HackerOne CTO Alex Rice explained that the safest software firms are those with the highest bug bounties
If you want to find the safest software on the market, look for the companies posting the biggest bug bounties for hackers. This was one of the lessons given by cofounder and CTO of HackerOne, Alex Rice, on stage at WIRED Security. Rice urged the audience to “engage hackers in a meaningful and productive way”.
“We will all be better off the more we encourage hackers to use their creativity for good, rather than leaving them on the outside.”
The likes of Android, iOS and Chrome are posting huge bounties asking hackers to prove they can carry out a full takeover of devices. “If you care about security you should go buy a Chromebook right now,” said Rice. “But there are only a handful of these outliers.”
HackerOne was created as the first vulnerability coordination and bug bounty platform – it encourages hackers to find bugs in a company’s software, and then pays them for finding the vulnerabilities while reducing their personal risk. Rice is working to ensure companies are capturing the creativity of the hacking community, giving the example of opportunities missed in the past – like that of Samy Kamkar.
Kamkar had what all hackers have, said Rice, an “incredible curiosity for how tech works and can serve us”. “We need to leverage that incredible curiosity all hackers exhibit and make it a force for good.”
Companies have held up this progress because of their own security concerns, said Rice. Oracle has it built into its own terms that customers, despite having paid to use its products, cannot look for vulnerabilities within them.
HackerOne has been helping integrate hackers into the core security work carried out by the likes of Twitter. They have hackers working on everything from full software takeovers to internet of things vacuum cleaners and connected cars.
Rice said that after six months of working with them, a company typically ends up with 70 hackers on staff. By this stage, those hackers have found on average 99 vulnerabilities, 25 of which are critical.
“It’s a phenomenal example of taking that curiosity and applying it to learn in a constructive, safe manner. Organisations that do this long enough – beyond hackers just telling them about vulnerabilities – start getting them to work on software lifecycles. They have realised the earlier in the process you have hackers engaged, the better off you will be.”
Even the US Department of Defense is in the game – during its inaugural one-month-long bug bounty, 138 vulnerabilities were found. The first was found in under 13 minutes.
“I can’t think of a more valuable lesson from hackers.”