SFCS: We Talk to HackerOne's Bug Bounty Advisor Rena Chua

Welcome to 2020, hacking enthusiasts! Christmas is over, we've celebrated the New Year, and we're all a little heavier and looking forward to January being over. At MyHackerTech we've been busy talking to influential people in the cybersecurity field to provide more great (and hopefully useful) content for our Stories From Cybersecurity series.

This time we talked to Rena Chua, Bug Bounty Advisor for HackerOne. We hope that by reading Rena's story you deepen your understanding of the many routes into the cybersecurity industry, get an insight into her role, and come away with some useful resources. Let's take a look.

NANCY: How did you become a bug bounty advisor?

RENA: I am endlessly impressed by the hacker community and what they can accomplish. It is so gratifying that a nineteen-year-old in Argentina and a software engineer in Singapore can collaborate from across the globe with a common goal of defense. This diverse, creative, and expansive community is what drew me to HackerOne, and the business model of crowdsourcing these individuals to hack for good is what inspires me.

NANCY: What skills do you think are necessary to become a good bug bounty hunter?

RENA: The majority of our hackers continue to learn their skills outside of the classroom. According to last year’s Hacker Report, training continues to take place outside the classroom with 81% of our hackers learning their craft mostly through blogs, self-directed educational materials and publicly disclosed reports. Only 6% have completed a formal class or certification on hacking.

Most hackers enjoy the process of sharing their research. That is why many of our hackers learn their skills via continuous learning — reading blogs, books, and collaborating with other hackers. To be a good bug bounty hacker, one must really enjoy the intellectual challenge, be curious, have a thirst for knowledge, and have perseverance, as finding your first critical bug won’t happen overnight.

Ethical hacking is a relatively new concept in Asia-Pacific (APAC), and we have an untapped pool of talent waiting to be fostered. It's a personal challenge to discover how we can educate the companies in APAC on the benefits of hacker-powered security, build trust in the region, and groom the next generation of ethical hackers. With bounty rewards only given for real-world security bugs, this business is a win-win situation for both organizations and hackers, and I look forward to seeing where we can take it.

NANCY: What are the main benefits of a hacker-powered security program?

RENA: Businesses process more sensitive data and more personal information than ever before, and all software has bugs. It’s human nature. The challenge is identifying the security holes and taking the actions necessary to fix them before the bad guys exploit them. The answer lies in inviting those who can think like attackers but will act as your defenders: friendly hackers.

At the same time, software development lifecycles are increasingly continuous. As companies work overtime to push code, criminals work overtime to find ways to break in. For security teams, it can often feel impossible to scale security with product development. Innovation is outpacing traditional security measures. Working with hackers allows you to provide security at the speed of innovation.

Even if a team has some of the brightest minds on board, there’s nothing like opening up your work to the rest of the world; you are guaranteed to learn something. By working with a global community of hackers, any organization — big or small — can get around the clock coverage and they only pay for the vulnerabilities that actually exist in their infrastructure, not the hours put in.

NANCY: How do you see the cybersecurity industry changing over the next decade?

RENA: Hacker-powered security is an increasingly global trend in cybersecurity. The number of hacker-powered security programs has grown by at least 30% in each region of the world, with Latin America leading the pack again with year-over-year growth of more than 41%, followed by North America (34%), EMEA (32%), and APAC (30%).

At the same time, Federal Governments across the globe had the strongest year-over-year industry growth at 214%, and last year saw the first launch of programs at the municipal level. This strong growth was higher than any other industry and, with recent legislation to encourage hacker-powered security across the globe, we only expect growth in the government sector to increase in the decade to come, with organizations like Government Technology Agency of Singapore (GovTech) and the Ministry of Defence (MINDEF) leading the pack, having already worked with 189 hackers across five Government Bug Bounty Programs (GBBPs).

NANCY: Do you have any advice for aspiring bug bounty hunters? Do you have any recommended reading or resources?

RENA: Yes! While spending money on paid programs can be worth it as a supplement to learn more and learn faster, the number one way our hackers learn is from reading other publicly disclosed vulnerability reports. Any hacker signed up on HackerOne can read publicly disclosed vulnerability reports on our Hacktivity Feed, which is a good way to keep up with the latest research. In addition, reading Peter Yarwoski’s Web Hacking 101 eBook is also a recommended read for new hackers, as it is based on real vulnerability reports disclosed on HackerOne’s Hacktivity pages.

There are many free resources out there that we encourage new hackers to check out. We always recommend our own HackerOne blog post, “How to become a successful bug bounty hunter”; “Getting Started in Bug Bounty” by Sahil Ahamed, Security Engineer at Zomato; “Resources for Beginner Bug Bounty Hunters”; and the following video “How to get started in bug bounty - 9 X Professional Tips”

And for training, we always recommend the following training tools: Hacker101, which includes several Capture-the-Flag exercises and more; Cybrary, a free platform for cybersecurity training; HackEdu, which offers free and paid interactive web application security training courses; and Bug Hunter University, Google's Bug Hunter University.