Since its founding, HackerOne has been on a mission to empower the world to build a safer internet. HackerOne helps over 800 diverse organizations collaborate with the hacker community to produce more secure technology. We believe every organization that creates connected technology needs a Vulnerability Disclosure Policy. This rings especially true wherever a security incident would place the safety of others in jeopardy.
Because of the important role vulnerability disclosure plays in the collective security of the Internet, the thought that HackerOne would disable an organization’s security@ email or refuse to host a vulnerability disclosure policy has been unthinkable.
Last week a situation was surfaced by several in the community that exposed a special case and cause for us to reexamine our policies. We’ve been listening to these diverse perspectives and have found excellent arguments on both sides. We also sought out expert opinions and advice from legal experts, advisors, hackers and our customers.
This blog aims to clarify HackerOne’s position and encourage transparency and discussion on our policies.
On April 24, consumer spyware company FlexiSPY tweeted plans to move their bug bounty program to HackerOne. Like many in the community, this tweet is how we were alerted to their intention to move their program. We are not currently hosting their program.
This situation has had a positive impact on our internal process and given us the opportunity as a company to have a healthy conversation around where we draw the line in instances where a customer does not align with our values.
Should FlexiSPY be permitted on the HackerOne platform?
In Favor: Companies should defer judgement to the courts rather than make arbitrary moral judgements. Relying on companies to be arbiters of morality sends us down a dark path. Besides, until the courts intervene, an open market will continue to enable FlexiSPY to operate a bug bounty program in some form or another.
Against: There is clear evidence and broad public consensus that FlexiSPY is operating illegally, but the wheels of justice turn too slowly. HackerOne should do the right thing – act now.
In Favor: Vulnerabilities are universally bad. As long as FlexiSPY is permitted to market software designed to spy on kids and victims of domestic abuse, vulnerabilities will put those individuals at risk. It is impossible to confidently predict the collateral damage of an exploited vulnerability. On balance, if someone is infected with spyware they’re probably better off infected with secure spyware.
Against: Vulnerabilities are universally bad. But fixing them benefits the spyware company more than it protects the victims. On balance, these victims are minimally impacted by vulnerabilities so fixing them predominantly helps the spyware vendor. Exploited vulnerabilities might even lead to the spyware being detected and removed sooner.
In Favor: FlexiSPY has not published a vulnerability disclosure policy or committed to no legal action against hackers. Both protective steps would be required should their program be hosted on HackerOne.
Against: Enabling a spyware company to market their product security as “Secured by HackerOne” directly supports their sales efforts and leads to further distribution and victimization.
These are powerful arguments with deep implications. While many individuals that we greatly respect in the community have been quick to draw the line, we chose to take more time to deliberate the issue. We know that wherever we draw the line, the decision will have implications far beyond this one case.
Where we draw the line: Connecting to the HackerOne community
HackerOne currently has two core offerings:
Security@ – Hosting vulnerability disclosure programs for security response and PSIRT teams.
Bug Bounty – Enabling companies to connect with top hackers from the community to proactively improve security.
We continue to believe that every organization must have a vulnerability disclosure program. Everyone benefits when organizations establish open lines of communication with the hacker community. But the community’s feedback has caused us to question if this policy should continue to be extended to bug bounty programs as well.
Going forward, it will not.
HackerOne will always make vulnerability disclosure programs available to all organizations that operate legally and commit to working with hackers in good faith. These organizations are welcome to host their security@ on the HackerOne platform. We will not take action against them based exclusively on moral judgements.
However, engaging proactively with the HackerOne community through a bug bounty program is a privilege that is only afforded to organizations that conduct themselves in an ethical manner. In our assessment, FlexiSPY actively infringes upon the rights of others and markets on questionable legal premises. Their business conduct is not in line with our ambition to build a safe and sound internet where the sovereignty and safety of each participant is respected. As such, FlexiSPY will not be permitted to host a bug bounty program on HackerOne.
It is our hope and belief that this policy strikes a closer balance between our responsibility to secure technology and our responsibility to not enable further illicit usage and propagation of that technology. You are an important part of helping us navigate our responsibilities in this area. Any and all feedback is welcome and genuinely appreciated.
Marten Mickos, CEO – HackerOne
Alex Rice, Founder and CTO, HackerOne