$100M in bounties paid via HackerOne to ethical hackers

227 points| badRNG | 5 years ago |bleepingcomputer.com

120 comments

[+] guessmyname|5 years ago|reply
> $100M in bounties paid by HackerOne to ethical hackers

Not by HackerOne per se but the companies using the platform.

A better title would be “$100M in bounties paid to ethical hackers by companies via HackerOne”.

To be fair, the original message on Twitter reads much better than the title of the article:

> HackerOne is proud to announce that hackers have earned $100 Million in bug bounties by hacking for good on our platform.

I was on both sides of this: leading the security team at a company paying bug bounties via HackerOne and also reporting security problems to other companies as a freelancer. To be honest, the experience was always bad in both cases. I wasted several hours triaging bugs reported by “hackers” that often disregarded the conditions of our bug bounty program. People reporting the most trivial things and we would have to pay them anyway just to move on, otherwise they would end up ranting for days.

On the other side, as a bug bounty hunter, the experience is also awful. One of the biggest problems is the fact that you have no way to know if another person has reported the same issue, so you spend hours if not days documenting a vulnerability and creating proofs of concept (PoC), and it is only after your submission that you get a message saying “closed: duplicate issue”. Add to that all the back-and-forth trying to justify more complex issues that are slightly more difficult to prove without damaging the system you are testing.

I am glad so many companies and people are still onboard with this service, but I wouldn’t blame anyone for closing their account after all the bad experiences I had.

[+] nstart|5 years ago|reply
I've started handling the security inbox at Buffer now and we use a normal email approach. I can honestly say that the experience is pretty much the same and I feel like the issues you describe are independent of HackerOne (perhaps the scale increases?).

From my end, there are a lot of trivial things I have to go through where it's low effort on the researcher end (and I've even had automated searches where the researcher has sent mails to us assuming we'd have the same issue because of some similar HTTP header or something similar). Thankfully I've gotten faster at keeping these out but it still takes up more time than needed.

From the researcher end, I assume it's frustrating where they put in the effort to craft a well documented mail and I have to inform them that it's a duplicate or known issue that we are currently working on a fix for. It's a hard call and I'll often have to use a judgement call on these. But it's made harder still when I'll suddenly see an issue that has existed for a long time be reported by a single researcher. And then in a matter of two days 3 to 4 other researchers will pop up with the exact same issue, leading me to believe that either there are different accounts under the same name, or some kind of researcher group that works together in sharing findings (and maybe bounty).

Basically, I'm not sure how much this is a HackerOne issue vs a general bounty program pain ¯\_(ツ)_/¯

[+] update|5 years ago|reply
As a bug bounty hunter, I can attest to having an awful experience at times. The three companies I have worked with @ HackerOne have all taken forever to pay out or fix bugs. Currently, I have been waiting 4 months to be paid by a company on HackerOne, for a pretty dang high impact bug that leaves all their customers vulnerable; I checked today, & they still haven't fixed it, let alone paid out.

You also have to be aware of policy changes. I've noticed companies remove language that told how much they'd pay out. Some companies have a mandatory payout of 7-14 days but they are rare; with everyone else, you just have to hope they pay you, and they do, I guess... whenever they feel like it.

[+] thephyber|5 years ago|reply
> you have no way to know if other person has reported the same issue, so you spend hours if not days documenting a vulnerability and creating proof of concepts (PoC) and it is only after your submission that you get a message saying “closed: duplicate issue”.

Yes. I would say 2/3 of my reports were resolved this way. Sadly I can't fault either HackerOne or the company -- I don't see a viable alternative.

[+] twox2|5 years ago|reply
Same here. 90% of reports are from folks that didn't bother to read the terms and send in useless reports. As a researcher, I'd spend days chasing something down just to get $50 for my finding months later.
[+] codexon|5 years ago|reply
HackerOne has people screening reports that don't seem very technical.

They closed one of my reports for being a "denial of service" attack when it was a crash caused by malformed input. I've also heard of others having the same issue.

[+] dang|5 years ago|reply
We can fix that issue with the title with s/by/via/. Thanks!
[+] csours|5 years ago|reply
As contentious as reporting bugs can be during the development process, while working at the same company as the developers, I'm not at all surprised that ethical disclosure is terrible, especially with a monetary motivation.
[+] wnevets|5 years ago|reply
> People reporting the most trivial things and we would have to pay them anyway just to move on, otherwise they would end up ranting for days.

Sounds like these "hackers" have an incentive to be stubborn over non-issues.

[+] LMYahooTFY|5 years ago|reply
Is there a feasible way to ask an organization if they're aware of a vulnerability before you put in too much work on it? Can the query be ambiguous enough to avoid a free service rendered?
[+] rasz|5 years ago|reply
> “closed: duplicate issue”

cool, posting my PoC on pastebin then

[+] DoofusOfDeath|5 years ago|reply
> HackerOne is proud to announce that hackers have earned $100 Million in bug bounties by hacking for good on our platform.

(Tangent) Can anyone recommend a coherent interpretation of that statement?

I know what it means for an individual person to be proud. And I could see an argument for extending that notion to a group of persons if every person in the organization was proud.

But I assume HackerOne has had employees / members come and go over time. And I also assume that some of the past or current members don't share that feeling of pride for this particular milestone.

So the only interpretation I can think of is that the person writing the PR was being sleazily vague. I.e., trying to get the audience to take a sentiment that's only meaningfully applied to individual humans / animals, and getting them to unwittingly apply it to a brand name instead.

Is there a better explanation that eludes me?

[+] mjayhn|5 years ago|reply
This is a tangent but it's been fascinating watching the infosec community grow on Twitter. It makes me feel super out of the loop with a huge part of my field (I'm more dev/architecture but of course security is important). I kind of dove into it a tiny, tiny bit the last week. I figure with all this time at home for quarantine I might as well start playing in CTFs, etc. and hone some skills I'm so used to only using in a reactionary manner.

I'm honestly envious of their community and all of the tools they've created and tutorials and everything for newcomers. They've done a great job getting anyone who is remotely curious the ability to dabble.

When I was coming up as a sysadmin it was "rtfm."

Anyway, are people making lucrative careers out of bug bounties? What do these "infosec CEO" twitter people do day to day? Their goal is to hit bounties and sell pentesting/exploits I assume?

[+] chc4|5 years ago|reply
$100M is 1000 people getting paid $100k. $100k isn't a particularly good programmer salary, and is a very high bug bounty salary. From what I've heard, HackerOne/BugCrowd high earners basically just end up spamming as many companies as they can with web vulnerabilities like clickjacking that are low impact but everyone has, and live in very low cost-of-living areas like South America. It's a lot of repetitive hustle and not secure.

Infosec twitter people aren't the ones doing bug bounties. A lot of them are blue team cybersecurity, doing network engineering and IT, or do penetration testing for networks which is a different wheelhouse. Some of them might be reporting exploits to Zerodium/ZDI/other exploit brokers, but they keep a low profile and it is very different from "bug bounties".

[+] LeonM|5 years ago|reply
> Anyway, are people making lucrative careers out of bug bounties?

Not really, no.

Sure, the top 20 hackers on H1 do make a very decent living (you can listen to the story of Dawgy-G on Darknet Diaries ep60 about that). But realistically, if you are that good at it you can get paid much more doing a 'real' infosec job.

Bug bounty hunting platforms like H1 do give you the freedom to work whenever you want, wherever you want on your own terms. Basically gig economy.

Personally I do bounty hunting every now and then because I enjoy the learning experience from it. But looking at the time it takes me to discover a bug and write a detailed report only to receive a couple hundred USD for it, it really isn't worth my time in a professional sense.

I'd say I make about 25 USD/hour from it. Of course this is highly dependent on your skills. And it is also highly dependent on where you live whether 25 USD/hour is actually enough to make a living.

Sometimes you can get lucky and stumble upon a valuable bug and make a couple of grand for only an hour's worth of work, but most of the research you'll do will yield you knowledge, not money.

[+] Kalium|5 years ago|reply
> Anyway, are people making lucrative careers out of bug bounties?

I'm pretty sure a reasonable number are doing quite well for themselves after currency conversions. It would be quite challenging to replace a typical Bay Area security architecture salary with bug bounties, though. Few people are equipped to find and claim $10k+ bounties twice a month, every month.

[+] lowdest|5 years ago|reply
>They've done a great job getting anyone who is remotely curious the ability to dabble.

Any suggestions where to start? I'm several years out of the scene and would love to be reacquainted.

[+] arkadiyt|5 years ago|reply
> Anyway, are people making lucrative careers out of bug bounties?

There's a strong power law distribution - the top folks make a lot of money (say, > $500k/yr) and then it quickly drops off from there.

[+] marinhero|5 years ago|reply
I've seen and experienced that too! I follow a bunch of members of the community and seeing all the support they have for newcomers and people of color makes the field even more attractive to me. Kudos to them!
[+] jamez1|5 years ago|reply
Seems a bit funny, the top scorers didn't have a few massive bounties, but many many little ones. Both of these accounts made most of their hits on Verizon. To get those kinds of rates it's probably the same type of flaw present in many places of the system.

It's questionable if these companies are getting massive value for money if most of the bugs are oversights rather than intricate flaws in a bespoke process.

https://hackerone.com/try_to_hack?filter=type:bounty-awarded

https://hackerone.com/mlitchfield?filter=type:bounty-awarded

[+] vmception|5 years ago|reply
I feel that bug bounties are still undervalued, and the market is still inefficient because the prices are unilaterally set by companies.

The only other publicly disclosed signals for market price come from third party companies and state actors.

The other signals are not public and hard to quantify, they come from trying to weaponize and monetize exploits yourself. This results in potentially incurring various forms of liability, or reducing that by selling information to a different broker, who will eventually find someone to weaponize or monetize a piece of the exploit. This part is a much more efficient market, but it is not vertically integrated.

The prime bug bounties seem to be trending upwards in value, with the bottom being crowded and with non-serious companies testing the waters.

Does anyone have any ideas to make the value of bug bounties be more dynamic and elastic, trend upwards towards their true value inline with the growth of the sector?

[+] AmericanChopper|5 years ago|reply
I see bug bounty programs as just being another example of InfoSec charlatanism. People do bug bounties because InfoSec people say you should do bug bounties, and not doing what InfoSec people say you should do implies some sort of malfeasance. But the value of them is remarkably questionable. For starters they are absolutely not a replacement for pen testing; having a bug bounty is not a sufficient substitute for any of the pen testing that you should be doing. The bugs you have reported are also typically of incredibly low value. Most of the reports you get through bug bounty programs are just the output of open source scanning and static analysis tools. You get no-effort reports for things like frame-able content and “your mobile app has a dependency, which has a dependency, which was compiled with marginally sub-optimal flags”. Actually valuable reports do make it through, but I seriously doubt having a bug bounty program is more effective than publishing a security email address on your website. They’re mostly just spam generating services that invite people to try to pressure you into coughing up some money for largely trivial nonsense.
[+] tptacek|5 years ago|reply
There are several other important price inputs to this market, including scanning services (thousands quarterly) and consulting penetration testing (tens of thousands annually). Most companies that offer bounties have also had pentests done; nobody believes that pentesters are underpaid (though maybe they should).

The reality is probably that 80% of the vulnerabilities disclosed on bounty platforms just aren't worth that much. Certainly: companies that lack security expertise but manage bounties tend to radically overpay bounties; I'd of course be curious to see a breakdown of that $100MM by bug class.

[+] cosmodisk|5 years ago|reply
"reducing that by selling information to a different broker, who will eventually find someone to weaponize or monetize a piece of the exploit" This has become the standard way of monetisation for the more capable ones who don't want or don't see the point to do the crime itself. ATM skimming kits, carjacking kits, etc. The problem is that security is not rewarded at all. Even a top level expert with very deep knowledge gets peanuts in comparison to the cost businesses incur when they get hacked.
[+] Taniwha|5 years ago|reply
Obviously there's a way to make the market more efficient: let black hats compete to purchase exploits on the same platforms... of course that's likely illegal, for good reason. Instead we have two markets with only a few people playing in both, so price signals are likely weak.
[+] contravariant|5 years ago|reply
I don't think it's entirely fair to say there is no competition in this market. In the end companies are still competing for a limited supply of ethical hackers. Except that it is a bit of an unusual market, since both sides are operating with very limited information.

Perhaps it will become more stable when people realise you can sell negative results as well (either implicitly by cooperating, or through an actual market). Anything that can bridge the gap between hackers wanting to get paid for their efforts and companies wanting to pay for results would help.

More volume would also help, in the end it's hard to sustain a whole industry on just tens or hundreds of millions per year.

[+] kerng|5 years ago|reply
As a company you should do bug bounties, but in addition to, not as a replacement for, doing your own testing.

The reason: bug bounties fundamentally favor the companies that sign up. They pay next to nothing for getting a lot of eyes on their site, and here and there a valuable find will be made.

Rewards should probably be much higher, like 10x I think, to attract better researchers.

Also, the latest invention of private programs, where testers aren't even allowed to talk about it or share finds afterwards, is a joke as well - it's all just in favor of the companies. They basically buy the researchers' silence, e.g. they can dismiss a find and not pay and just say oops, duplicate.

For someone skilled and interested in infosec there are better ways to make money.

[+] wp381640|5 years ago|reply
Make your program private, increase your bounties 3-5x, put in a $1k+ first bug report bonus and invite in people who have previously reported good and/or well documented bugs, and you'll save time and get a lot more out of it.

These free-for-all bug bounty programs are a drain on resources that could be better spent elsewhere.

The real value HackerOne and similar should be providing is filtering out the time-wasting reporters and the vendors who slow-roll on reports - but they do neither of those.

[+] lawnchair_larry|5 years ago|reply
This is correct in theory but not in practice. Commodity bug bounties have become somewhat of a failed experiment. For most companies, they cost more than they are worth, and that cost doesn’t even come from the reward payout.
[+] ngneer|5 years ago|reply
The missing figure is how many hours those hackers spent. Most of the companies that were on HackerOne when last I checked are using the platform as a kind of a substitute for contracting with a pen test firm. Things like "will you break my website". With bug bounties, the payout is only for vulnerabilities found, not for analysis effort, and therefore one has to carefully weigh the expectancy. I think that vulnerabilities found is the wrong metric for the industry, because it is really downstream of the true desire. If anything, the metric should be complexity removed. Prove that you made the system simpler.
[+] dpeck|5 years ago|reply
"ethical hacker" is such a trash term.
[+] tim44|5 years ago|reply
Agree. And the term "hacker" has been driven through the ground and back up so many times it's lost and changed meanings. Now "I got hacked" is akin to "the dog ate my homework" or "I gave someone my password".
[+] lawnchair_larry|5 years ago|reply
For what it’s worth, nobody who actually works in security uses it, and they mostly cringe when others do. That and “cyber” are pretty good smell tests that you’re interacting with someone who is very out of touch.
[+] tptacek|5 years ago|reply
Yes. You should generally think less of companies that use it.
[+] hnick|5 years ago|reply
It's funny since this term is rising in popularity in recent years, at exactly the same time that "hack" seems to be becoming more popular in everyday use and losing some of its stigma. "IKEA hacks", "life hacks", etc.
[+] acoye|5 years ago|reply
Well in the philosophy problem space, ethics and morals are clearly a complex matter haha.

If someone’s ethics is to maximise chaos, then a full disclosure on 4chan is _technically_ the _most_ ethical action for this person.

[+] shacrw|5 years ago|reply
Curious to know, what's the term which people in the infosec community use then? Pen-tester? Cybersecurity researcher?
[+] darepublic|5 years ago|reply
What if I introduce security bugs only to be paid bounty on them later?
[+] cortesoft|5 years ago|reply
Are you asking what would happen if you defraud the company you work for?
[+] mhh__|5 years ago|reply
What if you put anthrax in a birthday cake?

It's still illegal. Besides, planting a bug and solving it would still involve faking version control records to insert the bug.

You might be able to get away with it once but the bean counters wouldn't let you fool them twice in that regard. Unless you had a guy on the inside etc. but it's turtles all the way down.

[+] saagarjha|5 years ago|reply
I believe that most platforms have restrictions barring you from submitting bug reports if you're affiliated with the company offering them.
[+] gitgud|5 years ago|reply
You would be an unethical hacker I suppose
[+] imtringued|5 years ago|reply
It would be more sensible to just report existing bugs via the platform instead of reporting them to the project manager.
[+] kleiba|5 years ago|reply
I can only hope you're not self-employed.