Hackers Averting Threats

Posted on by Marten Mickos

Hacking is here for good, for the good of all of us.

Over the past six years, over 1,000 data breaches have occurred globally. Each day, consumers fear the discovery of yet another data breach. The stakes are high: financial institutions, healthcare organizations, e-commerce companies, big-box stores, media companies—in essence, anyone relying on technology—can lose everything in a data breach. But some of the most recent breaches have one thing in common: they were detected, discovered and reported by good hackers.

Businesses that partner with hackers to discover vulnerabilities have a key advantage over those that do not. Ethical hackers think like attackers but act like defenders. Over half a million of these ethical hackers have willingly signed up to find vulnerabilities so that companies can fix bugs before they be criminally exploited. To date, over 140,000 vulnerabilities have been surfaced and fixed by hackers and customers on the HackerOne platform. The Department of Defense (DoD) alone has received over 12,000 vulnerability reports from hackers around the globe through their Vulnerability Disclosure Program (VDP), significantly reducing their risk of system compromise. No wonder the VDP run by the DoD recently won the prestigious DoD CIO Team Award.


As companies work overtime to push code, criminals work overtime to find ways to break in. The innovation that powers today’s technology has outpaced our ability to build a supportive security infrastructure. Companies that try to scale their security as fast as their growth will inevitably fail. Working with hackers allows you to provide security at the speed of innovation.

The only way to achieve digital security is to acknowledge that all software contains vulnerabilities, and that hackers have the skills and toolkit necessary to find them. When you ask external hackers to try to break in and report their findings, you get the best view possible of your digital attack surface. Or, to quote Joe Sullivan, CSO of Cloudflare, “Not running a bug bounty program amounts to cybersecurity negligence.”

The practice of listening to external security experts and rewarding them for their discoveries is gaining ground across industries, becoming a best practice for businesses and governments alike. The NIST Cybersecurity framework recommends ethical hackers, as do other similar frameworks by DoJ, DoD, UK’s NCSC and others. Companies such as IBM, Intel, Qualcomm, Goldman Sachs, General Motors, Hyatt Hotels, Starbucks, Lufthansa, Spotify, Twitter, Uber, Lyft, AirBnB, Salesforce and more have determined that hacker-powered security is a vital piece of a functioning security posture.

In its S1 filing for going public, Slack Technologies listed three pillars of their cybersecurity program:

  • Organizational security, including personnel security, security and privacy training, a team of dedicated security professionals, policies and standards, separation of duties, regular audits, compliance activities, and third-party assessments;
  • Secure by design principles by which we assess the security risk of each software development project according to our secure development lifecycle and create a set of requirements that must be met before the resulting change may be released to production; and
  • Public bug bounty program to facilitate responsible disclosure of potential security vulnerabilities identified by external researchers and reward them for their verified findings.

Tech startups, large enterprises and government agencies have all seen the writing on the wall. Cyberthreats are increasing, not decreasing. Technology is useful, but it cannot protect us. Staff shortage is chronic, and burnout is ubiquitous. But an enormous community of ethical hackers stands ready to help. They will look for vulnerabilities, review attack surfaces and conduct pen tests so that your organization can reduce their cyber-risk.

We are hacking for good!

Marten Mickos

CEO, HackerOne

Hackers & Threats


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs