Introduction:
1. Why Companies Pay Hackers Big Bucks to Break Their Networks
2. Why hackers are increasingly targeting video game companies
Why Companies Pay Hackers Big Bucks to Break Their Networks
(TNS) — In the past 18 months, video game developer Epic Games has paid more than $3 million to hundreds of hackers online. The company says it’s done so happily.
Epic, which is headquartered in Cary and best known for creating the popular game Fortnite, offers tech-savvy individuals money to expose vulnerabilities within its operating systems. The company opened this incentive, called a bug bounty, to invited hackers in 2017. It expanded the program to the public in October 2021 and has since awarded a total of $3.16 million to more than 550 people.
According to the platform HackerOne, which hosts Epic’s program, hackers have uncovered 1,240 valid issues at the company. These discoveries fetched $500 on average, though some earned hackers as much as $50,000.
“By working with this community of talented researchers, we are able to strengthen the security of our products and services,” Epic Games spokesperson Emily Bass wrote in an email. “This program includes work across the Epic ecosystem, including Fortnite.”
Cybersecurity experts say more businesses have begun embracing bug bounty programs to broaden their virtual security at a lower price. Like Epic, Raleigh’s fast-growing software firm Pendo launched its own bounty program two years ago, and well-known national companies like Starbucks, Uber, Yahoo, Slack, PayPal and Spotify run similar programs to varying degrees, dangling money to hackers who often work anonymously. Even the U.S. Department of Defense runs a bug bounty program, the first in the history of the federal government, which it expanded in 2021 after reporting initial success.
Hackers who chase these bounties aren’t the nefarious agents behind data breaches or malware attacks. Bug bounty programs instead attract thousands of so-called “white hat” hackers, ethical operators who infiltrate systems with the goal of alerting, not disrupting.
“It’s very difficult to describe what I actually do,” said Deral Heiland, a white hat hacker who works as a principal security researcher at the cybersecurity firm Rapid7. “I break into things and get paid to do it.”
Some companies will prepay hackers to attempt system breaches, which is known as pentesting (short for penetration testing). But bug bounties are more of an open call.
“Any time we design and release new software, we use tools to test and address security vulnerabilities at each step of the process,” Pendo spokesperson Laura Baverman said in an email. “But it’s also really helpful to engage with the security research community once that code is live — our bounty program has hundreds of researchers continuously looking at websites all over the world and identifying issues.”
‘It was controversial when it first came out’
Netscape is credited with creating the first bug bounty program, but only within the past five years or so have the incentives become common. As businesses move more services online, and bad actors grow more sophisticated, executives have seen the value of having more eyes on their software.
“It was controversial when it first came out,” said Ray Zeisz, senior director of the North Carolina State University Friday Institute for Educational Innovation. “There were people in the industry thinking, ‘Oh, my God, you’re crazy. You’re writing checks to the bad guys.’ But it’s not necessarily what’s happening.”
Zeisz said a few of his closest friends now make livings from white hat hacking. Some ethical hackers were once criminal hackers, including Kevin Mitnick, a prolific corporate network breacher whom authorities arrested in 1995.
For companies, bug bounties can prove more economical than hiring additional full-time cybersecurity staff. Zeisz pointed out that the millions Epic Games has paid through HackerOne is only a sliver of its multibillion-dollar annual revenue. And other major brands — including IBM and Fidelity — entice white hats with non-monetary credits that hackers seek out to bolster their cybersecurity resumes — or simply for pride.
Epic’s top bounty hacker
Without permission, hacking is a crime, so companies will typically spell out specific rules for how ethical hackers can proceed legally.
Epic, for example, does not permit hacking by anyone employed at the company, recently employed at the company, or who lives in the same household as a current or recent employee. It also doesn’t allow hackers living in countries that the U.S. has issued trade sanctions against, like Cuba, North Korea and Iran.
Formed in 2012, HackerOne is one of the most popular sites for ethical hacking. On the platform, Epic lists four award tiers — low, medium, high and critical — and examples of which discoveries might warrant each bounty amount. Bypassing the company’s payment process is deemed a critical catch that could earn up to $10,000. Crashing a server in Fortnite that the hacker is not a member of also ranks as a critical achievement.
One common infiltration technique is called an injection attack, Heiland explained as “sending data into a site that wasn’t intended to be sent there.” He said he once used an injection attack to gain administrator privileges of a company’s wireless management system. Companies often require ethical hackers to report vulnerabilities they uncover within a short time frame, allowing the business to fix — or patch — the issues before criminals exploit them.
On HackerOne, Epic Games’ top bounty hacker works under the name “Adam” and lists their location as Paris, France. Adam predominantly focuses on exposing vulnerabilities at Epic. The company last awarded Adam a bounty on April 6, the 93rd payment Epic has made to the hacker.
This story was produced with financial support from a coalition of partners led by Innovate Raleigh as part of an independent journalism fellowship program. The N&O maintains full editorial control of the work.
Why hackers are increasingly targeting video game companies
Any organization can be vulnerable to cyberattack. But some have proved to be especially susceptible, particularly over the past year as the coronavirus pandemic has wreaked havoc with traditional work environments. A report released Tuesday by cybersecurity provider BlackCloak describes how cybercriminals have been targeting the video game industry and its key executives.
Citing the 2020 Verizon Data Breach Investigations Report, BlackCloak noted that C-suite executives were 12 times more likely to be targeted in cyberattacks than other employees. Further, 71% of attacks against these executives were financially motivated, as cybercriminals sought to earn money by selling confidential data and intellectual property or by deploying ransomware.
Looking at 15 of the top 20 video game companies in the world, BlackCloak also found that C-suite executives were the most targeted in attacks that occurred over the past year. The firm pointed to a few reasons to explain this trend.
Video game companies are in the crosshairs partly because they don’t need to adhere to the same security requirements and regulatory demands as do other companies that must protect customer data. For example, a video game startup may not place as high a priority on security as would a hospital or bank.
Video game players themselves often reuse the same password across different sites. A hacker who obtains a user’s login credentials can then launch attacks against the video game companies. Further, many gamers like to hack the games they play to gain an advantage over their fellow gamers. Excited by the thrill of hacking, some of these gamers may take the next step and try to hack the company’s network.
BlackCloak also discovered a number of weaknesses in the credentials used by C-suite executives at video game companies. The passwords for 83% of the executives analyzed were found in clear text on the Dark Web. Among these, 68% of the passwords were associated with the executive’s personal email address. Further, 34% of the executives reused the same password or a slight modification of the password on multiple accounts.
Over the past year, several incidents have hit video game companies.
In April 2020, an anonymous hacker leaked the usernames and passwords of around 23 million online players of the children’s game Webkinz World, made by Canadian toy company Ganz. The hacker purportedly accessed the game’s database using an SQL injection flaw found in one of the site’s web forms.
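Heiland’s description of an injection attack above, “sending data into a site that wasn’t intended to be sent there,” and the SQL injection flaw in a web form described in the Webkinz incident both come down to the same defect: user input being pasted into the text of a database query. The following is an added example, not code from either article or from any of the companies named; it uses Python’s built-in sqlite3 module with a constructed in-memory users table and a constructed unexpected form input, and places a vulnerable lookup beside the parameterized form that fixes it.

```python
import sqlite3

# Constructed sample data for this example (not real accounts).
SAMPLE_USERS = [
    ("alice", "pw-alice-1", "player"),
    ("bob", "pw-bob-2", "player"),
    ("admin", "pw-admin-3", "administrator"),
]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation. Whatever the form submits
    becomes part of the SQL text, so a crafted username changes the query's
    logic instead of being compared as a plain value."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the driver passes the value separately from the
    SQL text, so the input is only ever compared, never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A username no legitimate form submission would contain (constructed).
UNEXPECTED_INPUT = "nobody' OR '1'='1"


def demo():
    """Run both lookups against the same input and return the rows each one
    hands back, so the difference in behaviour can be inspected directly."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, UNEXPECTED_INPUT),
        "safe": lookup_safe(conn, UNEXPECTED_INPUT),
        "normal_vulnerable": lookup_vulnerable(conn, "alice"),
        "normal_safe": lookup_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

For the ordinary username both functions return the single matching row, so the defect is invisible in normal use. For the unexpected input the concatenated query becomes `... WHERE username = 'nobody' OR '1'='1'` and returns every row in the table, administrator included, while the parameterized query compares the whole string against the username column and returns nothing. The fix is not input filtering but keeping data and query text separate, which is what the `?` placeholder does.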
In June 2020, Nintendo revealed that 300,000 customer accounts had been compromised in a cyberattack. In this incident, attackers accessed the Nintendo Network ID accounts of game players who used the same passwords on their Nintendo and Nintendo Network accounts. As a result, the attackers could have bought items at the My Nintendo store or the Nintendo eShop using virtual funds or money from a linked PayPal account.
In February 2021, cybercriminals launched a ransomware attack against the Polish video game company CD Projekt. The attackers boasted that they obtained the source code for the video games Cyberpunk 2077, Witcher 3, Gwent and an unreleased version of Witcher 3. After CD Projekt refused to pay the ransom, the hackers auctioned the source code and other confidential data with a reported starting price of $1 million and a buy-it-now price of $7 million.
To protect organizations and their executives from targeted attacks, BlackCloak advises extending security to personal devices and accounts. Enterprise security tools such as VPNs, endpoint protection, firewalls and antivirus software can protect corporate assets. But organizations also need to extend security to executives’ home networks, to devices used by family members on the home Wi-Fi network, and to other locations used by the family, including second homes.
Of course, trying to protect every smartphone, personal account, video game player and electronic device in an executive’s home is difficult enough under normal circumstances. As the pandemic has caused the personal and professional lives of executives to meld, applying the usual security practices without bumping into an executive’s need for privacy is even more challenging.
Related questions
Companies That Hire Ethical Hackers (Organized by Industry)
1. Tech Companies
- Google: Employs ethical hackers through teams like Project Zero to find zero-day vulnerabilities.
- Microsoft: Runs the Microsoft Security Response Center (MSRC) and bug bounty programs.
- Apple: Focuses on securing iOS/macOS ecosystems; hires penetration testers and security analysts.
- Amazon/AWS: Seeks security engineers to protect cloud infrastructure and e-commerce platforms.
- Meta (Facebook): Hires red teamers and security engineers to safeguard social platforms.
2. Cybersecurity Firms
- Palo Alto Networks: Offers roles in threat intelligence and network vulnerability research.
- CrowdStrike: Specializes in endpoint protection and incident response; hires threat hunters.
- Mandiant (formerly FireEye): Focuses on incident response and advanced threat detection.
- Check Point Software: Develops firewalls and intrusion prevention systems; hires security researchers.
- HackerOne/Bugcrowd: Platforms that connect companies with independent hackers by hosting and managing bug bounty programs for clients.
3. Financial Institutions
- JPMorgan Chase: Maintains a dedicated cybersecurity team for fraud prevention and infrastructure security.
- Bank of America: Hires ethical hackers for secure banking systems and compliance.
- Goldman Sachs: Invests in cybersecurity to protect financial data and trading platforms.
4. Consulting & IT Services
- IBM: Offers cybersecurity consulting via IBM X-Force for enterprise clients.
- Deloitte: Provides risk advisory and penetration testing services.
- Accenture: Hires security specialists for global consulting projects.
5. Government & Defense Contractors
- Lockheed Martin: Seeks cybersecurity experts for defense and aerospace projects.
- Northrop Grumman: Focuses on national security and cyber warfare defense.
- Booz Allen Hamilton: Provides cybersecurity services to U.S. government agencies.
6. Healthcare
- UnitedHealth Group: Protects patient data and healthcare systems.
- Cigna: Employs security analysts to secure medical records and compliance.
7. E-commerce & Retail
- Shopify: Hires red teamers to secure e-commerce platforms.
- eBay: Focuses on fraud detection and payment system security.
8. Telecommunications
- Verizon: Runs Verizon Cybertrust for network security and incident response.
- AT&T: Protects telecom infrastructure and customer data.
9. Cloud & Infrastructure Providers
- AWS (Amazon Web Services): Secures cloud environments and offers tools like AWS Shield.
- Microsoft Azure: Hires ethical hackers to fortify cloud services.
10. Startups
- Darktrace: Uses AI for threat detection; hires security researchers.
- Snyk: Focuses on developer-first security for open-source vulnerabilities.
Key Roles for Ethical Hackers
- Penetration Tester
- Security Analyst
- Red Teamer
- Threat Intelligence Researcher
- Incident Responder
How to Get Hired
- Certifications: CEH, OSCP, CISSP, CompTIA Security+.
- Experience: Participate in bug bounty programs (e.g., HackerOne) or CTF competitions.
- Networking: Attend conferences like DEF CON or Black Hat.
- Job Platforms: LinkedIn, Indeed, Infosec Jobs, and company career pages.
Ethical hackers are critical across industries to preempt cyber threats. Tailor your skills to industry needs and leverage certifications for competitive advantage.