Want better cybersecurity? Welcome more hackers into your systems.

Crowdsourcing can be a powerful tool for shoring up digital defenses, but it's only as strong as the diversity of the crowd.

Leah Mills/The Christian Science Monitor
During Passcode's Bug Bounty Lightning Talks on February 14, 2017, at Uber's San Francisco offices, Justin Calmus and Lauren Koszarek of HackerOne talked about the community of white hat hackers submitting vulnerabilities to bug bounty programs.

San Francisco — When even the Department of Defense has a "bug bounty" program to find and fix vulnerabilities before adversaries can exploit them, it's not a stretch to say the concept of encouraging friendly hackers to try to crack an organization's digital defenses is now a widely accepted security practice.

But the idea works much better when security managers open the gates to a wider set of hackers across a fuller range of their systems, a shift that takes greater trust and relationship building, said Justin Calmus, vice president of hacker success at HackerOne, at a Passcode event Monday on the sidelines of the RSA Conference.

"There's a common misconception that hackers do not play by the rules," said Mr. Calmus.

Concern that security researchers may sell what they find on the black market, Calmus said, ignores the fact that "we have hackers making upwards of $500,000 a year. Why would you risk that to go down [the black market] path?"

HackerOne helps companies set up and manage their bug bounty programs. The most successful ones, said Calmus, draw in a diversity of hackers, encouraging them to look across a wide variety of systems, and give them up-front information to save them time.

Not all hackers are interested in the same sorts of problems, a point underscored by Luke Young, a senior security engineer at LinkedIn who reports bugs through HackerOne's platform.

When he was a teenager, Mr. Young looked to turn digital vulnerabilities into quick recognition and a cool t-shirt from companies he admired.

In college, he wanted to make money more efficiently, so he shifted to bugs that were unique and had a higher payout.

After college, he hunted occasionally just to stay sharp and challenge himself, meaning he would go after only very nuanced bugs.

These different motivations lead these security researchers to focus in different places. Some hunt Web vulnerabilities, others look into network security and infrastructure security.

"When you combine all these different types of skillsets and you have such a large scope, your company's risk profile drops significantly," said Calmus.

Bug bounty hunters also live all over the world, with India and Brazil being sources of top talent. Attracting an international mix of researchers can be helpful in finding security gaps in localized versions of software and in having eyes on your systems all day, every day.

Cultivating strong relationships with a broad range of researchers increases the chances of getting early warnings. When Calmus worked on security for HR software company Zenefits, he once got a message at 2:00 a.m. from a bounty hunter who wanted to make sure he knew immediately about a vulnerability.

"It makes me feel really good to know that I have that relationship built that somebody can text me at any point in time — and they just have your back," he said.

These relationships also can lead to good hires. Young landed an internship at LinkedIn as a teenager after he brought bugs to their attention. Finding application security engineers is notoriously difficult, but bug bounty programs help managers identify talented programmers, begin to court them, and bring them onto the teams that help secure software in the first place.
