Should you pay hackers to help you?

Is it akin to hiring thieves to enter your house and test if your safe is secure? Not quite.

Last week I was in Tel Aviv at CyberWeek, one of the world’s top cybersecurity conferences, which attracted an eclectic mix of hackers, cyber-professionals and government officials. The verdict on the current state of cybersecurity readiness among governments and enterprises worldwide: poor.

If cybersecurity were a country, it would have the 13th highest GDP in the world. According to Bromium.com, cybercrime generated US$1.5 trillion in profit in 2018. Fortune reported that in 2015, cybercrime became more profitable than the drug trade. And Biztech says that whaling attacks (where the victim is a C-level executive) have jumped 200% in 2018.

“Hackers use the same cutting-edge technologies and tools that legitimate users do,” Michael Rogers, former Director of the US NSA and Commander of the US Fleet Cyber Command, told Team8 CEO Nadav Zafrir at a session at CyberWeek. “We cannot defend what we can’t see and don’t know. Ideally, the pain suffered by one attack should be a lesson learnt by many. However, the pain is repeated over and over and nobody learns.”

If hackers will always be one step ahead of the defenders, would it be wise to pay hackers to hack into an enterprise for money? In other words, to invite hackers from around the world to a sanctioned “honeypot” and pay the ones who find bugs in the millions of lines of code hidden in complex layers of software? It’s akin to letting a thief into your house – while you’re in.

It’s called “Bug Bounty” and is a legit business. How big is the bounty? About US$57m so far, from just one company: San Francisco-based HackerOne has crowdsourced hackers to find bugs in Google, Twitter, GitHub, Nintendo, Lufthansa, Microsoft, Qualcomm, Intel, Starbucks, Dropbox, GM, the EU, the US Defense Department, and Singapore’s Mindef.

On July 1, 2019, Singapore’s GovTech and the Cyber Security Agency (CSA) signed up for the third time with HackerOne’s bug bounty initiative to get ethical hackers (called White Hats) to test for vulnerabilities in exchange for money. The program will run for two months and cover nine Internet-facing government services. About 300 hackers will be invited and offered bounties ranging from US$250 to US$10,000 per bug found, depending on severity.

HackerOne is the world’s largest platform for White Hats. It was founded by Dutch native Michiel Prins, who had a natural gift (if we may call it that) for hacking. “I was 13 years old growing up in the Netherlands and I wanted to find new ways to beat video games. To cheat the game, I quickly learned I needed to learn to venture deeper into the code. This was my first introduction to hacking,” Michiel was quoted by Yitzi Weiner in Thrive Global.

While his school punished him, his mother saw the talent and encouraged him. In 2012, he teamed up with his school buddy Jobert Abma (the two of them had also hacked into their high school’s TV network) to embark on a challenge they dubbed “the hack 100 list”, where they hacked 100 of the biggest companies.

“That’s how we met Alex Rice, head of product security at Facebook, who along with Sheryl Sandberg decided that they needed to work with hackers like us on a regular basis,” Michiel told Yitzi Weiner. “Later that year, we founded HackerOne.”