HackerOne

History

2022: Disconnecting users from Russia and Belarus

March 17, 2022 it became known that the international platform for the search for vulnerabilities HackerOne did not pay to Belarusian to the hacker $25 thousand. He was supposed to receive this amount for the found vulnerability under the program. Bug Bounty The company's policy is HackerOne explained by the fact that the hacker is in the sanctions zone. About this writes "" Businessman with reference to the account of the hacker in. Twitter

As reported, under the Bug Bounty program ("hunting for" bugs), companies pay a reward to hackers for found vulnerabilities in their information systems, services or applications.

Hackers from the sanctions zones cannot participate in financial transactions, so the rewards for the vulnerabilities they find will be redirected to UNICEF (UN Children's Fund). wrote on his Twitter Marten Mickos, CEO HackerOne

Mikos later clarified that the company sends hackers' rewards to the fund only after their consent. But HackerOne withholds payment to hackers from countries subject to sanctions (Russia, Belarus, etc.).

As of March 2022, all Russian and Belarusian hackers were removed from the HackerOne, confirmed independent expert on information security Denis Batrankov.

Under the Bug Bounty program, Yandex, Ozon, VK, Tinkoff Bank, etc., operate in Russia. Most of them offered payments through HackerOne. Researchers can continue to use this platform by registering an account with a person not associated with Russia or Belarus, admits the leading engineer CorpSoft24 Mikhail Sergeyev. In his opinion, HackerOne have no competitors in Russia.

Focusing on the development of the service precisely for Russia is a bad option. As of March 2022, we have few companies that allocate money for such services, the analogue should be international. emphasizes Mikhail Sergeyev

Yandex had separate projects on the HackerOne, but the company completely switched to its own service, "Hunting for Mistakes," a source familiar with the situation told Kommersant. VK is also looking for solutions and platforms to continue the Bug Bounty program.

Tinkoff said that after the suspension of HackerOne activities, the bank has no technical opportunity to continue the Bug Bounty program on this platform. According to him, Russian companies are considering a domestic analogue of HackerOne from Rostelecom.

The creation of a Russian platform for identifying vulnerabilities in state information systems is being discussed in the Ministry of Digital Affairs, the ministry said. Positive Technologies and Rostelecom declined to comment. The Russian IB company Positive Technologies wanted to launch such a platform in May 2022.

Difficulties in paying Bug Bounty fees harm not only researchers, but also companies and their customers - the level of user protection around the world is decreasing, says Kaspersky Lab chief technology expert Alexander Gostev.

Vulnerabilities should be searched continuously, only in this way can you reduce the potential risks of cybersecurity. Alexander Gostev believes

Russian "white" hackers are losing their earnings. Large Russian companies have rewards of more than $10 thousand for critical vulnerabilities found, said Andrei Naydenov, head of the Infosecurity a Softline Company security analysis unit. He also noted that in small companies and rewards are small, and in some they are absent altogether^[1].

2020: Ethical hackers hacked the Pentagon 12.5 thousand times

The HackerOne platform published the results of the work of the so-called ethical hackers, who for rewards find vulnerabilities in the IT systems of companies and government agencies. In 2020, as part of such campaigns, the Pentagon hacked about 12.5 thousand times, which was the highest among HackerOne participants.

The second place in the number of vulnerabilities was taken by the manufacturer of digital content Verizon Media, in whose systems found about 6.7 thousand shortcomings. About 4 thousand shortcomings were found in the products and systems of Mail.Ru Group. Moreover, these two companies launched their vulnerability search programs 2.5 years earlier than the US Department of Defense.

Ethical hackers hacked the Pentagon 12.5 thousand times

Unlike non-state companies, the US Department of Defense does not pay for the vulnerabilities found, but accrues points, which in total allow bug hunters to take part in similar closed programs and receive a generous reward. For comparison: Verizon Media pays an average of $400-500 for detecting one error.

An expert in the field of information security from Romania managed to earn the largest amount on HackerOne in the history of the platform - according to the results of 2020, the amount of remuneration received by him for finding vulnerabilities reached $2 million.

The IB-specialist Cosmin Iordache working under nickname inhibitor181 became the leader in earnings on the HackerOne platform specializing in testing of safety of computer systems. The community reported this on its Twitter account.

By the end of December, 2020 $82 million are paid to the hackers connected to the HackerOne platform in 170 countries in total. More than 6 million baghunters use the service, which is almost twice as much as by the end of 2019. They are looking for vulnerabilities on orders from 1700 government agencies and commercial enterprises.^[2][3]

2019: World's First Millionaire Baghunter

In early March 2019, HackerOne, a company developing a platform for finding vulnerabilities for money, introduced Santiago Lopez, a 19-year-old self-taught hacker from Argentina, who became the world's first millionaire baghunter. More details here.

Notes