White hat hacking has entered the mainstream for the good of all.
“If you see your neighbor’s door is unlocked, you might say, ‘Hey, your door is unlocked.’ You don’t expect your neighbor to open up the door with a shotgun and try to attack you,” said Adam Bacchus, Director of Program Operations for HackerOne.
There was a time in the not-too-distant past when that kind of welcome was the standard response from organizations whose security vulnerabilities were discovered and exposed by infosec whistleblowers commonly known as hackers.
These days, some of the world’s largest organizations open their systems to white hats, or ethical hackers, inviting them to find system and product vulnerabilities or “bugs” before they can be discovered and exploited by others with criminal intent. Even the U.S. Department of Defense is in on the action, holding Hack the Pentagon, Hack the Army, and Hack the Air Force events.
“It’s gone from a place where people got thrown into jail or forced to do community service or forced to not use a computer for a couple of years, to a point where organizations are ready and willing to pay huge amounts of money (to find bugs),” Bacchus noted. “With Intel, I think their top bounty is $250,000. It’s crazy to see how much it has changed.”
In 2011, Dutch hackers Jobert Abma and Michiel Prins attempted to find security vulnerabilities in 100 prominent high-tech companies. They discovered flaws in all of the companies, including Facebook, Google, Apple, Microsoft, and Twitter. Dubbing their efforts the Hack 100, Abma and Prins contacted the at-risk firms.
While many firms ignored their alert, then-CEO of Facebook, Sheryl Sandberg, gave the warning to their head of product security, Alex Rice. Rice, Abma, and Prins became friends, and together with Merijn Terheggen founded HackerOne in 2012.
The following year, the company hosted a program encouraging the discovery and responsible disclosure of software bugs. The effort, funded by Microsoft and Facebook, was known as the Internet Bug Bounty project. In 2015, the company launched a Vulnerability Coordination Maturity Model to assess how well organizations handle vulnerability reports, setting a standard for the infosec community.
At the outset, bug bounties were modest: often just company swag such as hats or tee shirts, or perhaps a note of thanks. Today, when organizations look for white hat hacking parties to find and report vulnerabilities, they come to companies like HackerOne, who take over the administrative duties involved in coordinating bug bounty payments to hackers. To date, the white hats of HackerOne have identified and fixed over 50,000 security vulnerabilities, and the firm has facilitated payments exceeding $20 million.
The Making of a White Hat Hacker
Bacchus’s interest in hacking was sparked, in part, by watching a movie. “I saw the 1995 movie Hackers, and thought, ‘that’s so cool—they can take things and make them work in ways that aren’t supposed to.’ The whole mentality around curiosity, understanding how something works so deeply that you can pull it apart and put it back together in a way that’s completely unexpected,” he said.
“That sort of thing was really exciting for me and for a lot of hackers out there. That mindset enables hackers to look at software and pick it apart and find those vulnerabilities that maybe require some creativity or thinking about it from a different angle that you might not catch with your existing security processes.”
How, exactly, does an aspiring security researcher start their journey? “Not every single person can put on their hacker hat and say ‘I’m going to be a hacker’ and it just happens. It does require some work. That said, on average the top-performing researchers make 2.7 times more salary than a software engineer in their home country,” Bacchus stated. “In India, top researchers make 16 times the median salary of the local engineer, which is pretty crazy.”
Over the past few years, online academies such as Udemy, Simplilearn, and Coursera have begun offering white hat hacking courses. EC-Council offers a well-regarded Certified Ethical Hacker credential for cybersecurity pros. The course covers 340 attack technologies commonly used by hackers.
Bacchus speculates that 94 percent of organizations have no method for finding security vulnerabilities, creating a “huge, huge amount of scope” yet to be unlocked.
“As more organizations spin up these programs and more money flows into the industry, there will be more and more doors opening for hackers to take this on as a full time career.”
Inside the White Hat Hacking Mindset
There are common aspects of the hacker personality that are elemental to the makeup of any successful individual: desire, curiosity, and persistence. Yes, it’s true: hackers are just like you and me. Mostly.
Take Belgian white hat Inti De Ceukelaire, one of HackerOne’s top-rated researchers.
“I wasn’t good at video games and I was always looking for ways to game the system and to win the game without being good,” he told BOSS.
That curiosity very nearly ran afoul of an entertainment monolith when he searched for and found a way to use their game console to play games created by their direct competitor.
“I posted a blog post about it online and it got removed immediately,” he recalled. “I accidentally found the thing all the hackers were looking for without knowing anything about hacking.”
Because he did not make the exploit public, he sidestepped the threat of litigation. The misadventure brought him into the hacking community for good. He was 15.
A cash-strapped, music loving teen, De Ceukelaire was “playing around” on the Metallica.com website and found a software bug. He decided to make the band’s tour manager aware of his discovery.
“I was really afraid because in those days there was no responsible disclosure procedure,” he told BOSS. “I was terrified because Metallica has lots of money and I was still in school and they could sue me and my life would be over.”
A week after reporting the bug to the band’s management, they responded, rewarding De Ceukelaire with concert tickets, backstage passes, and a chance to sing backing vocals on one song. “It was really cool,” he recalled. “Then I thought, ‘I hacked Metallica! This is something I should keep doing.’”
In those halcyon days—a mere five years ago—organizations grateful for hacker help would respond with swag, and that was enough to delight many researchers.
“Most companies now don’t provide festival tickets or backstage passes, but they give a good chunk of money for it so I’m happy with that,” he added.
De Ceukelaire came into his own when jail was a heartbeat away for researchers, despite their intent.
“I’m a good guy. I don’t want to hurt anybody. I just like breaking stuff and helping people. That’s what HackerOne allows me to do without legal risks, which is awesome. I want to hack companies to help them, and it’s so rewarding to see that they finally learned to appreciate the work of ethical hackers. I love it.”