San Francisco — When even the Department of Defense has a “bug bounty” program to find and fix vulnerabilities before adversaries can exploit them, it’s not a stretch to say the concept of encouraging friendly hackers to try to crack an organization’s digital defenses is now a widely accepted security practice.
But the idea works much better when security managers open the gates to a wider set of hackers across a fuller range of their systems — a shift that takes greater trust and relationship building, said Justin Calmus, vice president of hacker success at HackerOne, at a Passcode event Monday on the sidelines of the RSA Conference.
“There’s a common misconception that hackers do not play by the rules,” said Mr. Calmus.
Concern that security researchers may sell what they find on the black market, Calmus said, ignores the fact that “we have hackers making upwards of $500,000 a year. Why would you risk that to go down [the black market] path?”
HackerOne helps companies set up and manage their bug bounty programs. The most successful ones, said Calmus, draw in a diversity of hackers, encouraging them to look across a wide variety of systems, and give them up-front information to save them time.
Not all hackers are interested in the same sorts of problems, a point underscored by Luke Young, a senior security engineer at LinkedIn who reports bugs through HackerOne’s platform.
When he was a teenager, Mr. Young looked to turn digital vulnerabilities into quick recognition and a cool t-shirt from companies he admired.
In college, he wanted to make money more efficiently, so he shifted to bugs that were unique and had a higher payout.
After college, he hunted occasionally just to stay sharp and challenge himself, meaning he would go after only very nuanced bugs.
These differing motivations lead security researchers to focus on different areas. Some hunt Web vulnerabilities, others look into network security and infrastructure security.
“When you combine all these different types of skillsets and you have such a large scope, your company’s risk profile drops significantly,” said Calmus.
Bug bounty hunters also live all over the world, with India and Brazil being sources of top talent. Attracting an international mix of researchers can be helpful in finding security gaps in localized versions of software and in having eyes on your systems all day, every day.
Cultivating strong relationships with a broad range of researchers increases the chances of getting early warnings. When Calmus worked on security for HR software company Zenefits, he once got a message at 2:00 a.m. from a bounty hunter who wanted to make sure he knew immediately about a vulnerability.
“It makes me feel really good to know that I have that relationship built that somebody can text me at any point in time … and they just have your back,” he said.
These relationships also can lead to good hires. Young landed an internship at LinkedIn as a teenager after he brought bugs to their attention. Finding application security engineers is notoriously difficult, but bug bounty programs help managers identify talented programmers and begin to court them — and bring them onto the teams that help secure software in the first place.