Our world would be insecure without bug bounty platforms. We don’t know whom we can or cannot trust. If we find a vulnerability in a piece of software as white hat hackers, we would be afraid to report it to the software owners because we wouldn’t know how they would react. Will they reward us or sue us? The same fear exists on the other side. As a software or IT company, we would worry about signing an agreement with an external penetration tester because we would be afraid that the findings could end up in the wrong hands.
Fortunately, nowadays bug bounty platforms solve these problems. One of the biggest is HackerOne.
It all started in 2011, when Jobert Abma and Michiel Prins looked for vulnerabilities in the products of more than 100 high-tech companies, including Google, Facebook, Microsoft, Twitter, and Apple. A few companies ignored their reports; however, their effort can be considered a success, because it brought them into contact with Alex Rice, who was the Head of Product Security at Facebook. Jobert Abma, Michiel Prins, Alex Rice, and Merijn Terheggen together founded HackerOne in 2012.
The founders: Michiel Prins, Jobert Abma, Alex Rice and Merijn Terheggen
HackerOne is a brilliant platform on which the software owners and hackers are in close contact.
If you are a hacker and like finding bugs, then I have good news for you. On HackerOne, many companies are willing to pay you for bug reports. The scale differs from company to company, but the minimum price is $25 for a bug, and the maximum price can reach $100,000.
According to some surveys, the vulnerability type that earns the most money is the remote code execution bug. By exploiting such a bug, bots or attackers can gain unauthorized access to information about the vulnerable program.
If you have found something, then you can report it to the program operator via HackerOne.
There are many companies in the world that believe their products are 100% secure. In practice, this statement remains true only until someone finds the first vulnerability. In this situation, the intention of the bug hunter matters. Every company is afraid that people with bad intentions will be able to damage its software.
If you have a company and don’t want the bad guys to be the first to find the hidden bugs in your product, use HackerOne.
As a company, you pay a fixed fee every year. Then you can create a rewards table, in which you indicate the price you are willing to pay for each type of vulnerability.
If a hacker finds a bug in your product, then he will create a report for you. In this report, he will present the problem, describe how to reproduce it, and possibly even suggest a solution.
Of course, the report is kept private until the problem is solved, but at the end of the case you can decide to make the report public so that others can learn from it.
Although BitNinja will not fix your system’s vulnerabilities, it can help prevent the bad guys from reaching these critical points.
If you are a beginner, don’t worry. HackerOne has great tutorials for bug hunting. In this regard, we also have a recommendation for you: we will be starting a series of articles about the most famous vulnerabilities.
In each article, we explain how to take advantage of that vulnerability and, in general, how you can protect yourself against it. Finally, we will tell you what kind of solutions BitNinja can provide for your vulnerable points. If you are interested in this topic, please subscribe to the BitNinja newsletter for more.