HackerOne listed our founding vulnerability as an NFT on OpenSea and donated the proceeds — 3.3 ETH / $7,086.19 — to Hack the Hood. Today, we sat down with co-founder Michiel Prins to talk about why we did this, what this means, and what’s with the cake.
What is this founding vulnerability, really?
Reported July 27, 2011, the founding vulnerability is the first vulnerability report Jobert and I ever submitted to Facebook, even before the company had established a bug bounty program. It was a simple Cross-Site Scripting (XSS) in Facebook Mail — the predecessor of Facebook Messenger. Perhaps more importantly, this is how we met our co-founder Alex Rice, which ultimately led to the founding of HackerOne in 2012! I guess you could say the rest is history.
- After the introduction of the Facebook bug bounty program, the committee decided to retroactively award us with $3,000 for this XSS.
- This demonstrates the Wild West of Cross-Site Scripting, pre-dating widespread adoption of Content Security Policy.
- This also pre-dates origin sandboxing on iOS when content is served with the “Content-Disposition: attachment” header. In older versions of iOS this content would execute in the same origin. Just think for a moment about how unreal that sounds in 2021. We’ve come a long way, internet!
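As an added illustration (not code from the interview or from HackerOne), a small audit of the response headers used when serving user-supplied content such as mail attachments. It checks for the two defenses the answer above refers to, a Content Security Policy with a sandbox and a Content-Disposition of attachment, plus the X-Content-Type-Options: nosniff header that commonly accompanies them; the sample responses are constructed.

```python
# Added example: audit response headers for an endpoint that serves untrusted,
# user-supplied content (e.g. an HTML mail attachment). Findings describe why
# each missing header matters; an empty list means all checks passed.

def audit_untrusted_content_headers(headers: dict) -> list:
    """Return a list of findings for one HTTP response (header names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # Content-Disposition: attachment keeps modern browsers from rendering the file
    # inline, but as the interview notes, older iOS executed it in the same origin,
    # so it is not an isolation boundary by itself.
    if not h.get("content-disposition", "").lower().startswith("attachment"):
        findings.append("Content-Disposition is not 'attachment': content renders inline")

    # Without nosniff a browser may sniff a non-HTML type as text/html and run script.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    # A CSP with 'sandbox' gives the response a unique opaque origin, which is what
    # actually isolates the content; script must also be blocked.
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("no Content-Security-Policy: inline script in the content can run")
        return findings
    directives = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    if "sandbox" not in directives:
        findings.append("CSP lacks 'sandbox': content still runs in the serving origin")
    if directives.get("script-src") != ["'none'"] and directives.get("default-src") != ["'none'"]:
        findings.append("CSP does not block script: set script-src 'none' or default-src 'none'")
    return findings


# Constructed sample: how such content was commonly served around 2011.
LEGACY_MAIL_ATTACHMENT = {
    "Content-Type": "text/html",
    "Content-Disposition": 'attachment; filename="message.html"',
}

# Constructed sample: the same file with the defenses layered on.
HARDENED_MAIL_ATTACHMENT = {
    "Content-Type": "text/html",
    "Content-Disposition": 'attachment; filename="message.html"',
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; sandbox",
}
```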
What is an NFT?
NFT stands for non-fungible token.
Fungible means something can be exchanged or substituted and can hold the same value. It’s interchangeable, like the dollar, gold, bitcoin, or poker chips. Non-fungible is an asset that can’t be substituted and it has unique attributes that make it different from something else in the same asset class. In the physical world, think of the Mona Lisa. It’s a painting (asset class), but it is one of a kind (non-fungible). A token is a digital certificate stored on the blockchain. Therefore, non-fungible tokens are unique digital assets publicly authenticated on the blockchain, like Nyan Cat and the NBA’s Top Shot clips. In this case, a one-of-a-kind piece of art depicting our founding vulnerability.
Why did you do this?
HackerOne was founded with three core visions:
- Ignoring hackers will be viewed as negligence.
- Cybersecurity must be collaborative.
- Transparency breeds trust.
Today, the hacker community has now grown to over one million registered hackers, representing the community’s exponential potential. In the past year, hackers reported over 50,000 valid vulnerabilities to organizations, with a 63% increase in the number of hackers submitting valid reports in the past year alone. Hacking became a new and safe hobby for many in the midst of the pandemic. Ten hackers have already earned over one million dollars. Many more hackers on the platform are hacking, mentoring, and growing together as part of the learning community on Hacker101. This community exemplifies the impact collaboration can have on organizations and emphasizes the importance of investing in the future of hacking.
Being open to working with hackers is becoming systematized by industry and regulatory bodies, with the US making hacker-powered security mandatory for all federal civilian agencies and NIST and the Internet of Things Cybersecurity Improvement Act listing the implementation of a vulnerability disclosure program (VDP) as a core part of building an effective cybersecurity strategy.
We are building a culture of knowledge-sharing and community, breaking the mold of traditional, secrecy-based security. Every day, hackers make organizations from the biggest corporations, to the fastest start-ups, to the most sensitive government and defense institutions demonstrably safer.
As we approached our Incorporation Day, April 19, we wanted to get back to our roots. What better way to do this than to invest in future hackers through a donation in STEM education, and celebrate everyone who has been a part of our journey with a one-of-a-kind NFT?
But what do NFTs have to do with it?
There are so many fascinating parallels between the world of blockchain and the world of hacker-powered security. Both seek to level the playing field — democratizing access and removing the need for prior experience. Economic opportunity is a key tenet — enabling participation across the globe. Transparency is key — transactions in cryptocurrency are public, traceable, and permanently stored, just as vulnerability disclosure is core to strong security. Both are about empowerment — bringing power to the individual or the researcher. The opportunities and applications for both are endless.
While both hacker-powered security and blockchain technology have surpassed countless milestones, this is only the beginning, and the best is yet to come.
So you mentioned a donation. Where did you donate to and why?
Selected by the global hacker community, all proceeds from the sale went to Hack the Hood, a non-profit that provides programs, resources, and opportunities to youth from Black, Latinx, and Indigenous communities to help them learn the skills to achieve economic mobility and succeed in tech careers and community building.
So what’s next for HackerOne in its ninth year?
Our CEO Marten Mickos said it best:
In 2021, expect new product enhancements that empower customers and hackers to make the internet safer. Be on the lookout for bold new investments in areas untapped. And be ready to collaborate with the world’s most trusted hacker community, because together, we hit harder.
So, what’s with the cake?
I’ve gotten a lot of questions about the cake over the past 24 hours. For those who asked, at age 17, after a nudge from our parents to keep us out of trouble (hacker gotta hack, right?), Jobert and I started a security consultancy company. Companies could pay us to break their systems and we’d tell them how we did it. You can imagine that most companies over a decade ago wouldn’t contract two 17-year-olds for security research though.
To generate business, we would visit local entrepreneur happy hours that we knew were well attended by people from the IT industry. We needed a way to persuade them into letting us look at their systems. We came up with an offer they couldn’t refuse: we look at your website for 30 minutes and if we don’t find anything, we’ll buy your team a cake. But, if we do find a way to hack your site, you invite us over for a meeting with cake. Who doesn’t love cake?!
News of our cake deal spread. We ended up with a lot of cake as well as a solid reputation in The Netherlands. By age 20, our customers ranged from large international organizations and governments to small, innovative startups.
Spoiler: We never bought a target cake.
Any last words for the buyer and bidders?
Thank you for your support over the past nine years, and especially today. The hacker-powered security industry is what it is today because of you. As I said, the opportunities are endless, and I can’t wait to discover those alongside hackers and believers like you.
Figure: HackerOne’s Founding Bug NFT owned by BugBountyHunter on OpenSea