Companies Are Paying Millions For White Hat Hacking (nypost.com)
White hat hackers "are in very high demand," says PwC's director of cyber investigation and breach response, in a New York Post article titled "Companies are paying millions to get hacked -- on purpose." An anonymous reader quotes their report:
HackerOne, a San Francisco-based "vulnerability coordination and bug bounty platform," reports that it has some 800 corporate customers who paid out more than $15 million in bonuses to white-hat hackers since its founding in 2012. Most of that bounty was paid in the past two years, as companies have become more aware of their cyber vulnerabilities. Clients that have used the platform include General Motors, Uber, Twitter, Starbucks and even the US Department of Defense.
Google paid $3 million last year through its own bounty program, according to HackerOne's CEO Marten Micko, who touts his company's "turn-key" solution -- a platform which now offers the services of 100,000 ethical (and vetted) hackers. "With a diverse group, all types of vulnerabilities can be found," Micko told TechRepublic. "This is a corollary to the 'given enough eyeballs' wisdom... they find them faster than other solutions, the hunting is ongoing and not happening at just one time, and the cost is a tenth of what it would be with other methods." And one of the platform's white hat hackers has already earned over $600,000 in just two years.
Payouts are garbage, though (Score:1)
10k to fix a bug that could destroy everything. The black market is still better.
Re: (Score:2)
It has always been the same, technology or not; people with skills that use them according to their values. Send me the job offers, I might consider them...
Re: Payouts are garbage, though (Score:2)
Re: Payouts are garbage, though (Score:1)
Admittedly, the only real news here is that this is an above board platform to connect such talent to organizations seeking such, as opposed to networking over IRC etc...
You've got to admit that middlemen successfully making a buck usually signifies something or another... back in the day before guys like the L0pht crew you were more likely to end up under threat of arrest or sued than paid as a consultant.
Re: (Score:2)
What I find interesting is that a regular newspaper will write about this despite it being a highly technical topic. The readers of New York Post are regular citizens. This shows that software security and the hunt for bugs are becoming important enough to be presented to the broader public.
Re: (Score:2)
Re: (Score:2)
This is an interesting question. We don't really know what will happen long term. One possibility, as you point out, is that black markets will always outpay any other market. Another possibility is that the ethical hacker community will become so large and strong that they will find all those same vulnerabilities and deliver them to the system owners before the black market gets to build exploits and use them for nefarious purposes. It takes just one ethical hacker who finds a critical 0day to deliver it t
Re: (Score:2)
Re: (Score:2)
Given the ease of submission and speed of payment, a bug bounty can be very well worth it. On HackerOne, there is a hacker who made over $600,000 in two years with most of the individual bounties well under $10k.
Re: (Score:2)
Indeed. This is completely bogus. People doing it will go for the low-hanging fruit and if they find something really juicy by accident, they can easily make one order of magnitude more money on it. Nothing more complicated will ever get reported to the company. This may also explain why the cost of this is 1/10 of other methods: It has far less than 1/10 of the results and is dangerous in addition.
Now, a really competent security review will be expensive, but it will look at things like code quality, desig
Millions is not always a lot (Score:1)
Not the best, and it's more than $300,000 / year (Score:2)
The summary says:
--
one of the platform's white hat hackers has already earned over $600,000 in just two years.
--
From that you got:
> So the world's best (or at least, best-paid) white-hat makes $150k/year?
Over $600K in two years is over $300K per year. No, that's not "the world's best paid white-hat". That seems to be how much one freelancer made from Hackerone - he or she may have made just as much from other avenues, and there is no reason to think this person is "the world's best-paid white h
Re: (Score:2)
The problem here is that this will not keep. There is definitely luck involved, and if this person was, say, working 80h weeks, then the compensation still sucks.
Not much luck over a two-year period (Score:2)
My team and I do something similar periodically. Our experience is that luck is a short term phenomenon in the face of skill. Daniel may happen to find something pretty good in the morning, while I don't find much until the afternoon. Zach might find two interesting bits on Monday, none on Tuesday; Immad finds one on Monday and one on Tuesday. Over the course of a few days, our performance tends toward what you'd expect from our resume. Luck is very short term, skill is the controlling factor over the cours
Re: (Score:2)
Luck is involved in the parts of finding things that others have not yet found and that hence give you a high payout. In particular, this gets progressively harder and the harder it gets, the lower the payouts. So while this person made $600,000 over 2 years, a repeat performance over the next 10 years or so is exceptionally unlikely.
An actually professional code security review does not depend on luck. It also does not try to maximize "bugs found". It looks at architecture, design, input validation, criti
Two different and complementary things (Score:2)
Code review and pentesting are two very different, yet complementary things. As you suggested, code review is likely to find a lot more, including things some people don't typically think of as "security" - points of fragility, for example. Code review is very useful, especially when done by people trained in security.
Pen testing *after* code review is also very useful. It isn't unusual for code review to have a lot of detailed findings. As an analogy, looking at the internals (code review) might find that
Re: (Score:2)
Very much so. And you can make a lot more as a gray-hat, with no risk of prison time. These people are basically a bit more advanced amateurs with big egos that exploit themselves.
Ten years too late... (Score:1)
Re: (Score:1)
Even with your 800 headhunters that you talked to 10 times a day for two years?
You need to work harder at misrepresenting my positions. How do you ever expect to get ahead in life as a Troll?
Seems to me you are extremely inefficient in your "energy expended" to results ratio.
That's because people are involved. If this was rocket science, 92 million Americans would have coal miner jobs.
Re: (Score:2)
Lying is lying dude. Trump does it.
Of course. He's a politician.
You do it.
I'm not a politician.
Your fat delusional reality is just one look in the mirror away.
I shave each morning. So what?
Re: (Score:2)
you're not qualified to comment on getting ahead. literally everything about you is below average but your weight. and you are proud of being our clown. good for you.
You sound like my mother. Good thing I stopped listening to her when I was a teenager. Otherwise, I would have committed suicide and the world would be a worse-off place than it is now.
Re: (Score:2)
And likely spoonfuls of prozac in the mornings and most definitely the anti-depressant of a 4k calorie diet.
I don't take anti-depressants. Never had, never will. My current diet is 1,500 calories per day.
Where you for example sit at work "waiting for a script" so you're on slashdot. Do you actually believe that? How's that script of yours doing?
I just finished re-writing the parser section of my Python script. It's currently grabbing, parsing and saving my 8,000+ comment history into a CSV file. This usually takes 30 minutes.
I believe you are a fat loser with no brains, so this is where you socialize.
I was at the Silicon Valley Comic Con 2017 this weekend, where I posted some comments on Slashdot in between events. Check out my William Shatner video from the sixth row at the City National Civic.
SVCC 2017 - William Shatner - The
Re: (Score:2)
I don't believe you are sitting there waiting for scripts 7 days a week. Or maybe I do. Is your title sr computer operator?
I have a regular job that pays the bills and I have my own company. It's not unusual for entrepreneurs to work seven days a week. I'm currently running a script pinging systems while listening in to a conference call at my bill-paying job.
[...] you are a fat fuck who has a chin on his chin [...]
That picture was taken four years ago and I didn't start my 1,500-calorie diet until recently. There are two types of people on Slashdot: the ones who see my picture and come back with "you are a fat fuck", and everyone else.
I bet when someone gets stuck next to you on a plane they ask to be moved.
I never had that problem. I'm heavy but I'm not wide.
Re: (Score:2)
Seeing a presentation about space is socializing? Gotcha. You know what I did? I went out to a restaurant then hung out with a bunch of girls at a k-pop karaoke. Today I decided to go to Italy for euro labor day for a week or two. Went online, booked the trip - gonna work remote for a bit. After 20 years of experience, I can do that without saving and planning, as it's going to cost just a few days' wages. Not quite a show by some unknown stripper in the evening gymnasts in vegas though. I'd need to save up for that. Till about lunch.
You're the asshat with the drinking and financial problems! No wonder you sound so bitter in your replies. You should really lay off drinking $3,000 per night on wine. It's not a healthy lifestyle.
Re: (Score:2)
Re: (Score:2)
Do you mean "black hat", because when I read black box, I assume you are testing a device with no documentation. I'm not sure what a white box is, maybe well documented?
Black box testing is testing something without knowing how it works inside. White box testing is testing something while knowing how it works inside. Grey box testing is a mixture of the two, say, a device with an exposed API that doesn't document the internal workings.
Re: (Score:2)
I was confused because you indicated an inability to break into the industry and assumed you misspoke trying to indicate that what you were doing was unsanctioned and not necessarily legal.
Re: (Score:2)
OK, if nobody would hire you for "white box", why couldn't you continue "black box" testing with responsible disclosure? There is a lot of money in that.
My black box testing experience was six years as a video game tester and lead video game tester, six months as a software tester for a virtual world and six weeks as a software tester for an ebook reader. Some hiring managers would find my experience "lacking" because none of it was a "mainstream" product. I didn't want to continue as a video game tester because all the local companies were moving to Southern California for the Hollywood convergence that never happened. Recruiters kept offering me positions in
Re: (Score:2)
white box = you have all documentation, accounts, technical authorizations, and access to people
gray box = you have some of the above, often in limited form
black box = you know how to reach the target systems
Black box pen-testing makes no sense, since it wastes a lot of time. The only reason to do it is that with a limited budget, it may not find things, i.e. create a false sense of security that management can then escalate as a great achievement.
Re: (Score:2)
Re: (Score:2)
You are welcome.
Re: (Score:2)
It can also be a "system security analyst" and a "software security analyst" or a lot more fuzzily an "IT Security Expert" or "IT Security Consultant". Of course, in a time where the BS term "Cyber" gets attached to anything, "Hacker" is actually a significant improvement.
Re: (Score:2)
At the cost-point they claim? They maybe have verified the email address for that ...
I suppose the headline is true... (Score:2)
...in the same sense that the NBA is paying millions for basketball-playing.