Interview with Adam Bacchus, White Hat Hacker

Find schools


Q&A with Adam Bacchus of HackerOne

Adam Bacchus of HackerOne

Adam Bacchus is the director of program operations for HackerOne. He manages the technical service delivery team of technical program managers and security analysts and oversees vulnerability disclosure assistance, helping hackers disclose bugs to companies around the world.

Adam loves to help companies run bug bounty programs and drive various crowdsourced security initiatives to help make the Internet a little bit safer. He works directly within the friendly hacker community and is passionate about helping them succeed.

Before HackerOne, Adam led a wide variety of information security projects at Snapchat and helped run Google’s penetration testing and bug bounty programs.

[] How did you first get into computer science?

[Adam Bacchus] It's a little cheesy, but I saw the movie Hackers from 1995 when I was a kid. It's a silly movie and technically inaccurate, but I thought it was so cool. The whole concept of making computers do things that they aren't supposed to do was cool to me.

I went to the University of Minnesota and got my bachelor's in computer science. There was very little focus on security, but my first job out of school was as a consultant where I hacked different organizations. Banks, hospitals, and companies of any side would pay the company I worked for to hack them and give them a report about their security so that they could fix security bugs before criminals could find them.

While I was a consultant, I managed to find a security bug in one of Google's products, which is how I got my foot in the door for an interview at the company. This was before they had a bug bounty program so there was no monetary reward, but I met the Google security team and interviewed for a job. I thought I would never get a job at Google, but somehow I scraped my way through.

At Google, I worked on a variety of things—vulnerability management, making sure we're finding bugs in every way possible and making sure those bugs are fixed. My manager told me "security is only improved when bugs are fixed, not only found."

Running the bug bounty program meant front row triage, reading the security reports, working with security engineers, determining how much we wanted to pay for bugs, and growing the program. I also worked to see if we could catch ourselves in the act of hacking to improve detection and response so that if people are trying to hack us, we can catch them and respond appropriately.

[] How did you first get into hacking?

[Adam Bacchus] I dabbled a little in college. There were clubs and student organizations around hacking and information security, but my first hands-on experience was on the job. That being said, I was never plugged into the community at my first job—that was just a day job. That happened at Google, where I was working on their bug bounty program. I got to meet and talk with people from around the world, a very diverse group of people.

Then I went to work at Snapchat, which is when I had my first experience with HackerOne. Google had its own bug bounty program, but Snapchat employed HackerOne. After a year, I came to HackerOne, and this is where I've been the most fully invested in the hacking community.

[] Can you tell us about the crowdsourced security space?

[Adam Bacchus] A lot of people hear the word hacker and think "Oh that's scary," but there are always good guys and bad guys. What I like about the model and community of crowdsourcing is that the bad guys are going to come and attack you no matter what. They're going to exploit your vulnerabilities. So if there are white hat hackers, why would you not want to work with them?

I heard a story where there was a kid who found a bug where he could ride the train for free. He told the government about it, and instead of thanking him, they threw him in jail. That's just the wrong perspective. The way I see it is if someone was walking down the street and they tell you your front door is open, you can either go back and lock it or grab your shotgun and yell "Get off my lawn!" You want to leverage the power of crowdsourced security so that you can find and fix vulnerabilities before criminals take advantage.

[] What does your day-to-day look like?

[Adam Bacchus] I'm in charge of technical service delivery. I manage the organizations that come to HackerOne and want to try it out. My team then sits down with the customers, and we build out a program from beginning to end. We help them launch and run the program by figuring out what should be in scope and out of scope, and outlining what hackers are allowed and not allowed to do.

We also make sure we're operating an ecosystem that is treating both customers and hackers fairly. We want to maintain a positive relationship on both sides. We assign resources and figure out who would be best to work with these individuals. All customers have different types of technology, so we have to make sure that we're pairing them with hackers who have the right knowledge.

Hackers will submit reports, so we need to have the right skillset internally to report back to customers. Sometimes a hacker or a customer is upset, and we need to be technical enough to understand the issue, but we also need to have the soft skills necessary to negotiate to come to a reasonable solution. That's highlighted here. We're right in the middle between hackers and customers. We're connecting these two groups of people, so it's not just enough to say "yes, that's a bug." It's hard to find people who have both technical and communication skills.

[] What would you recommend to an engineering student who wants to get into hacking?

[Adam Bacchus] If an engineering student wanted to get into hacking, I would recommend that they have the right skills necessary to hack and find bugs. We've created a set of educational resources that teach you how to hack, called Hacker 101.

Once they know what they're doing and feel dangerous enough to get into it, they can go to the HackerOne directory and find bug bounty programs that exist. I would recommend first-timers to start with the HackerOne response program because there are a lot of different rules to learn according to each bug bounty program.

You don't have to jump right in to get money for bugs. Some VDP programs don't pay, but they promise safe harbor as long as you play by the rules. I recommend beginning with those because there's also probably a higher likelihood that you'll find a bug. The more money involved in a bug bounty program, the more eyes are on it.

You should also talk to others in the community. You can find people in the bug bounty community on Twitter, follow them, read their blogs, and learn from them. There are great resources in the community. Some will even sit down and teach you if you ask them.

[] What are the trends in security that excite you most?

[Adam Bacchus] The trend that I've noticed is that there's this negative connotation around the word “hacker.” I'd love to see it changing to more of a positive mindset. It's already starting with everyday vernacular like "lifehacks" used as a positive tool for bettering your life.

In general, crowdsourced security is becoming way more mainstream, even in just the last few years. It's cool to see more and more organizations working with hackers and not assume that they're bad people by default. A lot of people are so biased just because of the connotation. They hear the word, and there's an immediate reaction. A big turning point for me personally is when the U.S. Department of Defense worked with HackerOne. At that point, it was like "Whoah, even the U.S. government is doing it." I hope that people view this as normal.

Related Features

Artificial Intelligence Systems & Specializations: An Interview with Microsoft’s Sha Viswanathan

The ability of a computer to learn and problem solve (i.e., machine learning) is what makes AI different from any other major technological advances we’ve seen in the last century. More than simply assisting people with tasks, AI allows the technology to take the reins and improve processes without any help from humans.

Automotive Cybersecurity: Connected & Self-Driving Vehicles

This guide, intended for students and working professionals interested in entering the nascent field of automotive cybersecurity, describes some of the challenges involved in securing web-enabled vehicles, and features a growing number of university programs, companies, and people who are rising to meet those challenges.

Careers in Digital Marketing: Big Data & Social Analytics

The field of digital marketing intersects with many other tech industries and grew out of traditional theories of advertising, marketing, and sales. Just like traditional marketing, the goal is to reach your target customer base, build brand awareness, and make a meaningful, data-generating connection.

Combating Climate Change with Better Batteries

With 100 percent renewable energy as the ideal future state, startups and established players are racing to find the right mix of cheap, safe, and effective utility-scale energy storage. Learn more about some of the latest advances and new directions for combating climate change by making better batteries.

Guide to Engineering Conferences in 2021

Engineering is an exceptionally dynamic sector. It is continually changing and expanding, and experts, professionals, and academics in the field need to keep pace with all of the latest developments. Conferences provide professionals in various engineering disciplines with knowledge about cutting-edge tools, technology, and skills in the field.