Web Security | Web Hacking | Bug Bounty POC | Web Penetration Testing Tools

Friday, June 24, 2016

What is HackerOne all about and how does it work


Suppose a Hacker discovers a security vulnerability in [Company]'s software (or any Developer's). Would they call customer support? Would they hope to walk into [Company]'s offices? Why should [Company] trust that the report is worth their time to investigate? On the other hand, how can our Hacker trust [Company] in this situation? What could [Company] do to intimidate the researcher? What if [Company] doesn't respond at all?

HackerOne focuses on solving the problems of vulnerability disclosure in its various forms: the practice of passing vulnerabilities from their finders (Researchers / Hackers) to their owners (Developers / Response Teams), and everything that can go wrong along the way.

Here are two examples of how broken disclosure channels can make things complicated:

Whistle-Blower Faces FBI Probe
http://archive.wired.com/politics/security/news/2005/07/68356?currentPage=all

MIT Students Get Top Marks for Hacking Boston Subway
http://www.wired.com/2008/08/mit-students-ge/

The interesting thing is that both the Hacker and the Developer value a peaceful and productive interaction here. Both can benefit greatly, provided the conversation has a bit of structure, pre-set expectations, and precedent from other research interactions to set norms across the board. Bounties help a lot too.

How it works: Hackers sign up to find bugs in technologies whose owners have expressed an interest in collaborating towards stronger security. To get a glimpse of it in action, check out an actual vulnerability coordinated between a hacker and Twitter (the full report, including the exchange between the researcher and Twitter's security team, is public):

Subdomain Takeover on media.vine.co
https://hackerone.com/reports/32825

TL;DR - HackerOne offers a platform that promotes a positive disclosure experience in pursuit of its mission of securing all the things, with Hackers and Companies working together for the benefit of all.
