In recent years, bug bounty schemes have become a popular method for companies to find the talent needed to discover and fix security flaws in their platforms and products.
With so many companies clamoring for the attention of a limited pool of skilled security professionals and enthusiasts, credit alone for finding an issue is not always enough of a lure.
Bug bounties, however, dangle the financial carrot, give credit where credit is due, and open up a line of communication between ethical hackers and companies.
To plug the gap between companies which had no established bug bounty systems in place and researchers who wanted to be paid for their efforts, HackerOne has gained quite a following, with hundreds of companies using the service to run their own programs -- and some using interesting tactics to keep the ball rolling.
Uber, for example, uses a virtual treasure map to help hackers uncover vulnerabilities and runs a loyalty program to keep researchers keen, while Shopify and GitHub boosted payouts this year for extra coverage. In addition, Zenefits sponsored an event at Black Hat this year that offered double bounties to those attending the conference in Vegas.
In a blog post on Wednesday, HackerOne CEO Marten Mickos outlined the success of these programs so far: over 50,000 vulnerabilities have been found and fixed through them.
There are over 100,000 hackers registered with HackerOne, and over $20 million has been paid so far in bounties. By 2020, the company predicts that $100 million will be issued in rewards for resolving 200,000 bugs, and potentially over one million hackers will be registered with the program.
While difficult to predict, Mickos estimates that 16,000 of these vulnerabilities will be critical issues.
"Let's further assume that every 10th of those critical vulnerabilities could have led to a data breach or costly security incident if left unfixed," the executive says. "Knowing that the average cost of a data breach is $7 million in the US, we can estimate a total saving of around $10 billion dollars."
According to HackerOne, some of the most successful hackers on the platform are earning more than 18 times the salary of an average software engineer in their home countries, and with such financial rewards to be had, the success of such programs is likely to continue.
"The bounties hackers are awarded for their contributions to a safer internet are changing lives," Mickos says. "They are paying for education, supporting their families, buying homes and cars, and building a future that may not have been possible otherwise."
"Through the relationships with security teams, hackers are starting new careers and building fantastic skills and resumes. The future is brighter when we work together," he added.