- White hat hackers legally hack into companies to help them find vulnerabilities and bugs, and organizations like Uber, Starbucks, Airbnb, Spotify, Atlassian, and even the Department of Defense are welcoming white hat hackers to help secure their systems.
- These hackers often are rewarded thousands of dollars through sites like HackerOne and Bugcrowd, or they may work inside a company on a “red team” by simulating attacks to help identify vulnerabilities.
- Here’s what it’s like to work as a white hat hacker, and how they got started in hacking.
For white hat hacker Jesse Kinser, cybersecurity is a lifestyle. In her day job, she helps protect her company’s products as LifeOmic’s product security director. When she goes home, after her child is asleep, that’s when she starts hacking.
As a white hat hacker, she breaks into systems – not to steal information, but to find vulnerabilities and bugs. Outside of work, she hacks to help protect technology companies, retail stores, health care companies, insurance providers, and even government entities. She’s hacked for companies like Starbucks, Uber, and Airbnb.
“Things are constantly changing, which keeps me engaged,” Kinser told Business Insider. “All these companies are building cool new products and I get to be the first to break them.”
Today, major organizations like Uber, Spotify, the Department of Defense, and Atlassian are increasingly using platforms like Bugcrowd and HackerOne, which welcome white hat hackers to break into those systems and reward them for finding bugs.
In return for finding vulnerabilities, these hackers are paid with something called a “bug bounty,” or a cash award for finding a bug. Kinser says she’s made thousands from these payouts. Some white hat hackers have even become millionaires through bug bounties.
The rise in companies opening up their systems to white hat hackers heralds a major shift in attitudes towards security. Companies are becoming more involved in the security community and actively engaging hackers to find or report security vulnerabilities.
It’s in the best interest of these companies too. Otherwise, they could face data breaches, privacy violations, or major financial loss.
Perceptions about hackers are also changing, says HackerOne co-founder and CTO Alex Rice. For example, former presidential candidate Beto O’Rourke was a member of one of Texas’s most high-profile hacking groups called the Cult of the Dead Cow, and few batted an eye at it.
“I think one of the really interesting things about the perception the hacker community has is how quickly we jump to a stereotype about what people say when they imagine a hacker,” Rice told Business Insider. “They imagine someone in their basement, usually a really antisocial individual, but when you look at the people who are participating in contributing value to the platform, the diversity of their backgrounds and the paths they took to hacking is really astonishing.”
‘Hacking and cybersecurity are a lifestyle’
Kinser has been hacking for 13 years now. In high school, she got her start in hacking when she programmed her watches to switch TVs on and off. In college, she started doing research on various security topics and eventually worked for the Department of Defense. She eventually ran the bug bounty program at Salesforce, and she started hacking there as well.
Now, after work, Kinser will usually spend time with her family. When her child goes to sleep, she starts hacking. She says if she finds something good, she may stay up until 2 a.m.
When Kinser is hacking a website, she starts by using it just as any person would, but with the motive of an attacker. She’ll create an account and think about where sensitive data might live. For example, on a retail site, people can create accounts where they enter their credit card information. She’ll try hacking those areas first.
“It’s a challenge,” Kinser said. “I always said hacking and cybersecurity are a lifestyle. I’m pretty much all in all the time.”
André Baptista, a 25-year-old professor at the University of Portugal, is also a white hat hacker who has made over $130,000 in bug bounties. He first got his start when he found a book in his father’s cabinet about programming. He would later study computer science in college.
However, he started hacking when he became involved in Capture the Flag (CTF), a hacking game in which players try to find vulnerabilities in simulated scenarios. He was the captain of his university’s CTF team and qualified for a hacking event in Las Vegas, but after this, he says his “life changed completely.” At the event, he didn’t find any bugs.
“I was a little disappointed with myself because I was good because I qualified in the first place, but I didn’t know how to hunt for real world vulnerabilities because I was used to simulated scenarios,” Baptista told Business Insider.
From then on, he resolved to learn to find actual bugs, and he started practicing every day. About two or three years ago, he learned about HackerOne and realized he could use it to find actual vulnerabilities. In February 2018, he found his first real bug.
“The payouts are really amazing as well,” Baptista said. “My life has changed completely because of HackerOne.”
Both Kinser and Baptista frequently travel to attend hacking events. Baptista says his job gives him lots of flexibility. After doing his master’s degree, his university kept him on as a professor. He can teach classes, and every month, he can fly somewhere to attend a HackerOne event.
Still, he says he sometimes feels pressure when other hackers find bugs at events, and he doesn’t find any. Other times, it’s the other way around.
“I love to be in multiple places,” Baptista said. “I love to do some hacking when I’m working at the university when I have some spare time between meetings and classes…When I go somewhere like London, Amsterdam when I go there, I’m very inspired because I have no other distractions and I can hack and find some critical bugs.”
The red team
White hat hacking also happens within some companies. Brianna Malcolmson leads Atlassian’s Red Team, which looks at threats that could target Atlassian and then simulates them. The term red team started in a military context, when countries would run simulations of what the opposition could do.
The team runs attacks on Atlassian, such as a phishing attack to get someone to install malware. Besides finding and gathering data about vulnerabilities, it educates the company about security, the kinds of risks it can face, and how each employee can get involved in improving security.
Atlassian also has a blue team, which practices and trains for what happens if there’s a security incident. The blue and red teams have something of a rivalry, Malcolmson says. While the red team has to work hard at not getting tripped up by the protections the blue team puts in place, the blue team has to work at protecting the entire company.
“Really in the last five years, the number of internal red teams have gone up a lot,” Malcolmson told Business Insider. “Red teaming was a thing in the military since the 60s and 70s. It’s expanded more recently into tech companies. Now there are more red teams at all the Silicon Valley tech companies than before.”
Malcolmson says that even though the red team has an adversarial relationship with the blue team, it’s actually quite friendly.
“We see ourselves as serving the company and serving the needs of not only all Atlassian teams, but specifically of the blue team,” Malcolmson said. “When we give our results, we always try to take it from a place of, we did some bad things but no blame is being assigned …We want to keep it a learning experience.”
‘Essentially good guys who think like bad people’
Rice says that even as little as five years ago, hacking was synonymous with being a criminal.
“The people who had these skills were largely pushed underground,” Rice said. “The folks who did it did it out of a labor of love. It wasn’t the most obvious way to create a living. It was really a smaller community that was overwhelmingly people who were there because they were passionate about making technology secure.”
Casey Ellis, founder and CTO of Bugcrowd, says white hat hackers are “essentially good guys who think like bad people.” Bugcrowd brings these hackers together to hunt for vulnerabilities.
“This is a concept that the average lay person can understand,” Ellis told Business Insider. “Try explaining firewall to grandma and she will possibly get it but more likely glaze over, whereas this idea of neighborhood watch for the internet, that’s a pretty intuitive concept.”
Security is now a critical conversation for any company. One mistake companies can make is having developers build around the cloud to rush products to market without thinking about security.
“It’s pretty crazy to think about how you would have hackers partner with enterprises but that’s exactly what’s happening today,” Rice said. “We’re able to be more transparent about it. We’re able to teach people how to hack in an environment that’s underground. We’re able to compensate people for it fairly. We’re embracing hacking as a necessary and critical step.”
Although hackers may come from all walks of life, there’s still a lack of diversity in the hacking community, as it’s still predominantly men. According to a Bugcrowd report, only 4% of the global hacker community is female.
Kinser says it’s sometimes discouraging when she goes to a hacking event and is the only woman, but it also motivates her to do outreach programs or work with HackerOne to invite more women.
“Instead of getting super discouraged about being one woman being the only woman in a room of 50 men, I try to use that to reach out and encourage participation,” Kinser said. “Even in my day-to-day job, it’s mostly men.”
How to start hacking
To get started in white hat hacking, Kinser suggests reading hacking reports and learning about how hackers break into a system. She also suggests learning to build applications yourself, which can teach where security holes may lie.
“You don’t have to be an expert, but if you’re hacking a website, you need to know how a website works before you try to break it so you can understand how it works,” Kinser says.
Likewise, Baptista recommends learning to program and trying to build web and mobile apps. He also says people should start doing CTFs, which is where he got his start in white hat hacking.
For questions about hacking, there’s a large community of white hat hackers online.
“That’s a key thing that’s usually overlooked,” Kinser said. “You think of people who sit in a corner and work by themselves. Sometimes it is that, but at the same time, we lean on each other too. That’s what’s so powerful about these hacking events. Reach out to people in the community and ask questions. Don’t be shy to do that.”
Her biggest piece of advice is: don’t be intimidated.
“Everyone has to start somewhere and this can be a daunting industry so you just have to jump in,” Kinser said. “Most importantly, learn from each other.”