Interview: Laurie Mercer, HackerOne

If you feel you have considered all of the options to hire people, why not consider those people who are actively and ethically seeking vulnerabilities in your company?

The bug bounty industry has become big business in recent years as disclosure laws have become more transparent and companies have become more receptive to vulnerability disclosure. Speaking to Infosecurity, Laurie Mercer, solution engineer at HackerOne, confirmed that customers’ bug bounty programs have actually resulted in the researcher being hired, and he was seeing bug bounty programs as a direct recruitment process.

According to the most recent HackerOne hacker report, about 12% of hackers on HackerOne make $20,000 or more annually from bug bounties, and over 3% of whom are making more than $100,000 per year. A quarter of hackers rely on bounties for at least 50% of their annual income, and 13.7% said that their bounties earned represents 90%-100% of their annual income.

Is there an ulterior motive of HackerOne’s customers to hire those that they work with? Mercer said that HackerOne does see customers build relationships with the hackers, and hackers are repeatedly on the same customer programs.

“From a recruitment aspect, Yelp realized this was a way to find talent as [the researchers] were people they typically couldn’t reach as they had not finished college or did not have security experience that gets them through HR screening,” he said.

“Recruiters can also see the report quality which speaks to a lot of companies about interacting in a corporate environment.”

So do HackerOne, who has 166,000 registered users, see this as a way of a company recognizing a way of hiring an individual without visible certifications and experience? Mercer agreed, saying that this model is challenging the cybersecurity skills gap “by finding an innovative way to find talent and matching talent to the need.” 

He explained that roughly two-thirds of its registered users are professionals undertaking penetration testing, and about 4% are students, while some do vulnerability research to build out their resumes.

HackerOne launched the Hacktivity feed to encourage companies to disclose who did what and the timeline of discovery, investigation, triage and remediation, and it has encouraged collaboration and learning with its Hacker101 initiative.

Mercer said: “We get messages from schoolkids telling us that they read our Hacktivity feed. A hacker named Jack Cable is using the bounty money to pay for college.”

Cable is a 17-year-old from Chicago who ended up with 200 vulnerability reports out of HackerOne’s top 3000, and Mercer said that he has since completed work experience and will be interning with the digital arm of the DoD soon.

HackerOne has subscriptions with customers who publish policies, and the 166,000-strong hacker community on the other side. “The hackers enroll to participate in a bug bounty or responsible disclosure effort, and that eventually gets to the customer and they are awarded with a bounty or we award them with reputation,” Mercer said. “In the middle we handle triage and community management.”

He explained that the reputation system is like a league table, where every time a hacker submits a vulnerability that is accepted, they are rewarded reputation points and similarly if they submit a vulnerability which is rejected, they lose reputation points.

So how easy is it to become a registered member? Mercer said to think of it like a pyramid: at the bottom there is someone who is curious who joins for interest in finding things and there are some programs they can submit on, and as they go up the pyramid there are people who have a known reputation. Higher up you get researchers who have additional vetting, who can work with private customers.

That additional vetting can include knowing more details about the hacker, including their address, but also checks on their legal background can come into play. Asked if having a criminal record is a problem, Mercer said that it really depends on the client, as “some see it as an advantage and poacher turned gamekeeper.”

In conclusion, Mercer was asked if he felt that increased exposure to ethical vulnerability research and customer engagement was better equipping a future generation of cybersecurity professionals? He answered that when hackers are able to interact with security teams at large government organizations or major brands it encourages them.

“We're all benefitting from the work of the ethical hacker community, because it's helping the overall security of the internet, but the opportunities provided by the companies that participate also helps encourage hackers, helps them build experience, and sometimes even get jobs as a result,” he said.

“I do think the growing popularity of vulnerability disclosure and bug bounty programs help encourage the next generation of cybersecurity professionals while also helping them build experience and skills earlier than they could before these programs existed.”

What’s Hot on Infosecurity Magazine?