Why Companies Like Google And Facebook Pay Hackers Millions

Think about hackers. The term probably brings to mind hooded figures operating in the dark, probably in a basement, definitely in secret. They’re exploiting vulnerabilities, stealing our money or our personal information, and costing companies millions. In fact, cybercrime costs the world an estimated $600 billion per year. But the past decade has seen a rise in a new type of hacker called an ethical hacker, or a white hat hacker. These men and women want to use their hacking know-how for good, and a legal market for their skills has rapidly emerged.

There’s this creativity, there’s this curiosity and there’s this kind of almost mischief in how you think. But then that’s coupled with a strong moral framework and ethical framework to actually use that for good.

These hackers help companies protect themselves by finding vulnerabilities before the criminal hackers do. When an ethical hacker finds a bug, they disclose the security issue in exchange for cash or other rewards, in what’s known as a bug bounty program.

So we’re like a neighborhood watch. We come to your house, we look for ways to break in, and if we can break in, we tell you. We don’t break in, we tell you how we could have done it.

Companies like HackerOne, Bugcrowd and Synack have sprung up to connect freelance hackers with corporations that offer bug bounty programs. This has led to the creation of a geographically dispersed network of cybersecurity experts, a.k.a. hackers, who are integral to the safety of corporations in every industry from tech to finance to national defense.

We work with MasterCard, we work with Fiat Chrysler in the automotive space, we work with Cisco in the engineering I.T. technology space, you know, Department of Defense, Pinterest.

These days, hackers can make a lot of money identifying security flaws for companies like these. The payout for finding a single, highly critical vulnerability can be tens of thousands of dollars, and some companies have paid out millions overall.

I know Verizon Digital Media actually just passed $7 million in bounties paid. Uber has paid out over $2 million.

Hacking for good is gaining traction and there’s big money at stake. So it may be time for the public to rethink its conception of what being a hacker really means.

Ever since computers have existed, people have been trying to break into them. Back when these machines were clunky novelties found only in universities and large corporations, hackers were commonly seen as tinkerers, technology enthusiasts who liked exploring and altering existing computer programs. They made improvements that helped move the industry forward. But with the emergence of the personal computer in the 1980s, cybercrimes became much more common. From the comfort of their living rooms, self-taught programmers learned how to break into and manipulate important systems, pirate software and spread viruses.

I broke into mostly websites belonging to corporations, governments, military agencies and just defaced them. I changed them.

A lot of people went to jail. Like a lot of people got nasty letters. A lot of people got knocks on the door. And that’s really the history of hacking that actually precedes this season that we’re in now.

Ended up getting arrested several times by the federal government for that. And they sent me to prison for 27 months, 10 months and 14 months. Three separate occasions.

Ellis began hacking in the 1990s, and DeVoss in the early 2000s. By then, the hacker stereotype was already well established, thanks to media like the popular 1983 movie WarGames, which revolved around a disaffected but intelligent teen accidentally hacking into a top secret military supercomputer and nearly starting World War 3. Even though the young protagonist wasn’t malicious, the idea that computer whizzes could gain access to systems like this terrified the public. After Ronald Reagan watched the film, he proposed a number of anti-hacking bills, resulting in the Computer Fraud and Abuse Act, which prohibits anyone from intentionally accessing a computer without authorization. And it hasn’t really been changed since.

So it is legal in the sense that if there is authorization, then at that point they have safe harbor. But outside of that, it is basically illegal.

Because the law doesn’t really define what “authorization” means, it isn’t exactly clear how it relates to our new reality, where cybersecurity is increasingly outsourced.

Security used to be something you fix internally. It’s very secretive, it’s not transparent, it’s not open. And we’re seeing a shift towards security becoming more and more collaborative and enlisting outside help.

For a company, enlisting this outside help often means starting a bug bounty program, in which corporations pay hackers who report bugs or vulnerabilities in their software. What’s believed to be the first of these programs came about in 1983, when a Silicon Valley startup called Hunter & Ready offered a free Volkswagen Beetle to anyone who identified a bug in its operating system. Over a decade later, in 1995, Netscape began offering more straightforward financial incentives for finding flaws in its popular browser, Netscape Navigator. The idea took a while to catch on, but by the mid-2000s, security companies iDefense and TippingPoint, as well as the Mozilla Foundation, offered similar programs. Other tech giants eventually followed suit, giving rise to a new crop of startups like Bugcrowd, HackerOne and Synack, which connect ethical hackers with companies offering bug bounty programs.

When starting one of these programs, a company simply describes what type of vulnerabilities they want to be notified of, what parts of their site hackers can test, and what types of testing are allowed. They also determine how much each bug is worth. Then the bug bounty platforms verify the legitimacy of the vulnerabilities, coordinate payouts to hackers and work with the companies to ensure that bugs are properly fixed, greatly reducing the burden on a company’s in-house security team.

On average, you get about a thousand dollars per find, and the highest bounty we’ve paid is $100,000 for a single vulnerability.

Companies pay a fee to use bug bounty platforms like HackerOne, but for the hackers themselves, these sites are free and easy to join.

You fill out your Twitter handle, your LinkedIn I.D., your GitHub I.D., you know, that’s really the starting point of how we figure out how to connect you with the right programs going forward.

Every time you file a vulnerability report to a company, you get scored by how good it was and how serious it was. And then you are collecting points, we call them reputation points. And then we can see in all these metrics how good they are, what their special skills are, and that’s how we can pick the right talent for every job.
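The program definition (scope, allowed testing, per-bug worth, platform-side verification) and the reputation scoring described above, as an added illustration in Python that is not HackerOne’s or Bugcrowd’s own code. The policy, the dollar tiers, the point values and the penalties are constructed for the example, and wildcard host patterns are an assumption about how scope is written.

```python
"""Bug bounty program policy plus platform-side triage (added illustration)."""
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Constructed example policy: what a company publishes when it opens a program.
POLICY = {
    "in_scope": ["*.example.com", "api.example.com"],      # assumption: glob patterns
    "out_of_scope": ["blog.example.com", "status.example.com"],
    "allowed_testing": {"web", "api", "mobile"},
    "forbidden_testing": {"dos", "social_engineering", "physical"},
    # what each bug is worth, keyed by the severity the triage team confirms
    "rewards": {"critical": 10000, "high": 3000, "medium": 1000, "low": 150, "none": 0},
}

# Constructed point scheme: reputation rises with confirmed severity and falls
# for reports that break the program's rules or turn out to be non-issues.
POINTS = {"critical": 20, "high": 10, "medium": 5, "low": 2}
PENALTY = {"rejected_out_of_scope": -2, "rejected_forbidden_testing": -5, "not_applicable": -1}


@dataclass
class Report:
    target: str            # hostname the hacker tested
    testing_type: str      # kind of testing performed
    claimed_severity: str  # what the hacker believes the bug is worth


@dataclass
class Hacker:
    handle: str
    reputation: int = 0
    history: list = field(default_factory=list)


def in_scope(policy, host):
    """Out-of-scope entries override in-scope wildcards, so blog.example.com is rejected."""
    host = host.lower()
    if any(fnmatch(host, pattern) for pattern in policy["out_of_scope"]):
        return False
    return any(fnmatch(host, pattern) for pattern in policy["in_scope"])


def triage(policy, report, verified_severity):
    """Decide a report's outcome; returns (decision, reward, reputation_delta).

    verified_severity is what the platform's triagers confirm after reproducing
    the issue; the hacker's claimed severity only influences reputation.
    """
    if verified_severity not in policy["rewards"]:
        raise ValueError(f"unknown severity {verified_severity!r}")
    if not in_scope(policy, report.target):
        return "rejected_out_of_scope", 0, PENALTY["rejected_out_of_scope"]
    if (report.testing_type in policy["forbidden_testing"]
            or report.testing_type not in policy["allowed_testing"]):
        return "rejected_forbidden_testing", 0, PENALTY["rejected_forbidden_testing"]
    if verified_severity == "none":
        return "not_applicable", 0, PENALTY["not_applicable"]
    points = POINTS[verified_severity]
    if report.claimed_severity != verified_severity:
        points -= 1  # constructed rule: overclaiming costs a point
    return "resolved", policy["rewards"][verified_severity], points


def submit(policy, hacker, report, verified_severity):
    """File a report, pay it out if resolved, and update the hacker's reputation."""
    decision, reward, delta = triage(policy, report, verified_severity)
    hacker.reputation = max(0, hacker.reputation + delta)
    hacker.history.append((report.target, decision, reward))
    return decision, reward


if __name__ == "__main__":
    me = Hacker("researcher")
    print(submit(POLICY, me, Report("api.example.com", "web", "critical"), "high"))
    print(submit(POLICY, me, Report("blog.example.com", "web", "low"), "low"))
    print(me.reputation, me.history)
```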
operating illegally, the fact that you could now make good money this
way seemed difficult to believe at first. I was introduced to bug bounties
in 2014, but I didn’t actually participate because it still seemed like it
was too good to be true. Because if I get in trouble for
hacking illegally again, it’s life in prison. And I wasn’t willing to take
that risk on something that was so new. Eventually though, hackers like
DeVoss realized these platforms were for real, and their networks
have been growing rapidly worldwide. We have half a million
hackers in our network. Half of them are 24 years or younger. Some of them are as
young as 15 or 16. They can be all over the world. They have endless curiosity. They like to outsmart systems. And they figure out how to break
in, before the criminals can do that. Today, over 1,400 organizations use HackerOne
and over 1,200 use Bugcrowd. Even though many of these organizations
have their own internal security teams, the complexity of software
these days pretty much guarantees they’ll still have some weak spots. I don’t think there’s ever been a
company that’s come onto the platform that has had just zero vulnerabilities in
it, no matter how mature it is. There’s always something, because
humans make mistakes. And in recent years, these mistakes
have led to some high profile disasters. Equifax paid a $700 million
dollar settlement to consumers for its 2017 data breach. And in 2019, Yahoo! agreed to pay an $117.5 million dollar settlement for a series
of hacks that exposed the personal information of up to
three billion accounts. If you have a data breach, the average
cost to you is $7 million dollars, and many have had breaches that have
cost them $100 million or more. We help averting the breaches by
fixing the vulnerabilities ahead of time. And the price you pay for that is a
fraction of a fraction of the cost of a breach. Research and advisory
firm Gartner estimated that globally, cybersecurity spending would reach
$124 billion in 2019. Overall, the high cost of
preventing and mitigating cybersecurity threats has spurred a wide range of
companies from United Airlines to the Department of Defense to Goldman Sachs
to adopt bug bounty programs over the past five years. Probably the turning point in adoption for
what we’re doing was when the Department of Defense launched the Hack
The Pentagon project, which we’re now very much a part of. So there you have the world’s
largest organization, with the most powerful weapons in the world, unlimited budgets,
and they’ve concluded that to be truly secure, they need
the help of hackers. And we’ve found already over
12 thousand vulnerabilities for the Department of Defense. That’s like the greatest part of it, is
being able to hack like the U.S. government and military, and not worry that
your door is going to get kicked in by a SWAT team anymore. Because that’s happened four
times to me. These days, rather than getting
arrested, DeVoss’s hacking obsession has made him wealthier than
he’d ever imagined. In total, he’s netted well over $1
million dollars over the course of his ethical hacking career. I’m at $840 thousand dollars
just on HackerOne for 2019. If you add in the other platforms,
then I’m a little over $900 thousand for the year. Only a select
few have matched his success. But their backgrounds provide an
interesting glance into a diverse network. We have six hackers today who
have made more than a million, and the first one to get to a million
was 19 year old Santiago Lopez in Buenos Aires. So no university education, no background
in a tech center in the world. Just endless curiosity, a good
sense of computers and mathematics and hard work. And
he earned a million. CNBC got Lopez on the phone
to talk about his accomplishments. At the beginning, when I started hacking,
I didn’t knew that I was going to make a million. It
was like impossible for me. So it was a very good surprise. But despite the incentives for hackers
and organizations alike, the grand majority of companies still
don’t offer bug bounties. Actually, most don’t even offer
any sort of vulnerability disclosure program, which would allow hackers to
report bugs without fear of punishment. A vulnerability disclosure program
is extremely similar to a bug bounty program. You’re still allowed to
hack into the system as long as you report it to them. The only difference is you don’t
get paid for your vulnerabilities. While this may seem like an easy
win for organizations, the most recent HackerOne security report revealed that 93
percent of companies on the Forbes Global 2000 list don’t
have any vulnerability disclosure policies. Without a proper channel
to report security issues. HackerOne says nearly 1 in 4 ethical
hackers have failed to disclose a vulnerability that they’ve found. Luckily, the industry is showing some
trends in the right direction. At the end of 2019, the
Cybersecurity and Infrastructure Security Agency issued a draft of a mandatory
directive that would require all government agencies to adopt
vulnerability disclosure policies. HackerOne and Bugcrowd hope this means
that more companies will follow suit. And to ensure that the talent
pool is able to meet the growing demand, both even offer their own
free educational initiatives to teach newbies the basics of hacking. The Internet is a pretty,
pretty gnarly place these days. And really what it comes down to
is that you can’t control what an attacker is going to do, but you can
control where your defenses are up to when they arrive. As for the
individuals on these platforms, they just want people to know that despite what
you may have heard about “hackers”, in the world we live in
today, they’re often on our side. They always see the hacker like the bad
guy, but he’s the good guy now. We’re here to help. We’re not just
some sketchy people in their mom’s basement who are out
there to cause damage. We’re professionals who work in the
industry who actually wanna make the companies better.

100 comments

  • If you are paid by the company to reveal vulnerabilities doesn't that make you an employee and not a hacker? The term 'ethical hacker' is an antonym, like saying that a soldier is an ethical murderer

  • I use Yandex and DuckDuckGo

  • Google "do something good" for the people lol

  • 12:14 literally just http://hackertyper.com/

  • The penalties for hacking are disproportionately harsh.

  • Walter Kai Yuen Pang

    you are not 'making the companies better' !!! you are making their systems 'more secure' !!!

  • Thanks for Uploading.

  • Everyone these people are preparing for something. Something big. In my city where crime isn't as bad as in the big city we have these military EQ too.
    I am guessing they are getting ready for a collapse of the country.

  • This is just outsourcing quality control so they don't have to put people on a payroll… Reduced overhead for the company but less jobs for technical experts. And the so called "Hackers" are getting robbed in the process…

  • When I hear hacker I think of hackers in a game

  • The word "hacker" always makes my ears cringe due to the fact that it's such a broad general term, like saying you work in "Construction" or a "Hospital", but since most people don't know the difference between http or https they are often portrayed as gods with no knowledge of the systems… There are so many different terms and words that are misconstrued and mispopularized. A hacker had a deep knowledge of network systems, not just someone that can run scripts or has a scamming organization in India to trump people into confirming their identity, preying on people's fear.

  • "White-hat hackers" are also called "software testers" and they've existed since computers were invented. The only difference here is they are independent contractors instead of full-time employees — so they don't get paid unless they find errors.

  • 11swallowedinthesea

    I know Hacking Text Markup Language.

  • So like Batman

  • I HAVE BLOCKED FACE BOOK AND GOOGLE, they are trash.

  • Maxime Lusignan-Laplante

    10 years ago there was a definition between hacker and pirate

  • Is this a joke? Hacking using a MacBook and Windows, bad idea. At least Linux

  • Unethical Hacker=Hoodie but Ethical Hacker=White Hat 🤔

  • If you cant beat them join them.

  • People love to be slaves, and they have to stay in the future.

  • I should have stayed a CS major lol

  • But Google & Facebook use their platforms to censor centrist or middle-right discourse to alter the outcomes of elections in support of far-left parties. That is a cancer to democracy, which can only survive when free speech can flourish.

  • Whole Food Plant-Based Man

    I miss the hackers who gave the world cheat codes in video games.

  • lol SO FAKE / actually think i will block this channel

  • Google: Hiring hackers
    Google's executive: "So I see you're running Gnome"

  • Thinking of those "ethical hackers", I wonder if they don't want to make a real change in this world for better and do something like Mr. Robot.
    Instead, they become just puppets of the system. (Alarms ringing at the NSA right now! 🚥🚥🚥😂)

  • Hacking 101

  • Skip ad.

  • This is 20 years out of date

  • Legal hackers? Haha now thats a good one

  • except… they don't.

  • If these hackers can come out with a software to prevent facebook and google from spying and stealing your data, they would earn more than what google and facebook is paying right now.

  • I have a wonderful solution – just shut down the stupid Internet. I know how life was before, and how we all lived together, and it was BETTER!

  • Welcome to the wonderful world of governments and huge amounts of stolen dollars, controlling The People with their own tax dollars.

  • ☠MrHairyNutz☠

    I wouldn't help any corporation or the government for that matter.

  • ☠MrHairyNutz☠

    This is how they identify hackers & the laws are vague enough you can still get arrested by the government which is how they use this as leverage for you to work for them.

  • My name My last name

    Yet most of us give our personal data willingly such as face book and using google to search?

  • As an entrepreneur, I would LOVE only paying software testers on a performance basis.. No HR, no benefits, no fuss.. Seems like a win win for Enterprise..

  • Those were Chinese hackers, now these are American hackers.

  • This is precisely why I'll never take the mark.

  • The company I work for was recently hacked using a randsomware program that essentially shut down normal operations… Since we work with the sick and disabled it really put hundreds of people’s lives at risk! I hope they find whoever did it and charge them with attempted murder! Though I doubt they will catch any of them since I’m sure the attack came from overseas.

  • The intro really had me cringing

  • Hopefully they don’t turn to the dark side 😂

  • I don't share what I learn that is true ethics I see and don't tell!

  • This NEWS and VIDEO is one of the BEST video and NEWS I have the HONOR to see and listen too.
    BRAVO, the media has woken up and is telling the true story, the FACT story and is not only CONTENT CREATION but education and INFORMING the population.
    GREAT VIDEO!!!!

  • I install a youtube adblocker on firefox and I feel like a hacker

  • Q: Why Companies Like Google and Faebook Pay Hackers Millions

    A: Antifragility

  • This company is a intelligence agencies dream come true!

  • yea guys exactly.. you are like neighborhood watch, you break in, steal and leave.

  • nothing ethical about the business practices of silicon valley.

  • Hypocrisy

  • the relevance of hacking 2020… OOOOOOKKKKKK

  • the hacker of the i love you virus the year 2000 / Onel de Guzman from the philippines where is he now?

  • I love you Angel Hackers !

  • Bugcrowd really made my life much easier.

  • Sounds horrible

  • hacking is illegal it doesn't matter who you are or work for not even gov

  • Welcome to 2020 CNBC… this is nothing new?

  • Imagine a Netscape operating system on all your smartphones today.

  • Not all hackers are bad! Ethical hacking is very very important now-a-days!

  • Wait until an "ethical" hacker finds a big enough vulnerability that outweighs the reward for reporting it.

  • When the hackers work for the corporations…who will save us from the_______?

  • Sucessful Billionaire

    What about video games I can get into them get free coins

  • why its illegal to steal money from these uber rich companies while they legally rob the poor ?

  • the govt should establish a hacking school to produce more white hackers

  • The knives are out for Bernie because they know he can win and he is serious about an attempt to change things.

  • ….Wealthy-Corporate Scams made legal for U DON'T GET PAID…FREE LABOR and Intellectual Property Theft.

  • Governor Of Habsburg Netherlands

    I

  • Governor Of Habsburg Netherlands

    Migraines

  • Big Daddy Toyota Corolla

    Was this written by a 13 year old kid who just watched a movie involving a "hacker"?

  • Oh look at me! I found a way to be plugged into the matrix, ohh, I mean corporation!

    I deserve this monopoly money for saving a trillionaire another billion dollars.

    Now that the corporation recognises my value and legitimises me, you would be plain ignorant to laugh and say I live in my mom's basement. I got a cool million bucks for tapping at my keyboard while watching Slavs bump uglies on one of my 5 screens.

    They don't need to offer me a place of work cos I don't need friends, fresh air or sunlight.

    I was one of the first hatchlings of the new breeding program to test if Autism wasn't simply left to nature but could be nurtured through our education system.

    Friends say I have mastered the talk-ward (talking awkwardly).

    Just me and my basement.

    Now that I have been entrenched into forever servitude, I mean assimilated! I'll be a good corporate shill for CNBC.

    ffs BORG!

  • To be honest these people are underpaid. If you don’t believe me go study to be an ethical hacker and you tell me how many people in the world can do what they do.

  • How did you come up with $600B/yr figure?

  • Imagine dating a hacker 😂 zero creeping

  • 12:15 – "You can't control what a hacker is going to do"

    Precisely; it's stated by someone ostensibly in this industry…yet I have yet to encounter a single "white hat hacking" company or any company seeking vulnerability identification/assessment, willing to listen to, much less pay for, the reality of what "hacking" entails and the vectors of attack that are almost always present in, if not encompassing the entirety of, a given real world hack.

  • For the consumer, this is a wolves in sheep's clothing scenario. Basically, in many of these circumstances, it’s keep your friends close and enemies closer. No wonder living off the grid is gaining more and more traction year upon year. Millennials eat your hearts out.

  • Any way to recover pictures and videos of my android phone after a force reboot ?

  • Did anyone else read the title as 2 separate things or is just me?…why companies like google…and…facebook pay hackers millions…is funny but it could be understood this way too

  • Wow, looks like a win-win

  • Ahh, good ol American cowardice and the political fear-mongering that takes such easy advantage of it… We have many different movies to thank for many different instances of both fear-induced over-reaction and advantageous politician capitalization for personal political benefit. Hell, Americas obsession with reality tv and perhaps fast food resulted in an unqualified, obese, fast food cramming reality tv show star with a lifetime history of corporate failure, bankruptcies, and underhanded scamming of contractors, small businesses, employees, investors, and even hard-working middle-class folks desperate to provide a better life for themselves and their families becoming president! Then that president claiming to be a conservative more than tripled the deficit for the exclusive benefit of the top 10% richest Americans! Ohh America, you truly are the "best & brightest" aren't you?

  • I am pro black hackers because companies are too ignorant on hiring good programmers that must make good secure software.

  • They need diversity in the team ….some countries have aggressive black hats

  • Santiago Lopez doesnt look like typical ol school hacker…in this new era they even wearing suits!

  • Only people who have 140 and above IQ can do that

  • So good hackers, please secure my phone from traitors of india.

  • Why Chinns are not under the ladar? From coast to coast go figure Trump negotiations

  • They aren't hackers, they're white hats or IT pros.

  • Really? 15,000 possible hacks of the Department of Defense? And they get like a trillion a year? That's unacceptable.

  • Thanks for having English captions or subtitles

  • Amazing information about raising hacking culture, and what all we can do just in one click at sitting in anywhere… keep making such crucial and informative content… CNBC

  • I like the idea of picking the lock of someone's front door, waltzing in ("ta-da!") and then asking for a reward for doing so.

    "Oh and I know this guy who makes awesome front doors"
