White Hat hackers earned $21 million in the past year, an increase of $10 million over the prior year.

Edward Gately, Senior News Editor

September 6, 2019


White hat hackers are becoming millionaires and are helping to alleviate the ongoing cybersecurity talent shortage.

HackerOne announced six hackers have become the first in the world to earn more than $1 million each from hacking for good. They range from Santiago Lopez, a 19-year-old hacker from Argentina, to Mark Litchfield from the United Kingdom and Tommy DeVoss from the United States.

In total, hackers earned $21 million in the past year, an increase of $10 million over the prior year, according to HackerOne. Typically, hackers from the U.S., India and Russia dominate earnings, collectively pulling in 36% of the total value of awarded bounties globally. But the presence of Argentinian, Swedish, Australian and Hong Kong hackers in the top six earners demonstrates the global opportunities available, it said.

To find out more about the increasing prevalence of and financial opportunity from white hat hacking, we spoke with Luke Tucker, HackerOne's senior director of marketing.

Channel Futures: There are now six millionaire hackers. What does that say about the significance and growth of hacking?

Luke Tucker: What excited me even more beyond the six are the 50, 100, 1,000 and 400,000 on their tail. We’re excited about the overall long-term perspective. With our industry today, with the skills shortage that we see, this community of individuals is where the future is. We could potentially have 500 CISOs that are going to come out of our community in the next decade or so, and that’s presenting the financial opportunity beyond just the pay-for results, incentive-driven bounties, which is our bread and butter, and what we will continue to expand and preach, and empower both customers and hackers to come together.

CF: Sounds like hacking is going to be playing a big role in alleviating the ongoing cybersecurity talent shortage.

LT: Yes, absolutely. With the hackers on the one side and customers on the other, there’s a talent agency component to it; how we can match the current need from the customers that we know intimately and continue to expand a relationship with, with the opportunities that we see on the hacker side. We will work with both parties to help find a long-term position if that’s what makes sense.

So there’s more than just the bug bounty realm that is going to be presented to them, and that includes seven to 10 hackers that have made a name for themselves on our platform and found that they were looking for full-time employment, and they were able to receive that from a customer on HackerOne. We don’t shy away from that; we want to empower that as well. That is why we’re seeing millionaire hackers and why we’re going to see probably double that in the next six to 12 months. It will continue to escalate. Out of the six, there are another probably several dozen that are over a half-million.

CF: What does it take to become a millionaire hacker? Those six millionaires are very different individuals from different parts of the world.

LT: Every single one of them is from a different country, which is quite amazing … and they all come from very different backgrounds and different ages. You could put a capture-the-flag challenge in front of these six hackers and they would each go about it a little bit differently to try and find the flag. They have their own methods; a lot of them have found recipes essentially that have just worked. So when I think of these six, and the diverse perspectives and the backgrounds that they come from, the common ingredients are going to be threefold: creativity — they collaborate with other hackers and they put in the time. They will do what others won’t do. They’re going to listen in on a webinar for an hour and a half to try and find some obscure information that they hadn’t read in documentation.

CF: Does all of this mean that hackers are more widely accepted and valued by companies and customers of all kinds out there?

LT: I would agree with that. I think you see that when you look at the adoption from customers. HackerOne has over 1,500 customers on our platform. That alone from the growth a year ago, two years ago, three years ago, as a startup company, you’re seeing the market really adopt and buy into that. Six out of the 10 top financial services companies in North America are running some form of hacker-powered security, either a bug bounty program or a vulnerability disclosure program. We’re seeing it expand both geographically as well as across industries.

CF: Is hacking becoming more competitive as more people become interested?

LT: It’s not a zero-sum game in that necessarily. One of the great things that we see reflected in a very strong way is how much collaboration there is, and when they do that, they’re able to drive the vulnerability severity higher, so they’re able to kind of chain something where they otherwise wouldn’t have. They can say, “Hey, I got this far and I’m trying to reach that next point, but I’m at a loss,” and then their friend comes in and they’re able to collaborate and solve something together. That’s the power that we see day in and day out. Is it more competitive? I think where we’re seeing the growth [is] the new programs coming in, the other opportunities. We are rolling out more than just the bounty programs; there’s pay-for effort kind of work, which is any financial opportunity, if you want to come in and do compliance-driven work on a pen test, you can get paid for those services. There’s more to the pie there where we’re able to say this amazing community is providing so much value in the security of these companies.

CF: Is it getting tougher for hackers to stay one step ahead of cybercriminals, and finding vulnerabilities before cybercriminals can?

LT: I would actually say the opposite. I will position that there are way more white-hat hackers out there that are working to secure our companies and corporations … and when you incentivize them properly I can guarantee they are putting in the time to secure the assets to the best of their ability, and there are more and more companies that embrace that. Now, there is no such thing as perfect security – that will never be the case – and it’s always in both hands, not either/or. If we’re really trying to secure the assets to the best of our ability, we need to have more people properly incentivized with the legal avenue and the safe harbor for them to say if you see something, say something; and even better, here’s a dollar amount I put in front of you for your incentive-driven research to report and we will celebrate your work. I strongly believe there are more top hackers that are doing what we would call white hat work in the general sense to defend both from the nation-state side all the way down to the small businesses, the corner coffee shops and whatnot, even the SMBs of the world.

Checking In with Symbol Security

Last November, Symbol Security rolled out a new phishing simulation platform and planned to make a big channel play.

The phishing simulation not only includes real phishing that has occurred, but customized phishing templates with vendors a company works with — and not just big-name vendors, but local ones too.

Craig Sandman, Symbol’s president and co-founder, tells us his company now works with about 20 MSPs and MSSPs, and is now targeting the agent community.

“Our growth has really been fueled by the partner community, and it’s really been fueled by listening to the marketing and seeing where security awareness has opportunities for improvement,” he said.

Symbol has seen a sharp increase in the number of MSPs and MSSPs on its platform in the last couple of months, Sandman said.

“It’s mostly been them reselling somebody else’s platform,” he said. “One of the critical items we’re working through this month is branding for MSSP and MSPs, so not only can they operate the platform as their service, but very soon will have it be a branded experience. And shortly after that, we’ll give them the ability to upload their own content into their own service. So for the MSP and MSSP, the security awareness story can be their story, and not some third-party story. I can be their offering.”

Symbol has seen increasing demand across several industries, Sandman said.

“We’ve seen a pick-up in the state and local municipality sector,” he said. “There’s been a lot of ransomware, and unfortunately these events hit municipalities, so I’m not surprised to see that increase from an adoption perspective. Beyond that, we’ve seen really a mix of many different verticals depending on where partners have relationships … some retail, staffing companies, health care, legal, so there’s been quite wide adoption.”

Palo Alto Networks Shells Out $75 Million for Zingbox

Palo Alto Networks is acquiring Zingbox, an IoT security company, in a deal that’s expected to close this quarter.

Zingbox’s cloud-based service, and AI and machine learning technology for device and threat identification capabilities, will accelerate Palo Alto’s delivery of IoT security through its next-generation firewall and Cortex platforms. Organizations will gain the ability to improve the visibility and security of their IoT landscape, according to Palo Alto.

Once combined, Palo Alto will offer IoT security with visibility and automated in-line prevention integrated with its platforms.

“The proliferation of IoT devices in enterprises has left customers facing an enormous gap in protection against cybersecurity attacks,” said Nikesh Arora, Palo Alto’s chairman and CEO. “With the proposed acquisition of Zingbox, we will provide a first-of-its-kind subscription for our next-generation firewall and Cortex platforms that gives customers the ability to gain control, visibility, and security of their connected devices at scale.”

Zingbox’s products will continue to be available to customers after the transaction closes.

Earlier this summer, Palo Alto unveiled plans to buy Twistlock, a provider of container security, and PureSec, a serverless architectures security provider, to extend its Prisma cloud security strategy.

Trustwave Unleashes New Cloud-Based Cybersecurity Platform

Trustwave's new cloud-based cybersecurity platform serves as the foundation for the company’s managed security services, products and other cybersecurity offerings.

The Trustwave Fusion platform connects enterprises and government agencies to a security cloud comprised of the Trustwave data lake, advanced analytics, threat intelligence, a range of security services and products, and Trustwave SpiderLabs, the company’s team of security specialists.

Chris Schueler, Trustwave’s senior vice president of managed security services, tells us the platform will provide his company’s partners with the ability to easily leverage a multicloud-enabled platform that aligns with their strategic initiatives for their clients.

“Specifically, because the platform can connect to all public and private clouds while providing a single data lake and analytics engine, it opens up a lot of possibilities for partners to leverage it with their clients,” he said. “With its hierarchal structure, partners can easily configure their customers in suborganizations and aggregate them for holistic analysis or leverage Trustwave’s managed security services for Tier 2/3 advanced analysis and SpiderLabs threat intelligence capabilities.”

The platform provides a “significant competitive advantage” when it comes to automation and orchestration across both multicloud and on-premises environments, Schueler said.

“It provides the unique advantage of essentially having a security operations center (SOC) in your pocket, giving partners mobile capabilities that enhance the value of their services,” he said.

Comcast Business Announces Strategic Initiatives with Fortinet, Akamai

Comcast Business has unveiled strategic initiatives with Fortinet and Akamai designed to drive increased innovation in cloud-based cybersecurity solutions for customers of all sizes, including SMB through enterprise.

“In today’s hyperconnected world, cyberthreats are becoming more sophisticated and prevalent,” said Bob Victor, Comcast Business’ senior vice president of product management. “No organization is too large or too small to be a target. These strategic initiatives will drive increased cybersecurity innovation across our product portfolio, helping customers of all sizes stay protected and secure. We’re thrilled to work with these two industry leaders and look forward to unveiling the output of these relationships in the near future.”

Comcast Business is collaborating with Fortinet to bring advanced security solutions to midsize and enterprise customers via Comcast Business’ ActiveCore SDN platform. It also is partnering with Akamai to develop cloud-based cybersecurity solutions designed to protect small business customers from increased cyberattacks.
