply. Until something changes within the company, there will be a bountiful harvest for both black and white hat.
    • Given the ease of submission and speed of payment, a bug bounty can be very well worth it. On HackerOne, there is a hacker who made over $600,000 in two years with most of the individual bounties well under $10k.

    • by gweihir ( 88907 )

      Indeed. This is completely bogus. People doing it will go for the low-hanging fruit and if they find something really juicy by accident, they can easily make one order of magnitude more money on it. Nothing more complicated will ever get reported to the company. This may also explain why the cost of this is 1/10 of other methods: It has far less than 1/10 of the results and is dangerous in addition.

      Now, a really competent security review will be expensive, but it will look at things like code quality, desig

  • A $3M expense from Google is not a considerable sum. They are cheaping out by only expending that little when you consider all data they store and are pseudo-responsible for.
  • I was a black box tester for nearly seven years. When I graduated from community college with an A.S. degree in computer programming in 2007, I wanted to get a job as a white box tester. Never got hired. Went into I.T. support and the rest was history.
    • by pnutjam ( 523990 )
      Do you mean "black hat", because when I read black box, I assume you are testing a device with no documentation. I'm not sure what a white box is, maybe well documented?
      • Do you mean "black hat", because when I read black box, I assume you are testing a device with no documentation. I'm not sure what a white box is, maybe well documented?

        Black box testing is testing something without knowing how it works inside. White box testing is testing something while knowing how it works inside. Grey box testing is a mixture of the two, say, a device with an exposed API that doesn't document the internal workings.

        • by pnutjam ( 523990 )
          OK, if nobody would hire you for "white box", why couldn't you continue "black box" testing with responsible disclosure? There is a lot of money in that.
          I was confused because you indicated an inability to break into the industry and assumed you misspoke, trying to indicate that what you were doing was unsanctioned and not necessarily legal.
          • OK, if nobody would hire you for "white box", why couldn't you continue "black box" testing with responsible disclosure? There is a lot of money in that.

            My black box testing experience was six years as a video game tester and lead video game tester, six months as a software tester for a virtual world and six weeks as a software tester for an ebook reader. Some hiring managers would find my experience "lacking" because none of it was a "mainstream" product. I didn't want to continue as a video game tester because all the local companies were moving to Southern California for the Hollywood convergence that never happened. Recruiters kept offering me positions in

      • by gweihir ( 88907 )

        white box = you have all documentation, accounts, technical authorizations, and access to people
        gray box = you have some of the above, often in limited form
        black box = you know how to reach the target systems

        Black box pen-testing makes no sense, since it wastes a lot of time. The only reason to do it is that with a limited budget, it may not find things, i.e. create a false sense of security that management can then escalate as a great achievement.

  • the same sense that the NBA is paying millions for basketball-playing.