Inside Security@ Dallas: Insights to Attract Elite Researchers and Prove ROI

HackerOne Team
HackerOne Security@ Global Tour

HackerOne’s flagship conference, Security@, landed in Dallas on May 13 to welcome professionals with insights from top researchers and tips from customers on developing more effective bug bounty programs.

Security leaders from CBRE and TikTok explained that the impact of crowdsourced bug bounty programs makes demonstrating ROI easy, while top security researchers revealed that programs with clear commitment and communication get their attention.

If you missed it, we’ve highlighted the event’s biggest insights.

Customers Value Offensive Security to Simplify Reporting and Tap into Deep Researcher Talent

Alan Sebastian, Vice President of Cybersecurity at CBRE, and Benzi John, Leader of the Privacy and Data Protection Office at TikTok, shared the value of their security programs.

HackerOne’s Maggie Miller speaks with Alan Sebastian of CBRE (middle) and Benzi John of TikTok (right)

From the start, Sebastian says, the program simplified how CBRE manages vulnerability reporting altogether and allowed CBRE leadership to focus on other priorities.

“That’s where HackerOne came in. It gave us a place to funnel everything, properly standardize things, and put protocols and metrics behind it,” he said. “And it also stopped people emailing executives in different countries who don’t want to manage all of that.”

Sebastian said that, without a dedicated team in place to manage the influx of vulnerability reports, HackerOne’s triage support funnels and organizes issues into an easy-to-handle flow of tasks.

John highlighted a different, but just as valuable, experience at TikTok. TikTok runs one of the first official privacy bug bounty programs on HackerOne, and John explained the difference between security and privacy issues.

If a TikTok user marks a video as private but it is then viewable by the world, that goes beyond security and becomes a privacy issue, he said. And these instances may not be due to bugs at all.

“You've got issues from mothers who are trying to make TikTok videos who are able to point out that privacy implication,” John said. “You don't need to be tech savvy to be able to point out that privacy implication.”

Both say the value of their security programs is easy to demonstrate to leadership. Sebastian praised the breadth of talent security researchers offer, citing a recent bug bounty in which one researcher exfiltrated an entire application’s data in a single day—a critical finding that CBRE could address immediately.

And for John, the well-publicized scrutiny on TikTok makes HackerOne a crucial asset in his commitment to securing the user’s privacy on the platform.

“We are very much invested, and HackerOne has been a boon for us,” he said. “This program has totally shifted the paradigm as it relates to being able to identify these issues.”

Researchers Look for Responsive Programs, and Embrace Hackbots (with a Human-in-the-Loop)

Two top security researchers also took the stage to describe their motivations, which programs keep them coming back, and their take on the rise of hackbots. Rojan Rijal (@ophionsecurity) and Jasmin Landry (@JR0ch17) aligned on their passion for deeply understanding the digital environment that gives them an edge in bug hunting.

HackerOne’s Chad Chalker interviews Rojan Rijal (@ophionsecurity) (middle) and Jasmin Landry (@JR0ch17) (right)

“My goal when I’m hacking is to know as much about the application as the product's development team knows it,” Landry said. “I want to know the application better than other hackers so they cannot find bugs that I’m looking for.”

Rijal added that accessing personal information, for example at a financial company, is a clear way to show the customer the impact of his findings and the value of his skills and HackerOne’s platform. Collaboration with customers is another motivator.

“I like to have a direct talk with the customers and share what I'm finding,” he said, “even just to say, ‘I think I’m close to a vulnerability. Do you think there's a way to exploit this?’”

In fact, in addition to the challenge of a bug bounty, both Landry and Rijal look for open communication with the customer and a legitimate commitment to security when evaluating security programs.

Rijal says it’s clear when a company is using a bug bounty program to truly respond to vulnerabilities quickly rather than just checking a box for compliance. The speed of response and interest a customer shows in the vulnerability findings indicate a quality program for researchers.

In their years as security researchers, Landry and Rijal note that while technology has expanded attack surfaces and vulnerabilities have evolved, many of the same tricks are still in play. The real novelty on the rise, however, is hackbots.

These AI-driven tools are designed to spot and exploit vulnerabilities autonomously. They adapt dynamically and, unlike scanners, can hack applications on their own using advanced machine learning techniques.

HackerOne embraces the growth of hackbots and expects security researchers to build their own, just like Rijal has. He says it supports him in automating some of the data parsing tasks, such as converting data into easier-to-use formats, but he makes sure to personally manage parts of the process that involve sensitive data.

And Landry agrees, with plans to develop his own soon.

“It’s like hacking with a friend, where you can have two people working on the same thing at the same time so you can get more results,” he said.

Don’t Miss Your Chance to Attend Security@

Couldn’t make it to Dallas? We’ll be in London on June 4, Seattle on June 24, and Charlotte on September 9. Join our Security@ network and look for an event coming to a city near you.