Starting out back in 2012, HackerOne has become one of the best platforms in the world when it comes to bug bounties, handing out millions in rewards and keeping people everywhere safe thanks to the many bugs discovered by white hats. We wanted to know more about HackerOne, about the ethical hackers that work with the company, the security landscape we all navigate, and more, so we had a chat with Lauren Koszarek, HackerOne Director of Communications.
Koszarek has led the company's communications efforts for over four years, and before joining HackerOne she handled security response communications at BlackBerry. With that introduction out of the way, let's learn more about the company that is changing the way the world sees hackers in TechNadu's interview with Lauren Koszarek.
TechNadu: HackerOne has grown a lot in the past couple of years. What do you think drove this growth beyond the company's notoriety? Are people now more concerned about cybersec than they used to be?
Lauren Koszarek: The perception of hackers is changing. With the frequency of cyber attacks swelling to new highs, companies and government organizations are realizing that in order to protect themselves online, they need an army of highly skilled and creative individuals on their side — hackers. The more organizations embrace the hacker community, the safer customers and citizens become.
In 2018 alone, hackers earned over $19 million in bounties on HackerOne, almost the entire amount awarded in the years prior combined. And while the most successful find it very lucrative, it’s about so much more than money. Many are finding career-building opportunities through bug bounties, with companies hiring from within the hacker community at a faster clip than ever before. Companies are utilizing bug bounty reports and hacker engagement as an enhanced resume of proven skills that will impact company goals and security efforts from day one.
Hackers represent a global force for good, coming together to help address the growing security needs of our increasingly interconnected society. The community welcomes all who enjoy the intellectual challenge to creatively overcome limitations. Their reasons for hacking may vary, but the results are consistently impressing the growing ranks of organizations embracing hackers through hacker-powered security—leaving us all a lot safer than before.
TechNadu: Are you seeing a lot of hackers changing hats these days? What is motivating them?
Lauren Koszarek: We view a hacker as one who enjoys the intellectual challenge of creatively overcoming limitations. Hackers are heroes; they are in it for the good, and there is more opportunity than ever before. While money remains a top motivator, there are other motivations including the opportunity to learn tips and techniques, “to be challenged”, career advancement, and to be part of the mission to protect and defend and to do good in the world. Overall, they want to improve and build upon their skill sets, have fun and contribute to a safer internet in the process.
TechNadu: Santiago Lopez managed to win over $1 million via HackerOne last year. Do you think the regular hacker can do bug bounties for a living, or was this a fluke? What's your advice?
Lauren Koszarek: We are increasingly seeing more of our hackers reach significant milestones as a result of their hard work and dedication. Santiago Lopez was the first hacker to surpass $1M, and just days later top hacker Mark Litchfield did the same, and other hackers on the HackerOne platform are not far behind.
With over $19M paid in bounties on HackerOne alone last year, there are tremendous opportunities for hackers with the skill and will. And bug bounty programs are creating opportunities across the entire globe for hackers. Top earners can make up to 40x the median annual wage of a software engineer in their home country.
We continue to find from our annual surveys of our Hacker Community that hacker training continues to take place outside of the traditional classroom. In fact, 81% learned their craft through blogs and self-directed educational materials like Hacker101 and publicly disclosed reports. For more data about the hacker community, check out The 2019 Hacker Report.
TechNadu: HackerOne has managed to strike deals even with the US DoD, which was quite impressive. Did they approach you, or was it the other way around and you were the ones with the idea? Do you hope for a repeat experience?
Lauren Koszarek: The U.S. Department of Defense has been a champion of hacker-powered security programs and a supporter of the hacker community for some time. HackerOne was first contacted by the DoD to conduct the first Hack the Pentagon program in 2016 as a pilot. The results far exceeded expectations, with 138 unique vulnerabilities identified and hackers earning more than $150,000 for their contributions.
Following the success of the pilot program, the U.S. DoD has awarded two additional contracts to HackerOne for persistent time-bound bug bounty programs and the U.S. DoD’s ongoing vulnerability disclosure program (VDP), which include public-facing assets, as well as time-bound bug bounty programs for more sensitive assets. Today, thousands of vulnerabilities have been reported through the global VDP, and the U.S. DoD has awarded over $500,000 to hackers who have reported valid flaws in the department’s public-facing systems. The second and third contracts with the U.S. DoD are still very much active.
HackerOne also partners with other government agencies globally, including MINDEF and GovTech Singapore, the European Commission, the U.S. General Services Administration and the United Kingdom’s National Cyber Security Centre.
TechNadu: Should youngsters nowadays be encouraged by their parents and teachers to start hacking responsibly? What are some key things they should learn to make sure they keep on the ethical path?
Lauren Koszarek: I think it’s awesome for parents to encourage their kids to hack; we can’t encourage it enough! HackerOne’s co-founders started hacking when they were as young as 13. Today we see hackers as young as five reporting vulnerabilities to companies, with a little help. Today, over 50% of our community is under the age of 24, and they are actively reporting bugs and earning bounties. Young people are the future of security and, as curious digital natives, they are proving to be tremendous hackers.
There are great free tools available to aspiring hackers today, such as Google Gruyere and Hacker101, as well as HackerOne’s Hacktivity with thousands of publicly disclosed reports to learn from.
TechNadu: In today's society, is hacking still a "dirty" word, in your opinion? Have views shifted among the masses?
Lauren Koszarek: Most dictionaries and pop culture mistakenly define “hacker” with a malicious connotation, and that needs to change. In 2018, 70% of IT pros wanted the Cambridge dictionary definition of a hacker changed to show hackers in a favorable light. Currently, it defines a hacker as "a person who is skilled in the use of computer systems, often one who illegally obtains access to private computer systems". Compare that with the more accurate definition MIT uses: “One who enjoys the intellectual challenge of creatively overcoming limitations.”
However, we do see the perception of the term ‘hacker’ changing, especially in recent years.
Nearly two-thirds of Americans (64%) think not all hackers act maliciously, according to a recent HackerOne survey of 2,000 Americans. Meanwhile, 82% of Americans believe hackers can help expose system weaknesses to improve security in future versions. Millennials (ages 18-34) are most likely to believe that hacking is a legitimate profession (57% vs. 31% of those aged 35+).
As US presidential candidate Beto O’Rourke recently stated: "The hacker mindset could be very helpful to society. Hackers describe the world as it really is, not how it's supposed to be."
With ethical hacking on the rise, hacking is starting to earn its place as a legitimate profession. Santiago Lopez, for example, became the first teenager to earn over $1M hacking ethically this year.
TechNadu: What do you think is the bug with the highest impact to ever be discovered via HackerOne?
Lauren Koszarek: Over 120,000 valid vulnerabilities have been reported to organizations on HackerOne. Nearly 20,000 of those were critical or high severity vulnerabilities, so it would be impossible to just pick one. Every bug discovered and reported through HackerOne is important because it was previously unknown, unresolved, and open for exploitation.
In 2017, a technology company paid $75,000 to a hacker for reporting three unique vulnerabilities that, when chained together, produced a remote code execution (RCE) that required no user interaction to exploit. The exploit chain could have allowed an attacker to steal credit card information, deploy mass ransomware campaigns, take over user accounts, attack employee accounts, and access infrastructure code. This is just one example of a critical finding reported by the skilled hacker community on HackerOne. Every time a vulnerability is safely resolved, we are all a little safer.
TechNadu: Some companies choose to create their own bug bounty programs, while others stick to platforms like HackerOne. Is either of these better than the other? What are some advantages and disadvantages, in your opinion?
Lauren Koszarek: With over 350,000 hackers registered and more than 120,000 customer vulnerabilities reported, working with a platform like HackerOne with an established community and track record is far easier. HackerOne’s hacker community is the largest in the world, making it easier for companies to attract top hacker talent for their programs. Many companies that launch programs on their own end up joining HackerOne to work with our fantastic community.
TechNadu: When it comes to cybersec, what do you think is the biggest threat we face nowadays?
Lauren Koszarek: Over the last 20 years, there has been an amazing growth in Internet connections and usage. Everyone and everything is going online. The world depends on the Internet. Ten years ago, it would've been unheard of that cars would download their software update over the air and install it themselves. Today, it's completely normal and we almost expect that every car we buy from now on will do the same.
With any advancements in technology, the attack surface for criminals grows too. Back in the day, when criminals needed money, they'd rob a bank. Now they can hack online games, a bank, an insurance company, even the stock exchange. If you wanted to take over a car, you had to physically steal it, rather than using the Internet. If a country is at war, they don't need to send in people to gather intelligence. They collect it over the Internet.
With technology innovations come new risks that weren’t fathomable pre-internet. Hackers are the immune system of the Internet. We need hackers to make sure the world can keep innovating and protect society.
TechNadu: The IoT industry is notoriously bad when it comes to security. Do you have any of these devices at home? What do you do to stay safe?
Lauren Koszarek: When shopping for IoT products, look for quality devices as you often get what you pay for. Cheap devices often take shortcuts to meet a lower price point, and security is frequently the first item that gets chopped.
Before you buy, understand how updates are handled and how often (and for how long) updates should be expected.
Lastly, consider the device's connectivity and if you need that feature. If you’re not going to use your smartwatch to switch on and off your smart light bulbs, or you don’t envision using your smart TV’s internet browser, consider disabling it in the name of security. I encourage you to review the settings to understand what’s enabled and shut down the connections you’ll never use.
TechNadu: What is the achievement you are most proud of, in your career?
Lauren Koszarek: At HackerOne we are on a mission to empower the world to build a safer internet. When I first joined the company in 2014, hackers had found just over 5,000 vulnerabilities and we thought that was a huge number. Today, that number is over 120,000 and it still feels like we are just getting started. Every time a hacker finds their first vulnerability they make the internet safer and build their resume at the same time. There is nothing more rewarding than watching the success of our hackers and getting to be part of their success story.
There you have it, folks! How do you feel about hackers these days? Let us know by dropping a note in the comments section below and please share the article online. Follow TechNadu on Facebook and Twitter for more interviews, tech news, guides, and reviews.