Every business knows that maintaining security requires the first pillar: the right employees. Some businesses know that these employees also need the second pillar: the right tools, such as Acunetix and Invicti. Still, not enough businesses know how to deal with hackers, and some choose to look the other way.

In light of the two recent payouts considered the biggest in history ($10M in May and $6M in June) and the growing threat of cyber-warfare, let’s look at why many hackers prefer to work independently and why companies find such huge payouts worthwhile.

Can I trust a hacker?

The biggest problem that companies have when working with external security experts is trust. The media still use the term hacker mostly in a derogatory way, and many people perceive hackers as kids who break into systems for fun or as criminals. This could not be farther from the truth, or from the original meaning of the word.

Hackers are independent security experts: the freelancers of the security world. Instead of working full-time on your internal security team, they prefer to work from home for many companies at once. And more and more companies want to work with them.

Why do security experts choose to freelance?

The worldwide demand for security experts is huge. You would think that everyone with the right skills and experience could find a good job in this field. However, this is not the case in every country. Some of the most skilled hackers come from countries where the IT industry is heavily underdeveloped. To find regular full-time employment, they would have to migrate, often leaving their current life and/or family behind. Many of them are not ready for such a decision, so they prefer to work remotely.

Despite the shift to remote work brought on by the COVID-19 pandemic, many companies don’t offer full-time remote employment because of tax regulations. Instead, they propose permanent B2B contracts under which the hacker would have to register as a freelancer in their country of residence. Faced with such a situation, many hackers prefer to freelance for many clients instead of getting stuck with one.

Why is bounty hunting difficult?

The world’s biggest IT corporations are the most security-conscious. Companies such as Google, Facebook, and Microsoft are fully aware of the value of hackers. They have public-facing vulnerability disclosure policies (VDPs), well-managed procedures, substantial bounties, and they pay on time. Working with such a partner is a pleasure, but the competition is huge, so it’s difficult to score a bounty.

Smaller software manufacturers, on the other hand, pose a different problem. Most of them have no VDP in place at all. When freelancers find security problems and contact such businesses, they are sometimes treated in an unpleasant way, ranging from ghosting, through denial, all the way to threats of being reported to the authorities! That such treatment happens at all is very disappointing – it should not be the case in the modern IT world.

The adoption of vulnerability disclosure policies is on the rise, but mostly among enterprises. Governments are also among the leaders in adoption. In this respect, smaller companies have a lot to learn from big organizations.

How to work with hackers?

If you want your assets to be secure and you still don’t have a public-facing vulnerability disclosure policy, you should rethink your position as soon as possible. The exponential growth of the market means that the demand for IT security personnel will keep rising. With more and more companies creating VDPs and offering bounties, hackers will have even more incentive to stay independent. All in all, in the future you may have no choice but to work with freelancers, because almost nobody in this field who is available for work would be interested in full-time employment.

The most important thing to understand when working with hackers is that their goal is not to harm your business. If it were, they would not be hackers but criminals, and they would not contact you about a vulnerability but take advantage of it. Their goal is to earn a living by helping you resolve your problems. If you don’t treat them right, they will publish the findings anyway and spread the word, so other hackers won’t touch your product (but criminals will).

Embrace the third pillar

If there were no hackers, there would be no Acunetix or Invicti. There would be no IT security at all. All the best tools on the market were created by hackers and then developed into comprehensive solutions. All vulnerability scanner vendors still need hackers and hire them (as part of their teams or as freelancers) to supply you with new vulnerability detection techniques – we do, too.

That is why Invicti is passionate about the hacking community and about bringing businesses and hackers together. Our products are designed to help both businesses and freelancers. By automatically detecting known classes of vulnerabilities, we make it possible for freelancers to focus on new discoveries. By integrating with other systems, we help businesses assess and manage all their vulnerabilities easily.

To have the best security policy possible, use all three pillars. Hire the right team to form the core of your internal work. Get Acunetix or Invicti to take the load off that team and make their job much easier. And last but not least, publish a public-facing vulnerability disclosure policy so you can work efficiently with external experts.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Principal Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz was the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.