Highest Rated Comments


jobertabma (8 karma)

I cannot express how grateful I am to all the people that support me, which definitely includes my own family, my family in law, my friends, and (last but not least) my wife! Like you said, the fact that they assembled furniture for my wife and me and basically decorated my home when I was on the other side of the planet shows that they care about the success of the company and that they want to do almost anything to help us succeed. Another great example is that my parents basically forced me to start a company at age 17 to sell security consultancy services instead. Startup life is hard, but the people around me have been amazingly supportive and big advocates of what HackerOne does and stands for. HackerOne wouldn't be what it is today without the support of all these amazing people!

jobertabma (7 karma)

Great question! We launched our own bug bounty program on the day that we announced our platform (November 6, 2013). An hour in, we received our first report that was valid (!). Over the last 3 years, we received a total of 4,517 submissions. Of those submissions, we deemed 161 to be valid and paid $84,300 USD to the people that reported them. At this moment, we don’t have any reports in the “new” state and only 3 reports triaged. About 20% turned out to be duplicate, 66% not applicable, and 9.3% informative. The amount of not applicable reports is very high compared to other programs on the platform - this is due to the fact that people try all kinds of things and use our bug bounty program to try it out. About a year ago, we opened up a sandbox for hackers to sign up for their own test program. Because of that and our hacker metrics, our noise volume keeps decreasing.

jobertabma (7 karma)

Jobert here! There’s a number of really cool reports that I’ve seen over the years, but I’d like to highlight a remote code execution bug that was reported to PornHub about three months ago (https://hackerone.com/reports/141956). The report on HackerOne only has a summary attached to it, and I believe they had good reasons to do so, but the researchers posted a really well-written and detailed blog about their findings: https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/. They got $20,000USD from PornHub, as well as 2x $2,000 from the Internet Bug Bounty for the bugs that they found in PHP. Sometimes you see that people really go deep and keep trying to solve the puzzle, which can lead to amazing finds like these. These are very capable people and, with that, we're making the internet safer for everyone!

jobertabma (5 karma)

Good question, and I'll give you some details on the outage that we had a few days ago. We still host part of our infrastructure on our own dedicated hardware in a datacenter in The Netherlands. Our primary database is also hosted there. Recently, we added new physical servers to our rack and added those to our cluster. Because we wanted to perform some maintenance on our primary database server (increasing disk space), we moved it to new hardware to then make our secondary database server the new primary (switch roles). We do this every once in a while and it doesn't cause any disruption to the service.

In the middle of the night NL time, we saw that the server went completely down. It turns out that the new hardware had I/O issues with the physical disks (we didn’t notice that with other servers running on the same physical node). We use a PostgreSQL backend for HackerOne.com, which keeps part of its database in memory. Because it allocated too much memory (configuration error?), it started swapping to the disk. Because of the I/O issues, the server simply went down and locked itself. Luckily, it was a straightforward procedure to move the secondary to be the new primary, which was hosted on another physical host. Long story short: we’re still looking into what happened exactly with the physical node, and are currently not using it anymore for any production systems.

To mitigate these issues in the future, we’re currently in the process of migrating our infrastructure to AWS!
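The outage described in the comment above came down to PostgreSQL being allowed to claim more memory than the host could back, so it swapped onto disks that turned out to have I/O problems. The script below is an added example, not HackerOne's code or configuration: it parses a constructed `postgresql.conf` fragment (all values are assumptions) and estimates the worst-case resident memory the server may try to use, the check an operator would run before moving a primary onto new hardware. The `safe_fraction` threshold of 80% of RAM is a hypothetical budget, not a PostgreSQL default.

```python
import re

# Constructed postgresql.conf fragment for the demo. These values are assumptions;
# the AMA does not show HackerOne's actual configuration.
SAMPLE_CONF = """
# memory settings (constructed sample)
shared_buffers = 8GB
work_mem = 64MB
maintenance_work_mem = 1GB
max_connections = 300
autovacuum_max_workers = 3
"""

UNIT_BYTES = {"kB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "TB": 1024 ** 4}

# Multiplier PostgreSQL applies when a memory parameter is given as a bare number:
# shared_buffers counts 8kB blocks, the work_mem family counts kB.
DEFAULT_UNIT = {
    "shared_buffers": 8 * 1024,
    "work_mem": 1024,
    "maintenance_work_mem": 1024,
}


def parse_conf(text):
    """Parse 'key = value' lines, ignoring comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def to_bytes(param, value):
    """Convert a PostgreSQL memory setting such as '64MB' or '8192' to bytes."""
    m = re.fullmatch(r"(\d+)\s*(kB|MB|GB|TB)?", value)
    if not m:
        raise ValueError(f"unparseable memory value for {param}: {value!r}")
    number, unit = int(m.group(1)), m.group(2)
    if unit:
        return number * UNIT_BYTES[unit]
    return number * DEFAULT_UNIT[param]


def memory_budget(conf_text, total_ram_bytes, safe_fraction=0.8):
    """Estimate worst-case memory use and flag it against a RAM budget."""
    s = parse_conf(conf_text)
    shared = to_bytes("shared_buffers", s["shared_buffers"])
    work_mem = to_bytes("work_mem", s["work_mem"])
    maint = to_bytes("maintenance_work_mem", s["maintenance_work_mem"])
    max_conn = int(s["max_connections"])
    av_workers = int(s.get("autovacuum_max_workers", "3"))

    # Worst case modelled here: every connection spends one work_mem at once,
    # plus each autovacuum worker spends its maintenance_work_mem. A single
    # query can allocate work_mem several times (one per sort/hash node), so
    # this is a floor on the true worst case, not a ceiling.
    per_conn_total = max_conn * work_mem
    worst = shared + per_conn_total + av_workers * maint
    return {
        "shared_buffers_bytes": shared,
        "per_connection_work_mem_total": per_conn_total,
        "worst_case_bytes": worst,
        "ram_fraction": worst / total_ram_bytes,
        "oversubscribed": worst > safe_fraction * total_ram_bytes,
    }


if __name__ == "__main__":
    # Hypothetical 32 GiB host, as the new hardware might have been sized.
    report = memory_budget(SAMPLE_CONF, 32 * 1024 ** 3)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample values, the per-connection `work_mem` allowance alone adds up to 18.75 GiB, and the total comes to about 93% of a 32 GiB host, so the script flags it; the same configuration on a 64 GiB host passes. The point of the check is that `work_mem` is a per-operation setting multiplied by concurrency, which is the usual way a PostgreSQL server ends up swapping.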

jobertabma (3 karma)

Good question! We recently released a few new features that give more insights to hackers regarding response times, resolution times, and paid bounties. A good example is Uber's page on HackerOne: https://hackerone.com/uber. The main reason why we haven't released a way to rate and rank programs is because we don't want hackers to discourage other hackers from participating in certain programs for the wrong reasons. An example: we have to avoid that people think a consistent 2-week initial response time is worse than a consistent 3-day initial response time (consistent is key here). It's all about expectation management to the people that are looking for a new target. Consistency is key here. Of course, there's an upper limit to the initial response and "time to bounty", but we're currently figuring out how we should communicate that on program profiles.

Also, we noticed that resolution times are heavily influenced by the company's priorities and the severity of reported issues. In some situations, it's acceptable that a company took 4 months to fix an issue. However, it is hard to explain that a company made the right decision when one profile shows "1 week resolution time", while the other one shows "4 month resolution time". We're still crunching data and ideas to make this make sense. Related to this: this is why we promote paying bounties within 30 days after a report is submitted, or earlier in case the bug is fixed before that. We believe that the hacker should not have to wait for recognition and a bounty until the company has fixed a bug.