<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0" xml:base="https://www.hackerone.com/">
  <channel>
    <title>From HackerOne's Former CEO</title>
    <link>https://www.hackerone.com/</link>
    <description/>
    <language>en</language>
    
    <item>
  <title>Maintaining the Intelligence Edge in Cybersecurity </title>
  <link>https://www.hackerone.com/blog/maintaining-intelligence-edge-cybersecurity</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Maintaining the Intelligence Edge in Cybersecurity </span>
    



    
        Marten Mickos
            Chief Executive Officer

<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Tue, 12/05/2023 - 09:10
</span>

            December 5th, 2023

            <p>The $300 million we have now paid out to ethical hackers not only reflects a decade of making the internet safer but also serves as a beacon to the brightest security minds worldwide. Those hackers form the world's largest assembly of ethical hackers, encompassing bug hunters, security researchers, penetration testers, source code reviewers, attack surface reconnaissance experts, and security leaders for hire.</p><p>The HackerOne community is the planet's most expansive human intelligence network dedicated to cybersecurity. These ethical hackers are indispensable; <a href="https://www.hackerone.com/reports/7th-annual-hacker-powered-security-report">70% of our customers credit their efforts for averting significant cyber incidents.</a></p><p>This is why <a href="https://www.linkedin.com/in/craighmartell/"><strong>Dr. Craig Martell</strong></a>, Chief Digital and AI Officer for the U.S. Department of Defense, came to DEFCON this year with a call to action: “I am here today because I need hackers everywhere to tell us how this stuff breaks.”</p><p>Dr. Martell was referring to AI deployments. At HackerOne, we both build them and break them. We have been deploying machine learning and, lately, <a href="https://www.hackerone.com/thought-leadership/responsible-ai">generative AI functionality</a> in our platform to make hackers more productive and customers more successful. <a href="https://www.hackerone.com/reports/7th-annual-hacker-powered-security-report">61% of ethical hackers plan to use and develop hacking tools using GenAI to find more vulnerabilities</a>. Many intend to specialize in the <a href="https://www.hackerone.com/vulnerability-management/owasp-llm-vulnerabilities">OWASP Top 10 Vulnerabilities for Large Language Models (LLM)</a>.</p><p>Two years ago, we ran our first AI red teaming exercise for a customer, <a href="https://blog.twitter.com/engineering/en_us/topics/insights/2021/algorithmic-bias-bounty-challenge">looking for algorithmic bias in one of the top social media platforms</a>. Today we are running another, evaluating whether a text-to-image AI feature can be made to produce unacceptable content. The results come quickly and are impressive, helping our customers contain the dangers of a generative AI deployment before they reach users.</p><p>This year, HackerOne has signed up leading AI companies as new customers, and existing customers are expanding the scope of their bug bounty programs to include AI deployments. With new source code being produced by Copilot and similar tools at rapidly growing rates, there is even more code to review and test for security vulnerabilities.</p><p>We make sure we are there to provide peace of mind at every step of the AI-empowered software development lifecycle:</p><ul><li><a href="https://www.hackerone.com/services"><strong>Security Advisory Services</strong></a> to set up a secure SDLC with security by design and defense in depth</li><li><a href="https://www.hackerone.com/product/code-security-audit"><strong>Source Code Security Audit</strong></a> at time of development</li><li><a href="https://www.hackerone.com/product/pentest"><strong>Pentest</strong></a> and <a href="https://www.hackerone.com/thought-leadership/ai-safety-red-teaming"><strong>AI Red Teaming</strong></a> at time of deployment and at regular intervals thereafter, to test the application and validate test coverage</li><li>Continuous <a href="https://www.hackerone.com/product/bug-bounty-platform"><strong>Bug Bounty</strong></a> testing to provide superior results over time</li></ul><p>The perennial shortage of talented testers is solved by using external security researchers who have gone through thorough vetting and skills testing.</p><p>Reflecting on the evolution of ethical hacking: the practice started in earnest when Microsoft, Facebook, and Google decided, a dozen years ago, to operate bug bounty programs in order to reduce their risk of breach. HackerOne was established to take the best of this practice out to the world.</p><p>We soon signed up Yahoo, Twitter, Uber, Snap, and General Motors as customers, to name a few. The Department of Defense hand-picked HackerOne to run Hack the Pentagon. Today the DoD's vulnerability disclosure program is the world's largest, with nearly 50,000 vulnerability submissions received. The vulnerabilities hackers find are of the exploitable type that would otherwise likely lead to compromises and data breaches.</p><p>We have reached the point where government requires this practice. Long a best practice in the <a href="https://www.hackerone.com/security-compliance/nist-vdp-control">NIST Cybersecurity Framework</a>, vulnerability disclosure is now mandated for U.S. federal civilian agencies. CISA coordinates the disclosure of, the hunt for, and the drive to mitigate critical and exploitable vulnerabilities. In March 2023, the White House stated, <em>“The Administration will encourage coordinated vulnerability disclosure across all technology types and sectors."</em></p><p>Once a novel practice favored by progressive tech companies, vulnerability disclosure is today a must-have for anyone who develops and deploys software. If you are not doing it, you are falling behind.</p><p>There is no security without humans working on it together, and there is no security technology that will not be empowered by generative AI. Human intelligence at scale is coming together with artificial intelligence at scale. The adversaries are moving fast. The defenders, moving together in larger numbers, have the opportunity to outmatch and outperform the threats.</p><p>At HackerOne, we have cultivated the world's largest community of security researchers, including pioneering experts on the weaknesses of AI deployments. We are empowering our hackers and customers with GenAI functionality. It's about the intelligence, both forms of it.</p><p>Marten Mickos<br>CEO, HackerOne</p>
      

            
            <a href="https://www.hackerone.com/blog/topic/ai-safety-security" hreflang="en">AI Safety &amp; Security</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/hackerones-former-ceo" hreflang="en">From HackerOne's Former CEO</a>
        
    

            <p>Defending your digital assets like no other, HackerOne stands as the undisputed champion in mitigating software security risks. We are celebrating $300 million paid out in rewards to ethical hackers for finding exploitable vulnerabilities that otherwise would have led to breaches costing billions. We are bringing human and artificial intelligence together.</p>

<p>We are here to give you peace of mind in a world without compromises.</p>
      ]]></description>
  <pubDate>Tue, 05 Dec 2023 15:10:55 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5292 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Why This Moment In Cybersecurity Needs Hackers To Protect All Software </title>
  <link>https://www.hackerone.com/blog/why-moment-cybersecurity-needs-hackers-protect-all-software</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Why This Moment In Cybersecurity Needs Hackers To Protect All Software </span>
    



    
        Marten Mickos
            Chief Executive Officer

<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Wed, 09/20/2023 - 08:16
</span>

            September 21st, 2023

            <p><em><strong>Originally published in </strong></em><a href="https://www.securitymagazine.com/articles/99798-why-this-moment-in-cybersecurity-calls-for-embracing-hackers"><em><strong>Security Magazine</strong></em></a></p><p>When the <a href="https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html">pandemic hurled us into a cybersecurity crisis</a>, some held out hope that things would eventually return to normal. By now we know those hopes were misguided, and the picture has only grown darker with time. <a href="https://www.weforum.org/agenda/2022/07/fraud-cybercrime-financial-business/">According to the World Economic Forum</a>, cybercrime now poses the greatest threat to businesses. Entire populations are at heightened risk, <a href="https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE5bUvv?culture=en-us&amp;country=us">with Microsoft finding</a> that nation-states are increasingly targeting critical infrastructure. Today's threat actors have attained a degree of sophistication that has boggled cybersecurity veterans, who struggle to keep up with their advanced and increasingly destructive methods.</p><p>Given this pressure to keep pace with cybercriminals, you'd expect organizations to make eager use of every cybersecurity tool at their disposal. And yet countless organizations continue to ignore one of the most effective and time-tested tools we have: the ethical hacker.</p><p>By 2023, I had hoped the global hacker community would be a widely accepted, routine part of every company's security toolkit, as mundane and uncontroversial as firewalls or security hygiene training. After all, hackers have been a respectable part of the cybersecurity world for nearly 30 years, ever since Netscape pioneered the first bug bounty program in 1995. In the years since, companies like Microsoft, Facebook, and Google have all implemented, and doubled down on, their own hacker-driven programs.</p><p>These tech giants are not the kinds of organizations known for willingly putting themselves at risk. Neither, for that matter, is the U.S. Department of Defense (DoD), which over the years has received more than 46,000 actionable vulnerability reports from a worldwide community of nearly 5,000 hackers. We are talking about some of the best-advised, best-fortified, most technologically advanced organizations, staffed by intelligent people who are highly incentivized not to screw things up for their employers.</p><p>Hackers are good enough for <em>them</em>. So why, after all this time, are so many still hesitant to trust hackers?</p><p>On one level, it's a branding problem: for too many, the term “hacker” still brings to mind people with malicious intent. However, <a href="https://www.computerweekly.com/news/252444563/White-hat-hackers-find-record-number-of-vulnerabilities#:~:text=White%2Dhat%20hackers%20have%20earned,of%20about%20200%2C000%20ethical%20hackers.">given how much hackers have contributed to the safety of the current cybersecurity landscape</a>, perpetuating this outdated image in 2023 is no longer just misinformed; it hinders the future safety of the internet. As <a href="https://www.gartner.com/en/newsroom/press-releases/04-12-2023-gartner-identifies-the-top-cybersecurity-trends-for-2023">Gartner</a> has pointed out, cybersecurity programs must be human-centric or they will fail.</p><p>Put otherwise: companies that don't make use of hackers are putting themselves at higher risk.</p><h2><strong>Why hackers thrive where technology fails</strong></h2><p>You can't plan for the things you can't know in advance. Yes, every sensible company tests its code before production, but many security vulnerabilities only exist once the code is actually deployed, running with real configuration, real integrations, and real data. Allowing an outdated fear of hackers to prevent you from getting a comprehensive picture of your security vulnerabilities is fundamentally irrational, and self-defeating. Real-life testing, the kind only hackers can offer, is indispensable. You simply cannot get the same results from any other method.</p><p>Secondly, there's the human element: where testing software can only find known unknowns, humans have the ingenuity to find the <em>unknown unknowns</em>, the vulnerabilities you wouldn't even know to look for in the first place. And because these hackers come from outside your organization, their sight is unclouded by the bias that builds from working on the same product month after month, year after year. This is no small thing in light of the fact that <a href="https://www.darkreading.com/application-security/misconfigurations-vulnerabilities-found-in-95-of-applications">95% of applications or systems have at least one vulnerability.</a></p><p>But potential bias isn't the only in-house limitation. There is also the fact that, <a href="https://www.crn.com/news/channel-programs/it-skills-gap-is-significantly-increasing-midmarket-survey#:~:text=When%20it%20comes%20to%20the,gap%20across%20IT%20and%20will">owing at least in part to the ongoing IT skills gap</a>, most companies do not have the personnel to accommodate the kind of continuous testing that true safety requires. The supply of hackers, on the other hand, is nearly unlimited: the worldwide community is so large that testing can be conducted continuously by a wide range of experts with different yet complementary skill sets.</p><h2><strong>Hackers get results</strong></h2><p>The potential results here are far from abstract.</p><p>For one thing, hackers will inevitably surface vulnerabilities that cannot be found by any other method. Also, hackers won't inundate your IT teams with the irrelevant and distracting false positives that are endemic to automated security tooling.</p><p>Fewer and fewer companies are still holding out on hackers: by now, their indispensability to security practices is the common consensus. According to a survey HackerOne conducted at RSA, 88% of cybersecurity professionals believe that ethical hackers can have a positive impact on cybersecurity. Among the holdouts, you continue to hear one common concern: that they don't want to have to find and coordinate the relevant hackers themselves. But this concern, too, is outmoded, as many companies now exist that can take care of all of this work for them.</p><p>All this would be important even if things were relatively calm in the world of cybersecurity. Cybercrime has entered its steroid era: the enemy is stronger than ever, and even a moment's lapse in vigilance can spell disaster for a company. If hackers were just <em>a third</em> as effective as long experience has demonstrated them to be, it would be malpractice not to make use of them. Hackers' research and responsible reporting have averted thousands of crises over the years and continue to do so. Don't let false, obsolete notions about hackers imperil your company's safety.</p>
      

            
            <a href="https://www.hackerone.com/blog/topic/hackerones-former-ceo" hreflang="en">From HackerOne's Former CEO</a>
        
    
]]></description>
  <pubDate>Wed, 20 Sep 2023 13:16:28 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5269 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Ethical Hacking: Unveiling the Power of Hacking for Good in Cybersecurity</title>
  <link>https://www.hackerone.com/blog/ethical-hacking-unveiling-power-hacking-good-cybersecurity</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Ethical Hacking: Unveiling the Power of Hacking for Good in Cybersecurity</span>
    



    
        Marten Mickos
            Chief Executive Officer

<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Mon, 09/11/2023 - 08:04
</span>

            September 12th, 2023

            <p>In an era where data breaches and cyberattacks dominate headlines, an unconventional approach to cybersecurity has emerged, challenging traditional notions of protection. Ethical hacking, also known as hacking for good, is rapidly gaining prominence as organizations seek innovative strategies to safeguard their <a href="https://aws.amazon.com/executive-insights/">digital assets</a>. The approach involves companies engaging skilled hackers to intentionally attempt to breach their systems, identify vulnerabilities, and fortify defenses.</p><p>On a recent episode of Amazon's “Conversations With Leaders,” <a href="https://www.linkedin.com/in/martenmickos/">Marten Mickos</a>, CEO of <a href="https://www.linkedin.com/company/hackerone/">HackerOne</a>, discussed the evolving cybersecurity landscape, the challenges organizations face, and the strategies they use to build robust security cultures.</p><p>Marten believes the essence of hacking for good lies in harnessing external hackers to identify vulnerabilities in web systems and mobile apps, so that companies can fix those issues before malicious actors exploit them. This “good force against bad force” approach promotes a proactive stance on security.</p><p>Ethical hacking represents a paradigm shift in cybersecurity philosophy. Instead of relying solely on reactive measures to counter threats, organizations embrace proactive and collaborative tactics. By welcoming skilled hackers into their ranks, they aim to detect weaknesses before malicious actors can exploit them.</p><p>Ethical hackers, often called “white hats”, operate with integrity and a robust code of conduct. Their mission is to expose security vulnerabilities and potential entry points within an organization's digital infrastructure. Unlike malicious hackers, ethical hackers use their skills for constructive purposes, ultimately enhancing the security posture of the organizations they engage with.</p><p>Hiring and retaining skilled security professionals remains a challenge across the industry. According to Marten, the solution is to create an environment where employees find meaning, autonomy, and opportunities for growth. A culture that nurtures career development and offers purposeful work can attract and retain top talent.</p><h2>The Hacker Community: A Vast Pool of Expertise</h2><p>A critical element that sets ethical hacking apart is its emphasis on collaboration. Ethical hackers often form communities that share knowledge, techniques, and best practices. These communities foster a supportive environment that encourages continuous learning and skill development. Organizations benefit not only from individual ethical hackers' expertise but also from the collective knowledge of the broader community.</p><p>Companies like HackerOne have built on this collaborative model, acting as intermediaries between organizations and ethical hackers. Organizations post bug bounties through the platform, rewarding hackers who successfully identify vulnerabilities. This incentivizes hackers to participate in uncovering weaknesses, creating a win-win scenario for both parties.</p><p>With so many potential security measures available, organizations struggle to prioritize their actions effectively. Marten recommends a risk-based approach that focuses on the essential actions aligned with business objectives.</p><h2>Fostering a Positive Security Culture</h2><p>While ethical hacking might sound counterintuitive, its value is increasingly evident. Data breaches and cyberattacks can result in significant financial losses, reputational damage, and legal ramifications. By investing in ethical hacking, organizations take proactive steps to prevent these scenarios. Identifying vulnerabilities before they are exploited can save companies millions of dollars in recovery costs and potential fines.</p><p>Marten draws parallels between cybersecurity and the airline industry's safety practices, with their emphasis on a blameless culture in which mistakes are treated as learning opportunities rather than causes for retribution. This promotes open communication and rapid issue resolution.</p><p>Marten believes that transforming security from a roadblock into an enabler of business growth is critical for a hacking-for-good approach to succeed. By promoting a positive view of security, organizations can encourage employees to participate actively in security initiatives. CEOs should set the tone by highlighting security's role in enabling business success.</p><p>Cybersecurity's asymmetric nature demands a different approach than the standard <a href="https://aws.amazon.com/executive-insights/podcast/">business practices</a> used in most organizations. Collaboration with external hackers lets organizations tap into an immense pool of expertise that can identify vulnerabilities quickly. This provides flexibility and rapid access to diverse skills, ensuring a well-rounded security posture.</p><h2>A Future of Enhanced Cybersecurity</h2><p>As the hacking-for-good industry gains momentum, it reshapes how organizations approach cybersecurity. The emphasis on collaboration, transparency, and proactive defense departs from the traditional reactive model. Ethical hacking is a testament to the power of harnessing skilled individuals for the greater good, using their expertise to strengthen digital defenses, safeguard sensitive data, and propel the cybersecurity industry into a new era of resilience.</p><p>In an increasingly interconnected world, ethical hackers are emerging as unsung heroes, leveraging their talents to prevent data breaches and protect the digital foundations of modern society. As organizations continue to navigate the complex realm of cybersecurity, ethical hacking stands as a beacon of innovation and a testament to the remarkable potential of technology when used for positive and transformative purposes.</p><p>To hear the full “Conversations with Leaders” episode, <a href="https://open.spotify.com/episode/51XdheXuj0pepaWgvOZuR9">click here</a>.</p>
      
            
                                                                                <a href="https://www.hackerone.com/blog/news-updates" hreflang="en">News &amp; Updates</a>
                    
    

            
            <a href="https://www.hackerone.com/blog/topic/hackerones-former-ceo" hreflang="en">From HackerOne's Former CEO</a>
        
    

            <p><em>Originally published on the <a href="https://aws.amazon.com/executive-insights/podcast/" target="_blank">Amazon Web Services Conversations With Leaders podcast blog.</a></em></p>
      ]]></description>
  <pubDate>Mon, 11 Sep 2023 13:04:22 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5268 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Prove Your Worth: How to Measure Cybersecurity ROI and Impress Your Board</title>
  <link>https://www.hackerone.com/blog/prove-your-worth-how-measure-cybersecurity-roi-and-impress-your-board</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Prove Your Worth: How to Measure Cybersecurity ROI and Impress Your Board</span>
    



    
        Marten Mickos
            Chief Executive Officer

<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Tue, 05/09/2023 - 05:47
</span>

            May 9th, 2023

            <p>CISOs often struggle to prove ROI from security initiatives when trying to secure buy-in from the board and prioritize budget. A recent survey of security professionals found that nearly a third remained unsure of how best to measure the effectiveness of security programs. When asked how they do measure success, the answers show how little consensus there is:</p><ul><li>Efficacy of security measures: 47%</li><li>Risk assessment (internal or external): 57%</li><li>Agility and speed of security teams' responsiveness: 56%</li><li>Financial savings estimated from avoiding risk: 52%</li><li>Estimated savings of reputational or customer-related impacts as a result of a security initiative: 50%</li><li>Absence of incidents or breaches: 45%</li><li>Discount on cyber insurance: 25%</li></ul><p>This is no surprise: it is very hard to measure the impact of <em>not</em> experiencing a breach.</p><h2>OneWeb and Booking.com: Cost-of-Breach Savings</h2><p><a href="https://www.hackerone.com/customer-stories/how-oneweb-safeguarding-its-assets-hacker-community">OneWeb</a>, a global communications company providing broadband internet access from low Earth orbit (LEO) satellites, measures success by highlighting in executive reporting the financial, reputational, or business damage that could arise if an identified vulnerability remained active. In some cases, the business value of HackerOne community findings has far exceeded the entire annual bug bounty budget. They group these savings into three categories:</p><ol><li>Resource savings for their internal team, which does not have to spend time threat hunting.</li><li>Financial savings from reducing costly third-party penetration testing.</li><li>Avoiding fines or customer reparations due to vulnerabilities that might otherwise be found too late.</li></ol><p>Booking.com takes a similar approach: by attaching a price to each vulnerability found through bug bounty, Head of Application Security Eric Kieling can showcase the significant ROI.</p><blockquote><p><em>“The bug bounty program is the highest ROI across all of our spend. It’s really hard to show ROI, but with bug bounty, I have a baseline. I can say, ‘This vulnerability was able to be found by someone outside the organization. Someone that was not authorized to access this system was able to access it.’ Even with vulnerabilities that are not within our program, bug bounty allows me to put a price tag on them. I can explain this business case and our stakeholders are able to prioritize bug bounty higher than other tools that also generate ROI.”</em><br>— Eric Kieling, Head of Application Security, Booking.com</p></blockquote><h2>Hyatt: Decrease Cyber Insurance Costs</h2><p><a href="https://www.hackerone.com/resources/bug-bounty-program/security-2020-quantifying-risk-tackling-cybersecurity-amidst-change">Hyatt</a> has used its security posture to bargain for a lower cyber insurance premium. Insurers know that a company with strong security practices is much less likely to be breached, so it makes sense to give such customers a discount on the premium.</p><h2>GitLab: Impact on Development and Production</h2><p>Another way to approach the problem, instead of focusing on what didn't happen, is to look at results in terms of what constitutes success in modern software development. All companies are becoming technology companies, and faster time to market and customer trust are key competitive advantages. Security programs must evolve to match the pace of modern business, enabling products to be released faster without being blocked by pentest schedules. <a href="https://www.hackerone.com/bounty/shifting-left-ethical-hackers-qa-gitlab">GitLab</a> focuses on the impact security has on development and production. They have made security part of everyone's role, with developers and security teams alike responsible for keeping their code and product secure. While every critical vulnerability reported through their program counts as a major breach avoided, they also recognize that results like a 58% decrease in valid critical reports for Server-Side Request Forgery are crucial to delivering more secure products, faster.</p><p>When it comes to bounty spend and results, most of our customers pay close attention in the early years of their program to how many high-severity and critical bugs are found, and measure success by the number and severity of the findings. After a program has been running for a few years, though, they see fewer reports, because those vulnerabilities have been fixed and developers have stopped introducing them in the first place. The measure of success then shifts to celebrating how few reports they receive, despite offering more lucrative bounties. This is the ideal position to be in: customers can afford to offer higher bounties for truly unique reports without necessarily making huge changes to their bounty pools.</p><p>We can't give you a magic formula for proving return on investment, but we continue to collaborate with our customers to tell the most compelling story about how security programs add value. <a href="https://www.hackerone.com/contact?utm_source=website&amp;utm_medium=blog&amp;utm_campaign=">Speak to one of our experts today</a> about how you measure success.</p>
      

            
            <a href="https://www.hackerone.com/blog/topic/vulnerability-management" hreflang="en">Vulnerability Management</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/hackerones-former-ceo" hreflang="en">From HackerOne's Former CEO</a>
        
    

            <p><em>The potential economic downturn challenges even the most successful organizations. Across the board, companies face headcount and budget cuts, and security teams must do more with less. This is the final blog in my series on how to get more security from your cybersecurity budget and demonstrate success to your leadership. If you want to talk more, <a href="https://www.hackerone.com/contact?utm_source=website&amp;utm_medium=blog&amp;utm_campaign=">speak to one of our experts today</a> about how you measure success.</em></p>
      ]]></description>
  <pubDate>Tue, 09 May 2023 10:47:38 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5244 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Make Your Cybersecurity Dollars Last Longer</title>
  <link>https://www.hackerone.com/blog/make-your-cybersecurity-dollars-last-longer</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Make Your Cybersecurity Dollars Last Longer</span>
    



    
        Marten Mickos
        
            Chief Executive Officer
      
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Tue, 04/18/2023 - 17:00
</span>

            
  
      
  
            April 18th, 2023

      
            <p>In my last <a href="https://www.hackerone.com/ceo/why-economic-downturns-put-innovation-risk-and-threaten-cybersafety">blog</a>, I examined why cybercrime increases during economic hardship and why innovation and vigilance are necessary to keep up. But how are organizations supposed to do this when every week I hear from CEOs and CISOs that they have to make increasingly difficult decisions over reducing headcount and budget? We recently surveyed security professionals and heard that over a third of companies made headcount and security budget cuts in the last 12 months. More expect to make similar cuts in the next 12 months.</p><p>At the same time, I hear organizations feel pressure to innovate to compete for reduced customer spending. From a technology point of view, this means more digital transformation and outsourcing, which comes with its challenges. According to the <a href="https://www.hackerone.com/resources/i/1487910-6th-annual-hacker-powered-security-report-12-2022/3">2022 Hacker-Powered Security Report</a>, reports for vulnerability types typically introduced by digital transformation saw the most significant growth, with misconfigurations growing by 150% and improper authorization by 45%.&nbsp;</p><p>The combination of reduced headcount, the introduction of new technology, and increased cybercrime results in organizations seeing their risk escalate. 
Sixty-seven percent of security professionals surveyed believe the reduced budget and headcount in security would negatively affect their ability to handle cybersecurity incidents.</p><p>Following conversations with leading security professionals, CISOs of some of the most secure organizations, and hackers who understand the outsider mindset, I have distilled the following advice for organizations looking to increase attack resistance without increasing spend.&nbsp;</p><h2>Harness AI To Do More With Less</h2><p>Among the main opportunities is the ability of AI to produce useful and well-written texts. Security teams produce a lot of write-ups, reports, and documents. Human oversight will always be needed to make such documents perfect, but now the drafting and heavy lifting can increasingly be outsourced to a chatbot. Cybersecurity vendors will bring untold numbers of AI innovations to bear in and around their products, and customers stand to benefit from them. The competition will be so fierce that prices for customers will remain low for a long time - an excellent opportunity for CISOs to do more with less.</p><p>However, reliance on automation and software won’t work without staffing to manage such SaaS offerings. CISOs will be forced to postpone necessary improvements of the cybersecurity posture of their company. They must buckle down and focus on only the most essential, trying to keep the lights on with solutions already deployed, and doing small experiments with new solutions where it is of critical importance. If a breach happens, all hell breaks loose.&nbsp;</p><p>I hear from CISOs that they want better but fewer choices. Often a security incident comes not from a bad actor but from buggy software or disgruntled employees. Why not engage the ethical hacking community to see the gaps in your security strategy? 
It's hard to know the benefit of your tools unless you test your attack surface.</p><h2>Manage Reduced Headcount Without Burning Out Staff By Effective Prioritization And Vendor Consolidation</h2><p>One of our customers recently told us that the bug bounty program they run is comparable to hiring four full-time pentesters. They spend $200K with HackerOne annually; if a full-time pentester salary ranges from $85-250K, based on experience and skill diversity, that could cost anywhere from $340K-$1M annually for a team with limited experience, diversity, and skillsets.&nbsp;</p><p>For significantly less outlay, companies can get access to a diverse range of expertise and knowledge. Hackers bring their outsider mindset to your system's defenses and let you know quickly where your vulnerabilities are and how you might remediate them. Hackers supplement your internal teams, reduce internal burnout, and make your organization more successful overall.</p><p>One customer I spoke to tripled their spend with HackerOne in order to save half of a bigger budgetary number - helping to reduce the pressure to cut headcount. By employing our crowdsourced model they could make significant savings on functions they had been outsourcing to traditional and more expensive vendors. Triage, security analysis, pentesting, and other services can today be obtained cost-effectively from a vendor of crowdsourced security services.</p><h2>Innovate Securely By Testing Throughout The Software Development Life Cycle (SDLC)</h2><p><a href="https://www.researchgate.net/figure/IBM-System-Science-Institute-Relative-Cost-of-Fixing-Defects_fig1_255965523">According to the Systems Sciences Institute at IBM</a>, the cost to fix a bug found during implementation is about six times higher than one identified during design. 
The cost to fix an error found after product release is then four to five times as much as one uncovered during design, and up to 100 times more than one identified during the maintenance phase. The cost of a bug grows exponentially as the software progresses through the SDLC.</p><p>HackerOne customer <a href="https://www.hackerone.com/customer-stories/how-ethical-hackers-help-watson-address-digital-risk">AS Watson</a> used hacker findings to build a new secure code training program for their development teams, monitoring the trends of vulnerabilities and leveraging them to build a training baseline to reduce risk. The training program has helped them increase the quality of the code and reduce vulnerabilities, shifting left as much as possible to secure the SDLC. Their CISO noticed a decrease in total valid reports over the years and reported lowered costs remediating issues in live environments.</p><h2>Reduce The Risk Of Cybercrime By Having An Outsider Mindset To Identify Security Flaws</h2><p>It’s riskier not to have an ethical hacking program than to run one. Getting breached or attacked is not a question of <em>if </em>but <em>when</em>. If the most risk-averse organizations are using hackers, you should be too. The U.S. Department of Defense (DoD) was a front-runner in realizing the need to have the outsider mindset protect national security. Since the launch of Hack the Pentagon in 2017, hackers have uncovered more than 45,000 vulnerabilities for the DoD.</p><p>You cannot find a replacement for humans when it comes to testing software, whatever additional tools you might use. Humans create problems in the first place, and criminals are successful because they harness the human mind. The solution needs to be human too. 
The hacking community far outnumbers the cybercriminals, and <a href="https://www.hackerone.com/resources/i/1487910-2022-hacker-powered-security-report-q4fy23/3">92% of hackers say they can find vulnerabilities scanners can’t.&nbsp;</a></p><p>A report on HackerOne is submitted every 2.4 minutes, and new customer programs receive an average of 4 high or critical valid vulnerability reports in the first month.</p><h2>Get A Better Understanding Of Where Risk Originates From By Practicing Transparency, Blameless Retros, And Open Learning As Things Unfold</h2><p>Being transparent about vulnerabilities is not a weakness and can positively impact your bottom line. Brands like <a href="https://news.microsoft.com/transform/hackers-hit-norsk-hydro-ransomware-company-responded-transparency/">Norsk Hydro</a> and <a href="https://www.techtarget.com/searchsecurity/feature/SolarWinds-CEO-Breach-transparency-painful-but-necessary">FireEye</a> demonstrated transparency and successfully overcame cyber incidents with their balance sheet intact. &nbsp;</p><p>We publish all our vulnerability reports. We recently received a report from a hacker about a vulnerability in a piece of imaging software we use. We’re not immune to the third-party software risk every company experiences, but we highlight our weaknesses as the best way to fix them. Disclosure has been a core value since we started this company. Organizations must get more comfortable opening themselves up to scrutiny. Sharing vulnerability information is how we build a safer internet and how you can build trust with your customers.&nbsp;</p>
      

            
            <a href="https://www.hackerone.com/blog/topic/hackerones-former-ceo" hreflang="en">From HackerOne's Former CEO</a>
        
    

            <p><em>The potential economic downturn challenges even the most successful of organizations. Across the board, companies face headcount and budget cuts, and security teams must do more with less. Over the coming weeks, stay tuned for more on this topic based on conversations with our customers and hackers about how to get more security for your cybersecurity budget and demonstrate success to your leadership.</em></p>

      ]]></description>
  <pubDate>Tue, 18 Apr 2023 22:00:00 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5235 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Why Economic Downturns Put Innovation at Risk And Threaten Cybersafety</title>
  <link>https://www.hackerone.com/blog/why-economic-downturns-put-innovation-risk-and-threaten-cybersafety</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Why Economic Downturns Put Innovation at Risk And Threaten Cybersafety</span>
    



    
        Marten Mickos
        
            Chief Executive Officer
      
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Thu, 04/06/2023 - 02:30
</span>

            
  
      
  
            April 6th, 2023

      
            <p>The tech sector breathed a sigh of relief when the Federal Reserve confirmed its bailout of Silicon Valley Bank (SVB). SVB's client base of big tech and scrappy startups would survive to do business for another day. However, this doesn’t mean the end of the tech industry’s troubles. Security experts have speculated in a <a href="https://www.darkreading.com/risk/svb-meltdown-cybersec-startups-access-capital">Dark Reading article</a> that the bank’s collapse potentially signals a slowdown in investment in cybersecurity startups: "Financial support in the form of lines of credit and venture debt is going to become much more difficult [for startups] to come by," said Rob Ackerman, founder and managing director of AllegisCyber Capital. "SVB was the leading source of that financing and with them gone, the slope of the hill for young startups just became that much more difficult."</p><p>A potential slowdown in investment in cybersecurity startups poses a risk beyond a financial meltdown: a lack of innovation in the security industry will drive down our overall resistance to attack. Had our HackerOne founders been unable to secure the funding that allowed HackerOne to grow to serve thousands of organizations - from tech enterprises and national governments to start-ups and banks - the internet would be a far less safe place for those organizations, and for the hackers themselves.&nbsp;</p><p>Cybersecurity needs innovation. We can’t afford to slow down; cybercriminals jump on opportunities like a financial crisis to find new ways to take advantage of cash-strapped businesses and individuals. Regulatory Data Corp said it saw an <a href="https://rdc.com/cybercrime/blog/cybercrime-in-recession/">average rise of 40%</a> in cybercrime for the two years following the last recession’s 2009 peak. 
The <a href="https://archives.fbi.gov/archives/news/pressrel/press-releases/ic3-2009-annual-report-on-internet-crime-released">FBI also noted an increase</a> in cybercrime during the same period. Cybercrime also increased during the Covid-19 pandemic, with <a href="https://www.interpol.int/en/News-and-Events/News/2020/INTERPOL-report-shows-alarming-rate-of-cyberattacks-during-COVID-19">Interpol</a> reporting a significant target shift from individuals and small businesses to major corporations, governments, and critical infrastructure.</p><p>Ethical hackers are our best solution to match the ingenuity and inventiveness of cybercriminals. And with organizations facing headcount and budget reductions, enormous pressure exists to do more with less. A full-time pentester could cost an organization as much as $250,000 a year. For the same price, you could get access to hundreds or thousands of hackers with a hugely diverse range of expertise, knowledge, and approaches to test your defenses. A hacker submits a vulnerability report to the HackerOne platform every 2.4 minutes, and 28.9% of our pentests receive a report within the first day of launch. New customer programs received an average of four high or critical valid vulnerability reports in the first month.</p><p>Bias and misconceptions still exist that including hackers in your cybersecurity strategy is risky. However, if the most risk-averse organizations use hackers, you should too. The U.S. Department of Defense became the front-runner in realizing the need for an outsider mindset to protect national security. Since the launch of Hack the Pentagon in 2017, <a href="https://therecord.media/defense-department-vulnerability-disclosure-ethical-hackers">hackers have uncovered more than 45,000 vulnerabilities</a> for the DoD.</p><p>Asking hackers to secure government organizations might have sounded crazy initially, but now the U.S., Singapore, and U.K. 
Ministries of Defense rely on hacker insights to strengthen national security. It’s once-in-a-lifetime ideas like this that we need to stay on top of ever-growing cyber threats. The ideas that will continue to secure investment dollars will be those addressing the most significant requirements organizations have: speed and cost. However, keeping up with cybercriminals while managing budget constraints might mean stepping outside of your comfort zone and testing something new. The comfort zone was created for your organization by vendors eager to have an easy source of high-margin revenue. Their margin is your opportunity to do things in a more efficient way and support true security innovation.&nbsp;</p><p><em>The potential economic downturn challenges even the most successful of organizations. Across the board, companies face headcount and budget cuts, and security teams must do more with less. Over the coming weeks, stay tuned for more on this topic based on conversations with our customers and hackers about how to get more security for your cybersecurity budget and demonstrate success to your leadership.</em></p>
      

            
            <a href="https://www.hackerone.com/blog/topic/hackerones-former-ceo" hreflang="en">From HackerOne's Former CEO</a>
        
    

            <p>A potential slowdown in investment in cybersecurity startups poses a risk beyond a financial meltdown: a lack of innovation in the security industry will drive down our overall resistance to attack.</p>
      ]]></description>
  <pubDate>Thu, 06 Apr 2023 07:30:09 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5231 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>The Only Solution That Scales With the Cybersecurity Challenge</title>
  <link>https://www.hackerone.com/blog/only-solution-scales-cybersecurity-challenge</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">The Only Solution That Scales With the Cybersecurity Challenge</span>
    



    
        Marten Mickos
        
            Chief Executive Officer
      
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Mon, 01/31/2022 - 10:48
</span>

            
  
      
  
            January 31st, 2022

      
            <p>Cybersecurity is stretched thin. We all know it, so why state it again?&nbsp;</p><p>Because cybersecurity is thinner today than yesterday. Because many keep repeating the same measures that don’t work. And because there actually is a solution.</p><p>Facts are undeniable:</p><ul><li>More cybercriminals today than yesterday, with more powerful tools than yesterday</li><li>More software today than yesterday - in every organization</li><li>Faster software deployment cycles than before, introducing software and new vulnerabilities faster</li><li>An increased dependency on third-party software - elevating software supply chain risks</li><li>As Zero Trust reminds us, no protective boundaries any longer</li><li>Budget sufficiency but staff shortage in every security team</li></ul><p>There is a solution. We can make software more secure. We can bring down cyber risk. This will improve employment safety for CISOs, CIOs and CEOs. Budgets don’t have to be doubled. In fact, within existing budgets we are already closing the gap.</p><p>No way! That’s what many will think. We need more budget! We are unable to hire more security experts! And if we add more software to automate security, we also add more work to ourselves and more digital attack surfaces that may be vulnerable.&nbsp;</p><p>Yet there is a solution - one that scales with the magnitude of the problem without adding to it.</p><p>The solution has been practiced at the Pentagon for the past 6 years with astonishing results. Over 20,000 software weaknesses have been fixed. Weaknesses that rogue states, cybercriminals, and other adversaries would have otherwise used to penetrate the Department of Defense. Singapore and the UK have followed. Inspired by this stellar success, the Cybersecurity and Infrastructure Security Agency (CISA) has mandated every civilian federal agency to run such a program. 
The private sector should too.</p><p>Since the founding of HackerOne, we have been building a solution that can scale to match the ever-growing challenges of cybersecurity, bringing relief to any organization that develops and deploys software.&nbsp;</p><p>We started with bug bounty programs. We expanded the category to cover all forms of hacker-powered security, delivering unparalleled value to all the leading tech companies and many enterprises, achieving astonishing business growth. From there, we are expanding the category again. Our hacker community may be the only thing in the world whose capabilities are growing faster than cybercrime.</p><p>Only an unbiased external expert - a hacker - can find the unpredictable situations - the unknown unknowns. Those are the weaknesses that get scored as critical vulnerabilities that must be remediated without any delay.</p><p>Ethical hackers represent a level of curiosity and ingenuity that no software tool can match. By enlisting the world’s largest and most powerful army of ethical hackers, there is no cybersecurity challenge we cannot rise to.&nbsp;</p><p>This is why we have been invited to help leading brands such as AT&amp;T, GM, Goldman Sachs, Hyatt, Nintendo, PayPal, Starbucks and so many others. There is no other way to find the most elusive software vulnerabilities. You need to enlist the world’s most creative hackers and security researchers.</p><p>This week, we are proud to announce a new funding round led by GP Bullhound, the European advisory and investment firm that has become one of the world’s most successful experts on how to scale a tech business. With their investment, we will accelerate the rate at which we make organizations secure.&nbsp;</p><p>Our new investor knows HackerOne is the clear market leader. They saw the stepping up to a new category and level of performance that HackerOne has undergone during the past 18 months. 
We have broadened our hacker-powered services to make productive use of the full range of skills that security researchers and ethical hackers possess. Pentests and retests are good examples. We are building out our software platform to help organizations manage the risks associated with their digital attack surfaces. We are investing in vulnerability intelligence in order to provide strategic advice to our most demanding customers. We have built out our customer and hacker success functions to make life easier and more productive for those we serve.&nbsp;</p><p>Going forward, we will keep raising the bar for ourselves in order to provide our hackers even more opportunity to be useful. Customers will be able to get more done through HackerOne with little overhead.</p><p>With the new funding, we will play a still stronger game, serving the world with a cybersecurity offering that scales to the full extent of the problem. Given we have been operating at cash flow neutral level for some time, we have a balance sheet and an economic model of unparalleled strength. Call us old-fashioned, but we very much care about capital efficiency.</p><p>Today we serve the world’s most discerning customers in use cases such as digital transformation, enterprise assessments, and directed testing. We operate vulnerability disclosure and bug bounty programs for the leading tech companies of the world. We perform pentests and challenges for anyone who needs to know the state of security of their software.</p><p>Every week, we deliver thousands of triaged and prioritized vulnerability reports to our customers. Vulnerabilities may sound like bad news, but this is the sort of bad news that becomes good news. For every vulnerability we find, a potential data breach is averted. The return on that investment is enormous. And the model scales.</p><p>For customers wishing to reduce the risk of cyberattack, there is no solution as powerful as the one HackerOne offers. 
We live in uncertain times, but HackerOne is not uncertain about its vital role in bringing down the risk of cyber attack for anyone whose business is digital.</p><p>Marten Mickos<br>CEO, HackerOne</p>
      
            
                                                                                <a href="https://www.hackerone.com/blog/news-updates" hreflang="en">News &amp; Updates</a>
                    
    

            
            <a href="https://www.hackerone.com/blog/topic/hackerones-former-ceo" hreflang="en">From HackerOne's Former CEO</a>
        
    
]]></description>
  <pubDate>Mon, 31 Jan 2022 16:48:29 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5130 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Time to Issue Your Own Cyber Executive Order</title>
  <link>https://www.hackerone.com/blog/time-issue-your-own-cyber-executive-order</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Time to Issue Your Own Cyber Executive Order</span>
    



    
        Marten Mickos
        
            Chief Executive Officer
      
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Fri, 09/10/2021 - 08:13
</span>

            
  
      
  
            September 20th, 2021

      
            <p>Time is not kind to the security of an organization. The longer you wait, the weaker you are. The more things drag out, the higher the risk of breach. Delays in responding to threats, incidents, and compromises mean exponential cost increases.&nbsp;</p><p>Your organization doesn’t have to be completely secure (which is not even possible), but it has to be more secure than the other targets of the adversary. You must make it unattractive or at least very costly for anyone to try to compromise your digital systems.</p><p>On May 12th, 2021, the United States President issued an executive order on improving the nation’s cybersecurity. The order instructs the federal government, among other things, to increase information sharing and collaboration, modernize cybersecurity, enhance the security of their software supply chains, and standardize the playbook for responding to cybersecurity vulnerabilities and incidents. Uniformly, leading experts on cybersecurity have lauded this executive order.</p><p>We can all learn from the U.S. government on this issue. Audit or cybersecurity committees of corporate boards should ask their CEOs how they will react to the changing landscape of cyber threats.&nbsp;</p><p>CEOs should work with their CIO and CISO on an organizational Executive Order on improving the company’s cybersecurity. An Executive Order is not a detailed cybersecurity plan or budget (already established by the company’s security leader) but a call to action for the entire company, stating the priority and urgency of improving cybersecurity controls and securing the funding for such initiatives.</p><p>Supply chain security serves as a poignant example. It is a well-known area for any cybersecurity leader. 
But on a corporate level, supply chain security is often a forgotten and underbudgeted topic about which the CEO and the Board know little.&nbsp;</p><p>The data breach in 2013 of a large retail chain, committed through the systems of their HVAC supplier, was an early warning of supply chain risk. The recent SolarWinds breach is a devastating example. It became not an isolated case of one IT system vendor being compromised, but a national affair with over 18,000 of their customers being breached. These are frightening examples of supply chain security vulnerabilities, and there are more. No company is secure until the supply chain is secure. We must find the vulnerabilities in the supply chain and fix them.</p><p>When a risk grows higher or more imminent, decision-making must be quicker and more resolute.</p><p>Today, every company faces increased cyber risk — from nation-states, organized cybercrime, and rogue actors. All that’s valuable in society and business is stored in or operated by software. So that’s where the criminals go. They exist worldwide, and even when tracked and identified, criminals are difficult to apprehend. As owners and operators of digital systems, we must stop them before they strike, by making system attacks unattractive and expensive.</p><p>Read the entire&nbsp;<a href="https://web.archive.org/web/20210601150109/https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/">Executive Order on Improving the Nation’s Cybersecurity.</a>&nbsp;It is clearly written, and many sections are applicable to commercial corporations. Think about how security considerations change when application workloads increasingly run on public clouds. Learn about the Zero Trust model. Prepare to launch a Vulnerability Disclosure Program. Order an internal review of supply chain security. 
Adopt the NIST Cybersecurity Framework.&nbsp;</p><p>To repeat what has been said before, the need to make our digital society secure is urgent. Time is not on our side.&nbsp;</p><p>An Executive Order gives the entire organization unambiguous instruction on important initiatives. It is a way to get ahead of the curve and to play for the future. When we take cybersecurity seriously, we prepare for tomorrow, and we build digital trust with our constituents.&nbsp;</p><p>As we adapt to the pandemic and see global healing, all signs point to massive business growth across the economic landscape. It’s time to play cybersecurity offense and get our security posture in shape. Otherwise, tomorrow’s business opportunity will be captured by somebody else. Time is now.</p><p>Marten Mickos</p><p>CEO, HackerOne</p>
      

            
            <a href="https://www.hackerone.com/blog/topic/hackerones-former-ceo" hreflang="en">From HackerOne's Former CEO</a>
        
    
]]></description>
  <pubDate>Fri, 10 Sep 2021 13:13:26 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5097 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>There is no room for racism or inequality here.</title>
  <link>https://www.hackerone.com/blog/there-no-room-racism-or-inequality-here</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">There is no room for racism or inequality here.</span>
    



    
        Marten Mickos
        
            Chief Executive Officer
      
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Wed, 06/03/2020 - 09:52
</span>

            
  
      
  
            June 3rd, 2020

      
            <p>The merciless killing by police of George Floyd laid bare, once again, the institutionalized racism that plagues the USA. It is worse than racism. What we witnessed was white supremacy and institutional approval of violence against Black people. There are other alarming examples of structural racism and brutality around the world. Racism exists because collectively we allow it to exist.</p><p>When groups with power use violence against individuals lacking power, all human ideals break down. We are starkly reminded of the absolute necessity to never stop working for a better society.</p><p>At HackerOne we say No to racism. We are here to democratize opportunity across the world. We believe in the aspirations and possibilities of every human being. Hacker-powered security is proof that by working together across all boundaries we accomplish what otherwise would remain unachievable.</p><p>There is no room for racism or inequality here. Any belief in or inaction in the face of racism means lack of belief in what HackerOne is trying to accomplish.</p><p>We are not free from cultural biases or unconscious racism at HackerOne. We try to face these topics with an open mind, together. This means talking about racism, listening to each other, having our aha moments.</p><p>Our dream is a society built on respect and inclusion where every member is and feels safe to pursue their aspirations. Just as we hack software to make it better we must hack society to make it better. Injustice anywhere is a threat to justice everywhere. If we want to change society, we must start with ourselves. We must vote to empower the people who will carry out our mandate to eradicate racism from the fabric of our society.</p><p>But racists are counting on us to continue doing nothing. They are certain that before long, we will return to our blissful state of denial, where racism is somebody else’s problem.</p><p>We must disappoint the racists.</p>
      
            
                                                                                <a href="https://www.hackerone.com/blog/news-updates" hreflang="en">News &amp; Updates</a>
                    
    

            
            <a href="https://www.hackerone.com/blog/topic/hackerones-former-ceo" hreflang="en">From HackerOne's Former CEO</a>
        
    
]]></description>
  <pubDate>Wed, 03 Jun 2020 14:52:19 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">4965 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>$100 Million Paid - One Billion in Sight for Hackers</title>
  <link>https://www.hackerone.com/blog/100-million-paid-one-billion-sight-hackers</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">$100 Million Paid - One Billion in Sight for Hackers</span>
    



    
        Marten Mickos
        
            Chief Executive Officer
      
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Wed, 05/27/2020 - 08:00
</span>

            
  
      
  
                



          

  

      
            May 27th, 2020

      
            <p>One hundred million is an enormous number. Today we celebrate with all our hackers the phenomenal milestone of a hundred million dollars in bounties. Hack for Good! Yet we should know that we are only getting going. The digital world is not safe and secure yet. Much more work awaits us. We have one hundred million more bugs to find.</p><p>As of May 26, 2020, HackerOne has paid out <strong>$100,000,000</strong> in rewards to hackers for their fantastic work in finding security flaws in software. Customers have fixed the holes, preventing cyber criminals from breaking in. Tens of thousands of ethical hackers all over the world have come together to harden our digital connected society. The one hundred million dollars they have earned in recognition of their creative work has paid for food, clothing, homes, vehicles, tuition, travel and pursuit of dreams long held. Software is better for the hackers and hackers are better for the bounties.</p><p>There is another 100 million number. We estimate that there are around <strong>100 million security vulnerabilities still out there in the wild</strong>. These are the holes through which criminals break in as they look to steal data, install malware, disrupt vital operations, distort facts or threaten democracies. It will take years to find and fix all those bugs. But it also will happen. Although it is early days, we can already see that hacker-powered security is an order of magnitude or two stronger than all the power of blackhats, criminals and nefarious nation states. Time is on the side of good hacking. When we pool our resources and defend ourselves together, there is no adversary that can outpower us.</p><p>So far in our history, HackerOne has delivered about 170,000 valid vulnerability reports to its customers. It is impossible to know exactly how many cyber breaches have thereby been averted but we can estimate that it is thousands or perhaps over ten thousand. With the average cost of a breach somewhere around $8 million, the savings are in the tens of billions.</p><p>Hacker-powered security has already made the world much more secure. And with three quarters of a million hackers signed up, we are making sure we have the capacity to keep finding vulns and helping customers even as the volume of software keeps increasing at a tremendous rate. With a community that size, we represent the creative and inquisitive power of around 65 quadrillion neurons. There is no cybersecurity challenge that a large group of human brains acting towards a common goal cannot tackle.</p><p>The international community of hackers is creating a movement the world hasn’t seen before. Hacking is a philosophy, a mindset, and a way of life. They are motivated by the challenge, learning, protecting information, helping others, financial benefits and simply doing good in the world. The professional benefits shine through in our <a href="https://www.hackerone.com/resources/reporting/the-2020-hacker-report">2020 Hacker Report,</a> with 44% saying they hack to help advance their own careers. In fact, I have a few predictions for what this community’s future holds.</p><ul><li>Within the next 15 years, we expect to have produced over 500 Chief Information Security Officers (CISOs) out of our hacker ranks. These skilled and motivated people will help reduce cyber risk in key commercial enterprises and government agencies.</li><li>As a result of their creativity and tenacity, we predict hackers will have earned $1 billion in bug bounties within five years, protecting companies and governments alike from persistent and ephemeral threats.</li></ul><p>With the COVID-19 crisis hitting the world, there are suddenly many more digital assets exposed to cyber threats, yet much smaller budgets to spend. How do you manage your security operations in such challenging environments?<strong> Defense must grow but costs must shrink.</strong> The answer is hacker-powered security. The best hackers in the world stand ready to help you. You get their full brain power, but you share the cost burden with other customers. What you pay is only the exact fraction that is serving you.</p><p>The return on investment (ROI) of this model is out of this world. Hacker-powered security has saved the world billions in cyber breaches that did not get to happen, yet it has cost only $100 million in bounties so far.</p><p>Let us today celebrate the bounties paid. The heroes in all of this are the hackers. They have learned their trade on their own. They are voluntarily helping companies, governments, you and me. Customers have paid them $100 million in rewards for their finds. That enormous amount of money has already started to change society. Smart people all over the world are seeing an opportunity that they previously did not have access to. Hacker-powered security is not only making the software applications of companies and governments more secure. It is also democratizing and spreading economic opportunity around the world to everyone with that particular type of curiosity and tenacity.</p><p>Hackers win, companies win, governments win —&nbsp;and we all win. With the vital help of hackers, we are on a path to building a digital civilization with privacy, safety, security and trust built in. When we hack for good, we will have a future we can depend on and thrive in.</p><p><br><em>Marten Mickos</em><br><em>HackerOne CEO</em></p>
      
            
                                                                                <a href="https://www.hackerone.com/blog/community" hreflang="en">Researcher Community</a>, 
                                                                                <a href="https://www.hackerone.com/blog/news-updates" hreflang="en">News &amp; Updates</a>
                    
    

            
            <a href="https://www.hackerone.com/blog/topic/hackerones-former-ceo" hreflang="en">From HackerOne's Former CEO</a>
        
    
]]></description>
  <pubDate>Wed, 27 May 2020 13:00:00 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">4960 at https://www.hackerone.com</guid>
    </item>

  </channel>
</rss>
