Mårten Mickos, CEO at HackerOne: Attitudes towards the ethical hacking community are changing – about time too

No-one could have predicted the path 2020 took and the subsequent acceleration in digital transformation for businesses. This year we have seen an explosion in collaboration tools and online services in a move to offer new and improved remote experiences. However, in turn this has opened up millions of new attack surfaces, which cyber criminals have taken as an opportunity to exploit. The pandemic has caused complex challenges around the world, and this is no different in the cyber security landscape. The National Cyber Security Centre (NCSC) issued advisories throughout the year and recently it was reported that approximately a quarter of all cyber incidents in 2020 were related to the pandemic. Findings from our own Hacker Powered Security Report found similar trends to the NCSC – with 30% of organisations reporting a rise in attacks since the pandemic.


As a result, we are starting to see more organisations choosing to work with the ethical hacking community to strengthen their defenses. Attitudes towards hackers soften with every passing year and we are now at a tipping point where more often than not hackers are seen as a force for good. It certainly is very telling that the US government, considered as quick to prosecute, is now embracing hackers via mandates such as the recent CISA BOD. The US’s Cybersecurity and Infrastructure Security Agency (CISA) issued a Binding Operational Directive (BOD) in September which in a nutshell requires US federal civilian branches to develop and publish a vulnerability disclosure policy (VDP). Having a VDP programme is no longer optional for these agencies. This is the first step in what I believe will be a chain reaction in organisations adopting vulnerability disclosure practices. The initial mandate starts with federal civilian agencies, and I expect state, city and international governments, and even intelligence agencies, to follow. You could argue that the military was the very first to embrace this approach four years ago with the Hack the Pentagon project and the subsequent VDP challenges and bounty programs run by the army and air force.


Overall, while 2020 has undoubtedly brought challenges, we have also seen many people step up and exceed expectations. People have been bolder, smarter and more positive than might have been expected under the circumstances. For instance, we’ve seen 20 year old hacker, Jack Cable, write opinion pieces to the government, arguing for embracing the friendly hacker community to secure the foundations of democracy.


By the end of 2021 there will be few non-digital organisations. There will be many more that are starting to be digital, plenty in the process of cloud migration and a growing number of organisations that are cloud native and have been digital from the start. The COVID-19 pandemic has forced change and, as we become more digital, we need the ethical hacking community’s skills and expertise to become more secure.


I predict that in five years time the first hacker will pass the $10 million in earnings mark. Even with increased competition, bounty prices continue to rise and more and more businesses will be offering programs to support vulnerability reporting. By 2025 it is my expectation that it will be the exception to perceive hackers as negative.