HackerOne - Experts & Thought Leaders

Latest HackerOne news & announcements

HackerOne's guide redefines cybersecurity ROI metrics

HackerOne, a pioneer in finding and fixing critical vulnerabilities and AI safety issues, published When ROI Falls Short: A Guide to Measuring Security Investments with Return on Mitigation, a report that revealed security leaders' negative perceptions of ROI as a measure of cybersecurity value. The whitepaper also introduced Return on Mitigation (RoM), a new metric that helps security leaders quantify the financial value of protecting their businesses from cyberattacks.

Cybersecurity budgets

As the average cost of a data breach grows to nearly $5 million in the US, challenges in quantifying return on investment (ROI) for cybersecurity products have led to decreased cybersecurity budgets. ROI remains the gold standard for justifying cybersecurity spending and measuring investment efficacy, yet most security leaders say applying it to cybersecurity presents challenges.

Hardest part of ROI

“The hardest part of ROI in security is quantifying it,” said one VP of Security at a Fortune 500 manufacturing company. “It's challenging to measure the cost of a vulnerability or compare solutions, especially when considering factors like reputational damage, downtime, and revenue impact.”

HackerOne's report

In HackerOne's report, 550 security leaders, including CIOs, CISOs, and security directors, revealed:

ROI overlooks incident response and long-term stability, which over three-quarters of security leaders (77%) prioritise in evaluating their cybersecurity approach.

Sixty-nine percent of security leaders also believe ROI overemphasises direct costs and fails to account for indirect costs like incident response and training.

More than half of security leaders stated that ROI fails to consider enough factors contributing to cybersecurity value, including cost savings from avoided breaches and non-financial benefits like protected brand reputation and customer trust.

Value of security investments

“When it comes to breaches, we all intuitively know that an ounce of prevention is worth a pound of cure,” said Alex Rice, co-founder and chief technology officer at HackerOne. “But without the right metrics, it's hard to advocate for the value of security investments. Return on Mitigation reframes proactive and preventive work as a value driver.”

Impact of cybersecurity initiatives

RoM is a metric that security leaders can use to gain a more holistic view of the financial impact of cybersecurity initiatives and to communicate to executives and board members how cybersecurity efforts align with an organisation's financial goals. RoM's formula quantifies the financial impact of proactive cybersecurity investments by measuring the financial losses from a breach that were avoided: the costs prevented by mitigating risks such as regulatory fines, legal costs, reputational damage, and business disruptions.

Security investments

“Return on Mitigation's (RoM) data-driven approach allows us to demonstrate the real impact of proactive mitigation to the board, ensuring our security investments not only protect the bottom line but also strengthen customer trust,” said Rossini Moraes, Information Security Manager at Inter&Co.

“RoM allows me to justify a $300,000 investment against a potential $5 million critical breach,” said a Head of Cybersecurity at an enterprise financial infrastructure provider. “(With this metric), I can show how mitigating vulnerabilities through continuous, offensive security testing can prevent costly breaches and justify the spend.”

HackerOne customers can experiment with RoM using the platform's AI copilot, Hai.

HackerOne boosts security with Hai updates

HackerOne, the cybersecurity company dedicated to eliminating vulnerabilities through continuous testing, announced updates to its intelligent copilot, Hai. Hai's new program insights synthesise data across a customer's programs, giving them instant understanding and actionable summaries of performance, results, and trends. Now more seamlessly integrated into workflows, Hai continues to help customers save time by making it easy to understand comprehensive program data, improve team communication, and automate tasks for efficient vulnerability management. Customers are also using Hai more than ever, with adoption surging nearly 500% since April.

Impact on security programs

“Speed is critical for remediation, yet a lot of vulnerability management tasks are still manual and disjointed. Context gets lost, and security teams waste time searching for the information they need to make strategic decisions,” said Michiel Prins, Co-founder and Senior Director of Product Management at HackerOne. “Hai's program insights solve this by giving customers instant visibility into the right trends so they take action on what will make the biggest impact for their security program.”

Human-in-the-loop approach

Hai's human-in-the-loop approach enables customers to take faster strategic action while eliminating repetitive, manual tasks during vulnerability management. With Hai's support, customers:

Strengthen their understanding of program data. Hai can summarise lengthy vulnerability reports into actionable takeaways. Program insights offer at-a-glance visuals to quickly benchmark performance against platform data or detect patterns like recurring security risks for more consistent remediation strategies.

Improve communication and collaboration across stakeholders. Hai offers writing assistance to help customers craft clear and concise messages to security researchers and internal teams, including language translations, grammar, and tone suggestions.

Accelerate remediation with contextual suggestions and custom Hai “Plays.” Hai automatically adapts to offer relevant follow-up suggestions within existing workflows for deeper insights. Hai Plays also eliminates repetitive tasks by allowing teams to build custom workflows informed by their organisation's unique domain knowledge and business processes.

Automate workflows across the software development lifecycle. Hai can generate custom vulnerability scanner templates, including Nuclei and Burp Suite, to improve scanner consistency. Hai also integrates with HackerOne Automations for dynamic automation that adapts to changing conditions, reducing manual program work.

Cybersecurity posture

“When it comes to vulnerability management, we're always looking for ways to make the process more efficient,” said Clara Andress, Bug Bounty Operations Manager at Zoom. “Hai gives us actionable suggestions that have eliminated busy work, so we can complete tasks faster and think strategically about continuously improving our overall cybersecurity posture.”

Hai helps customers get the most out of the HackerOne Platform, which offers bug bounty programs, vulnerability disclosure programs (VDPs), pentest as a service, and AI red teaming.

Hai's actionable suggestions

This year, HackerOne has accelerated Hai's evolution, focusing on greater independence, enhanced contextual awareness, and personalised insights. These advancements enable proactive, tailored recommendations that streamline vulnerability management workflows. Already, over half of HackerOne's customers leverage Hai's actionable suggestions and insights to boost efficiency and strengthen their security posture.

Crypto.com partners with HackerOne for $2M bounty program

Crypto.com, trusted by more than 100 million customers worldwide and the industry pioneer in regulatory compliance, security and privacy, announced that it has upgraded its existing bug bounty program with HackerOne, providing up to USD $2 million in rewards for the reporting of security vulnerabilities. This is the first time a bug bounty program with HackerOne has reached USD $2 million, and it represents the largest reward available across all bug bounty programs with HackerOne, in the crypto industry and beyond.

Finding critical security gaps

“Security and compliance are at the foundation of everything we do at Crypto.com,” said Kris Marszalek, CEO of Crypto.com. “As our business and the industry continue to grow, it's critically important that we remain focused on our core principles, and this new bounty program does that by setting a new bar.”

“When you operate a global app serving more than 100 million customers, finding critical security gaps before bad actors do is essential to system integrity and customer trust,” said Kara Sprague, CEO of HackerOne. “This record-breaking bounty reflects the significant emphasis Crypto.com puts on consumer protection and their appreciation of the value the ethical hacking community can provide.”

Ethical hacking community

“Crypto.com's responsiveness and dedication to hacker program engagement makes their commitment to the global ethical hacking community second to none,” said Chris Evans, CISO and Chief Hacking Officer of HackerOne. “The top programs on our platform do not just follow our best practices but continuously raise the standard for how all organisations should engage with and reward ethical hackers.”

Enhancing safeguards and consumer protection

“While we have dedicated significant efforts to achieve top-tier security certifications, maintaining security assurance requires continuous focus and improvement,” said Jason Lau, Chief Information Security Officer of Crypto.com. “We have always respected and partnered with the ethical hacking community as an extension of our security team. Deepening our relationship with HackerOne through this milestone and setting this landmark bounty underscores our commitment to enhancing safeguards and consumer protection. We look forward to continuing to productively engage with this community.”

Cloud security and privacy certifications

Crypto.com became the first virtual asset platform to achieve multiple certifications across all platforms, including SOC2 Type 2, PCI DSS 4.0, ISO 27017 and ISO 27019 for cloud security and privacy in 2023, ISO 22301 for Business Continuity Management in 2021, ISO 27701 for Privacy Information Management Systems in 2020, and ISO 27001 for Information Security Management Systems in 2019, as well as conforming to the highest tier of the NIST Cybersecurity and Privacy Frameworks and obtaining region-specific certifications such as the Data Protection Trust Mark and Cyber Trust Mark in Singapore.
