Why Companies Like Google And Facebook Pay Hackers Millions


Think about hackers. The term probably brings to mind
hooded figures operating in the dark, probably in a basement,
definitely in secret. They’re exploiting vulnerabilities, stealing our
money or our personal information, and costing
companies millions. In fact, cybercrime costs the world
an estimated $600 billion dollars per year. But the past decade has seen a
rise in a new type of hacker called an ethical hacker, or
a white hat hacker. These men and women want to use
their hacking know-how for good, and a legal market for their
skills has rapidly emerged. There’s this creativity, there’s this curiosity
and there’s this kind of almost mischief in how you think. But then that’s coupled with a
strong moral framework and ethical framework to actually use
that for good. These hackers help companies protect
themselves by finding vulnerabilities before the criminal hackers do. When an ethical hacker finds a bug,
they disclose the security issue in exchange for cash or other rewards, in
what’s known as a bug bounty program. So we’re like
a neighborhood watch. We come to your house, we look for ways
to break in, and if we can break in, we tell you. We don’t break in, we tell you
how we could have done it. Companies like HackerOne, Bugcrowd and Synack
have sprung up to connect freelance hackers with corporations that
offer bug bounty programs. This has led to the creation
of a geographically dispersed network of cybersecurity experts, a.k.a. hackers, who are integral to the
safety of corporations in every industry from tech to finance
to national defense. We work with MasterCard, we work
with Fiat Chrysler in the automotive space, we work with Cisco
in the engineering I.T. technology space, you know
Department of Defense, Pinterest. These days, hackers can make a lot
of money identifying security flaws for companies like these. The payout for finding a single,
highly critical vulnerability can be tens of thousands of dollars, and some
companies have paid out millions overall. I know Verizon Digital Media
actually just passed $7 million dollars in bounties paid. Uber has paid out
over $2 million dollars. Hacking for good is gaining traction
and there’s big money at stake. So it may be time for the public
to rethink its conception of what being a hacker really means. Ever since computers have existed, people
have been trying to break into them. Back when these machines were
clunky novelties found only in universities and large corporations, hackers
were commonly seen as tinkerers, technology enthusiasts who
liked exploring and altering existing computer programs. They made improvements that helped
move the industry forward. But with the emergence of the
personal computer in the 1980s, cybercrimes became much more common. From the comfort of their
living rooms, self-taught programmers learned how to break into and manipulate
important systems, pirate software and spread viruses. I broke into mostly websites
belonging to corporations, governments, military agencies and
just defaced them. I changed them. A lot
of people went to jail. Like a lot of
people got nasty letters. A lot of people got
knocks on the door. And that’s really the history of
hacking that actually precedes this season that we’re in now. Ended up getting arrested several times
by the federal government for that. And they sent me to prison for
27 months, 10 months and 14 months. Three separate occasions. Ellis began hacking in the 1990s,
and DeVoss in the early 2000s. By then, the hacker stereotype was
already well established, thanks to media like the popular 1983 movie
WarGames, which revolved around a disaffected but intelligent teen accidentally
hacking into a top secret military supercomputer nearly starting
World War 3. Even though the young protagonist wasn’t
malicious, the idea that computer whizzes could gain access to systems
like this terrified the public. After Ronald Reagan watched the film,
he proposed a number of anti-hacking bills resulting in the Computer Fraud
and Abuse Act, which prohibits anyone from intentionally accessing
a computer without authorization. And it hasn’t really
been changed since. So it is legal in the sense that
if there is authorization, then at that point they have safe harbor. But outside of that,
it is basically illegal. Because the law doesn’t really define
what “authorization” means, it isn’t exactly clear how it relates to
our new reality, where cybersecurity is increasingly outsourced. Security used to be
something you fix internally. It’s very secretive, it’s not
transparent, it’s not open. And we’re seeing a shift towards
security becoming more and more collaborative and enlisting
outside help. For a company, enlisting this outside
help often means starting a bug bounty program, in which corporations pay
hackers who report bugs or vulnerabilities in their software. What’s believed to be the first of
these programs came about in 1983, when a Silicon Valley startup called Hunter
& Ready offered a free Volkswagen Beetle to anyone who identified a
bug in its operating system. Over a decade later, in 1995,
Netscape began offering more straightforward financial incentives for finding flaws
in its popular browser, Netscape Navigator. The idea took a while to
catch on, but by the mid-2000s, security companies iDefense and TippingPoint,
as well as the Mozilla Foundation, offered similar programs. Other tech giants eventually followed suit, giving
rise to a new crop of startups like Bugcrowd, HackerOne and
Synack, which connect ethical hackers with companies offering
bug bounty programs. When starting one of these programs,
a company simply describes what type of vulnerabilities they want to be notified
of, what parts of their site hackers can test, and what
types of testing are allowed. They also determine how much
each bug is worth. Then the bug bounty platforms
verify the legitimacy of the vulnerabilities, coordinate payouts to hackers
and work with the companies to ensure that bugs are properly fixed,
greatly reducing the burden on a company’s in-house security team. On average, you get about a thousand
dollars per find, and the highest bounty we’ve paid is $100 thousand
dollars for a single vulnerability. Companies pay a fee to use bug
bounty platforms like HackerOne, but for the hackers themselves, these sites are
free and easy to join. You fill out your Twitter
handle, your LinkedIn I.D., your GitHub I.D., you know, that’s really the starting point
of how we figure out how to connect you with the
right programs going forward. Every time when you file a vulnerability
report to a company, you get scored by how good it was
and how serious it was. And then you are collecting points,
we call them reputation points. And then we can see in all these
metrics how good they are, what their special skills are, and that’s how we
can pick the right talent for every job. For hackers who were previously
operating illegally, the fact that you could now make good money this
way seemed difficult to believe at first. I was introduced to bug bounties
in 2014, but I didn’t actually participate because it still seemed like it
was too good to be true. Because if I get in trouble for
hacking illegally again, it’s life in prison. And I wasn’t willing to take
that risk on something that was so new. Eventually though, hackers like
DeVoss realized these platforms were for real, and their networks
have been growing rapidly worldwide. We have half a million
hackers in our network. Half of them are 24 years or younger. Some of them are as
young as 15 or 16. They can be all over the world. They have endless curiosity. They like to outsmart systems. And they figure out how to break
in, before the criminals can do that. Today, over 1,400 organizations use HackerOne
and over 1,200 use Bugcrowd. Even though many of these organizations
have their own internal security teams, the complexity of software
these days pretty much guarantees they’ll still have some weak spots. I don’t think there’s ever been a
company that’s come onto the platform that has had just zero vulnerabilities in
it, no matter how mature it is. There’s always something, because
humans make mistakes. And in recent years, these mistakes
have led to some high-profile disasters. Equifax paid a $700 million
dollar settlement to consumers for its 2017 data breach. And in 2019, Yahoo! agreed to pay a $117.5 million dollar settlement for a series
of hacks that exposed the personal information of up to
three billion accounts. If you have a data breach, the average
cost to you is $7 million dollars, and many have had breaches that have
cost them $100 million or more. We help avert breaches by
fixing the vulnerabilities ahead of time. And the price you pay for that is a
fraction of a fraction of the cost of a breach. Research and advisory
firm Gartner estimated that globally, cybersecurity spending would reach
$124 billion in 2019. Overall, the high cost of
preventing and mitigating cybersecurity threats has spurred a wide range of
companies from United Airlines to the Department of Defense to Goldman Sachs
to adopt bug bounty programs over the past five years. Probably the turning point in adoption for
what we’re doing was when the Department of Defense launched the Hack
The Pentagon project, which we’re now very much a part of. So there you have the world’s
largest organization, with the most powerful weapons in the world, unlimited budgets,
and they’ve concluded that to be truly secure, they need
the help of hackers. And we’ve found already over
12 thousand vulnerabilities for the Department of Defense. That’s like the greatest part of it, is
being able to hack like the U.S. government and military, and not worry that
your door is going to get kicked in by a SWAT team anymore. Because that’s happened four
times to me. These days, rather than getting
arrested, DeVoss’s hacking obsession has made him wealthier than
he’d ever imagined. In total, he’s netted well over $1
million dollars over the course of his ethical hacking career. I’m at $840 thousand dollars
just on HackerOne for 2019. If you add in the other platforms,
then I’m a little over $900 thousand for the year. Only a select
few have matched his success. But their backgrounds provide an
interesting glance into a diverse network. We have six hackers today who
have made more than a million, and the first one to get to a million
was 19 year old Santiago Lopez in Buenos Aires. So no university education, no background
in a tech center in the world. Just endless curiosity, a good
sense of computers and mathematics and hard work. And
he earned a million. CNBC got Lopez on the phone
to talk about his accomplishments. At the beginning, when I started hacking,
I didn’t know that I was going to make a million. It
was like impossible for me. So it was a very good surprise. But despite the incentives for hackers
and organizations alike, the vast majority of companies still
don’t offer bug bounties. Actually, most don’t even offer
any sort of vulnerability disclosure program, which would allow hackers to
report bugs without fear of punishment. A vulnerability disclosure program
is extremely similar to a bug bounty program. You’re still allowed to
hack into the system as long as you report it to them. The only difference is you don’t
get paid for your vulnerabilities. While this may seem like an easy
win for organizations, the most recent HackerOne security report revealed that 93
percent of companies on the Forbes Global 2000 list don’t
have any vulnerability disclosure policies. Without a proper channel
to report security issues, HackerOne says nearly 1 in 4 ethical
hackers have failed to disclose a vulnerability that they’ve found. Luckily, the industry is showing some
trends in the right direction. At the end of 2019, the
Cybersecurity and Infrastructure Security Agency issued a draft of a mandatory
directive that would require all government agencies to adopt
vulnerability disclosure policies. HackerOne and Bugcrowd hope this means
that more companies will follow suit. And to ensure that the talent
pool is able to meet the growing demand, both even offer their own
free educational initiatives to teach newbies the basics of hacking. The Internet is a pretty,
pretty gnarly place these days. And really what it comes down to
is that you can’t control what an attacker is going to do, but you can
control where your defenses are up to when they arrive. As for the
individuals on these platforms, they just want people to know that despite what
you may have heard about “hackers”, in the world we live in
today, they’re often on our side. They always see the hacker like the bad
guy, but he’s the good guy now. We’re here to help. We’re not just
some sketchy people in their mom’s basement who are out
there to cause damage. We’re professionals who work in the
industry who actually wanna make the companies better.

100 Replies to “Why Companies Like Google And Facebook Pay Hackers Millions”

  1. Because the tech companies have been such an upstanding example of upholding constitutional law and basic human morality. You can put lipstick on a pig but it's still a pig. They cannot be trusted. Oh, and CNBC: get your trash propaganda off my feed!

  2. When you're hacking, good or bad, it means there's something you want to know, which is mostly hidden. Maybe it's the problem of something hidden that makes people want to discover it. Even so, people will do anything to find out what there is to find, nor does it matter if it's a little silly thing; the enjoyment is greater to complete the task, to hack.

  3. When there is software there is always a back door, no matter how good its security is made.
    Not until it becomes hardware!

  4. In simple form: when using Firefox or Chrome you're able to use basic hacking skills to enter any website you want to go to, FBI or CIA, etc. An org's website can be unlocked by a simple mistake, so it's not so secure.

  5. Even if you're only using hackers' software you can learn to do much more than you can simply understand, because the software itself is already advanced above human understanding.

  6. Hmmm, I'm pretty, pretty skeptical about all this BS, to say the least… So, would that mean you use sloppy engineers to create buggy software and then use skillful engineers to find the bugs? So gradually end users have developed a sort of "Stockholm Syndrome" with regard to buggy software. They believe it is normal, expected, and inescapable. It is a very doubtful proposition. Isn't it that mentality which produced the Boeing 737 Max – create a crappy product and give it to Malaysia so their pilots find the bugs and report them back to Boeing for rewards (if they can land the plane)? Is that another insane Millennial-mind-born idea?

  7. I don't know guys it's like inviting the burglar into your house giving them full access to install things for later…

  8. If cybercrime costs the world $600 billion dollars per year, let the world pay it. It's about companies, not the people.
    Commercial in disguise.

  9. So if they're giving the hackers authority to find ways to hack things on their sites, couldn't a hacker just decide to hack the site and steal money from the site?

  10. What would save these companies billions on so-called losses is to … not make predictions of how much money they ought to be making and then going even further to then accuse hackers or other ne'er-do-wells of stealing these projected billions.
    Simpler: don't count your chickens 'til they've been hacked.

    You can use that quote.

  11. Who created hackers? Can't sell ANTI VIRUS if you ain't got viruses. Classic Hegelian dialectic… Problem, reaction, solution. One gang runs the world.

  12. HACKERS DELIBERATELY WRITE OBSCURE CODE WITH THE EXPRESS INTENT OF INSERTING VULNERABILITIES THAT ARE HARD TO DISCOVER… (AND WITH ENOUGH VULNERABILITIES, HACKERS CAN "DISCOVER" "BUGS" ON A REGULAR BASIS, THEREBY ENSURING ENOUGH BUSINESS VOLUME TO JUSTIFY CREATING AN ENTIRE INDUSTRY.) ALL ANTI-MALWARE COMPANIES CORRUPTLY CONTRIBUTE TO THE PROBLEM, ENSURING ETERNAL JOB SECURITY.

  13. It doesn't seem like Facebook is hiring any white hackers…How come Facebook/Instagram are looking more and more like the Darknet with animal abuse content and Pedophilia videos?!…Are the white hackers not able to block that content from the source or are they busy blocking the people who report it? btw …Facebook is not the only social media allowing that terrible content…

  14. This whole concept is extortion. I'm sure some mean well, but what happens when the "white hat" hacker does not get paid? How do you know the white hat did not create the problem to begin with? Good or bad, they should be programmed out. Is there a good burglar and a bad burglar? The best burglar is the one that's not in your house.

  15. A cute idea, and valuable, but I can see how a hacker might discover problems and, if the bounty isn't big enough, pass it on to another hacker for bigger money.
    AND WHAT IF a hacker registers and then is CAUGHT with unauthorized access? They just claim they were testing for vulnerabilities, so they have an excuse for their real motives.

  16. Kinda like how the DNC hired CrowdStrike, right? LMAO. Vault 7 taught us anyone can pretend to be anyone, and the CIA created the toolset the most dangerous hackers are using. Thank you CIA, thank you NSA for paying Intel for a back door, and thank you for paying Microsoft for a back door.

  17. "These hackers help companies protect themselves". So Casey Ellis thinks it's moral for hackers to use their know-how to PROTECT corporate monstrosity? Corporations are private tyrannies that essentially mirror the totalitarian model internally. A hacker's morals would need to be seriously compromised (to use a familiar term) in order to think that this is "ethical", righteous, and good. Hackers who'd like to leverage "morals" would be better off using what they know to raze massive corporations to the ground, where they belong. [email protected] "moral" hacking that defends these deeply exploitative, anti-democratic institutions.

  18. It's no different than the locksmith business in the physical world. If we build secure systems (whether digital infrastructures or door locks), we also build an industry of people who can access/brute force those systems if needed.

  19. It's time the public rethink their idea of what a hacker is? Do you not hear how convoluted this is? You're basically trying to make us believe that all hackers are these brave, honest, altruistic people. The truth is, the only reason that these people have a job in ethical hacking is because there are other hackers who are NOT good people, and who are out to do harm. If all hackers were honest, good people, then there would be no hackers, or at least no ethical hacking jobs, because it wouldn't be required.

  20. In later centuries: Bruh, I can't find a criminal hacker, my boss is gunna throw me.
    Me: Oh, yeah, cuz all the criminal hackers are now white hat hackers.
    Friend: So, basically no money for that?
    Me: Don't worry, y'all will go through poverty, then there will be a new rise of criminal hackers.

  21. I really don't mind white hat hackers. If you want to hack and you do it to expose a bug and tell the company so they can close it, I am OK with it. Especially if you have the goal of protecting people's data and information in your own way. Not everyone can be a police officer and not everyone can be a hacker. Like anything else, we are not perfect. Sometimes it's a niche that we all have, that we are truly good at one skill and not at other skills. I know people who are HR experts and don't want anything to do with tech or how to fix it. They just want it to work, and vice versa.

    If you're a white hat hacker and you want to protect people's data on a website etc., by all means I am OK with it.

    What you don't want is a black hat hacker. I am pretty sure you all know why…

  22. When he was a young boy, Julian ASSANGE was an ethical hacker.
    When he grew up, he didn't hack anymore, but collected documents that he received from some people, for justice and peace.
    Julian ASSANGE should be free.

  23. If you are paid by the company to reveal vulnerabilities, doesn't that make you an employee and not a hacker? The term 'ethical hacker' is an antonym, like saying that a soldier is an ethical murderer.

  26. Everyone, these people are preparing for something. Something big. In my city, where crime isn't as bad as in the big city, we have this military equipment too.
    I am guessing they are getting ready for a collapse of the country.

  27. This is just outsourcing quality control so they don't have to put people on a payroll… Reduced overhead for the company but less jobs for technical experts. And the so called "Hackers" are getting robbed in the process…

  28. The word "hacker" always makes my ears cringe, due to the fact that it's such a broad, general term, like saying you work in "Construction" or a "Hospital". But since most people don't know the difference between http and https, they are often portrayed as gods with no knowledge of the systems… There are so many different terms and words that are misconstrued and mispopularized. A hacker has a deep knowledge of network systems, not just someone who can run scripts or has a scamming organization in India to trick people into confirming their identity, preying on people's fear.

  29. "White-hat hackers" are also called "software testers" and they've existed since computers were invented. The only difference here is they are independent contractors instead of full-time employees — so they don't get paid unless they find errors.
