Companies are Paying Millions to get Hacked — on Purpose
The old sports adage, “the best defense is a good offense,” is being deployed by corporate America when it comes to cybersecurity.
HackerOne, a San Francisco-based “vulnerability coordination and bug bounty platform,” reports that it has some 800 corporate customers who paid out more than $15 million in bonuses to white-hat hackers since its founding in 2012.
Most of that bounty was paid in the past two years, as companies have become more aware of their cyber vulnerabilities.
Clients that have used the platform include General Motors, Uber, Twitter, Starbucks and even the US Department of Defense.
According to HackerOne Chief Executive Marten Mickos, companies of all kinds are shelling out increasing amounts of money to fight fire with fire by employing benevolent hackers to thwart break-ins from outside hackers.
Google, as he points out, has paid out about $3 million through its own hacker bonus program. Uber has paid out $860,000 over the past year to use his platform.
The increased use by consumers of internet-connected devices (the so-called “internet of things”) is also resulting in a “rapidly growing” demand for white hats, according to Mickos, who points to 2015’s hack of Mattel’s Wi-Fi enabled Hello Barbie. “It may sound silly, a doll,” he says, “but it’s your child.”
Another 2015 wake-up call occurred when the controls of a Jeep were commandeered by a hacker using a laptop miles away. Parent Fiat Chrysler had to recall more than a million vehicles as a result of the incident (in which no one was hurt) — a lesson that was not lost on other automakers like GM, which signed up with HackerOne, and Tesla, which established its own bonus program.
“[Benevolent] hackers are in very high demand,” according to Adam Malone, director of cyber investigation and breach response at PwC. The demand for the skill set is also expanding beyond the freelancers, he says, with a select few hackers bringing home “a six-figure range pay up to half a million.”
“I lead a team of guys that go into a company that has been
breached,” he explains. “I primarily hire people most experienced in