HackerOne – The Biggest Bug Bounty Platform
Jozsef Konnyu

Our world would be far less secure without bug bounty platforms. Without them, nobody knows whom they can trust. If we find a vulnerability in a piece of software as a white hat hacker, we would hesitate to report it to the software owners because we could not predict their reaction: will they reward us or sue us? The same fear exists on the other side. As a software or IT company, we would worry about engaging an external penetration tester because the details of our weaknesses might fall into the wrong hands.

Fortunately, nowadays bug bounty platforms solve these problems. One of the biggest is HackerOne.

It all started in 2011, when Jobert Abma and Michiel Prins set out to find vulnerabilities in more than 100 high-tech companies, including Google, Facebook, Microsoft, Twitter, and Apple. A few companies ignored their reports; nevertheless, the effort can be considered a success, because it brought them into contact with Alex Rice, then Head of Product Security at Facebook. Jobert Abma, Michiel Prins, Alex Rice, and Merijn Terheggen founded HackerOne together in 2012.

The founders: Michiel Prins, Jobert Abma, Alex Rice and Merijn Terheggen

HackerOne is a brilliant platform that puts software owners and hackers in close contact.

For Hackers

If you are a hacker who likes finding bugs, then I have good news for you. On HackerOne, there are many companies willing to pay you for bug reports. The scale differs from company to company, but the minimum reward is $25 for a bug, and the maximum can reach $100,000.
According to some surveys, the vulnerability class that earns the most money is the remote code execution (RCE) bug. By exploiting one, bots or attackers can gain unauthorized access to information about the vulnerable program.
If you have found something, you can report it to the program operator via HackerOne.

For Businesses

Many companies in the world believe their products are 100% secure. In practice, that statement holds only until someone finds the first vulnerability. At that point, the intention of the bug hunter is what matters. Every company fears that people with bad intentions will be able to wreck its software.
If you run a company and don't want the bad guys to be the first to find the hidden bugs in your product, use HackerOne.
As a company, you pay a fixed fee every year. Then you can create a rewards table, in which you indicate the price you are willing to pay for each type of vulnerability.
If a hacker finds a bug in your product, they will create a report for you. In this report, they present the problem, describe how to reproduce it, and may even suggest a fix.


Of course, until the problem is solved, the report is kept private, but at the end of the case you can decide whether to make the report public so that others can learn from it.
Although BitNinja will not fix your system's vulnerabilities, it can help ensure that the bad guys are not able to reach these critical points.
If you are a beginner, don't worry. HackerOne has great tutorials for bug hunting. In this regard, we also have something for you: we will start a series of articles about the most famous vulnerabilities.

We Explain

In each article, we explain how that vulnerability is exploited and, in general, how you can protect yourself against it. Finally, we will describe what kind of solutions BitNinja can provide for your vulnerable points. If you are interested in this topic, please subscribe to the BitNinja newsletter for more.


