Uber can make anyone with a car and a smartphone a part-time cab driver.
Today, three West Coast startups are giving anyone with coding smarts—and good intentions—the chance to get paid handsomely while helping to fill the vast cybersecurity talent gap.
The companies—HackerOne, Bugcrowd, and Synack—are driving the rapid expansion of so-called bug bounty programs that offer rewards to ethical, or “white-hat,” hackers for rooting out and reporting flaws in computer software, hardware, and networks. And the rewards—occasionally gifts but usually cash—can reach as high as six figures for some of the most critical flaws.
“More than just your internal security team, you get the experience and diversity of hundreds of hackers all going after one target,” says Synack co-founder and CEO Jay Kaplan. “Plus, you’re utilizing the skills of a lot of people who have no interest in working full time for cybersecurity companies.”
This crowdsourcing model has added as many as 200,000 hackers to the undermanned cybersecurity workforce, making it a significant element in the security strategies of numerous small businesses and more than a few household brands.
Thirteen of the 24 largest technology sector companies in the Fortune Global 2000 have policies that include vulnerability disclosure programs to encourage hackers to find and report bugs. Seven of those offer bug bounties, including Apple, Google, and Microsoft. So do Starbucks, United Airlines, General Motors, and the U.S. Department of Defense. And, yes, Uber.
All work with one or more of the three companies. Customers pay them to oversee their bounty programs and to get access to their pool of hackers (or more politely, “independent security researchers”). Customers typically pay the bounties as well, although Synack, for one, provides that as a managed service. More noteworthy than who pays is how much: depending on severity, an average of a few hundred to a few thousand dollars for a single bug. Given the Ponemon Institute’s estimate that the average data breach in 2017 cost $3.62 million, it’s small wonder that the organizations adopting bug bounty programs view them as a bargain.
Count Shopify among them. The e-commerce platform for small retailers has paid out more than $700,000 in bounties (for about 700 bugs) since joining the HackerOne platform in April 2015 and is more than satisfied. “Bug bounties are an essential part of our security strategy,” says Peter Yaworski, the application security engineer on Shopify’s bounty program. “We get attention from top hackers—thousands of security researchers who’ve helped us build a more reliable platform.”