“It’s a significant expense but one that is worth spending,” adds Jason Haddix, vice president of researcher growth at Bugcrowd. “We’ve see the ROI outweigh the spend exponentially.”
There is also a relationship building and recruitment element to hosting the world’s best security researchers for the weekend. The hackers benefit from being able to collaborate more closely, and put faces to the handles.
“These relationships last more than one day. They last a lifetime,” Haddix adds.
Atlassian on Friday said it had already made a hire – a researcher from China – as a result of their work on the program.
The Portuguese pair’s talents developed early. Baptista began programming aged 10, building websites for fun.
“At high school I enjoyed doing tricks in class, like sending messages from one person to another, controlling the laptop of the professor, doing nasty stuff like opening and closing all the CD drives in the class,” he says.
Sousa excelled academically at IT as a kid, and also enjoyed a bit of mischief, getting around his school’s block on websites like hi5.
“That sparked something and ever since I’ve been interested in security,” he says.
Both pursued their interest at degree level, and now work in security at their university. Proving themselves at events like the Atlassian Bug Bash puts them closer to entering the top few per cent of white hat hackers.
“It’s the road to being elite. It’s a big journey. I’m getting closer and closer,” Baptista says.
That raises the option of doing bug finding full-time. HackerOne says around 12 per cent of its users earn US$20,000 or more a year, while around three per cent make more than US$100,000.
Maintaining the knowledge and skills to stay at the highest level, however, requires a lot of time and focus.
“If I don’t update myself every day I get pushed back,” Baptista says.
Potentially, all of those gathered at the event could make more money on the black market, selling their discoveries for nefarious purposes. But that comes with significant risks.
“That’s the thing, it’s not worth the risk being caught doing black hat. We’re making legal money,” Sousa, who often alerts websites he enjoys to any security holes anonymously and for free, says.
When they find a vulnerability, or gain access to something significant, for the hackers the feeling is a mixture of excitement and sheer terror.
Sousa describes it as: “I’m there, I’m there, oh shit!”
“The fear when you get in – now I have to be careful because I may access some stuff that I’m not supposed to. We have to be careful," he says.
Even in a bug bounty setting "it would be diverging from the scope and usually it doesn’t but it could have legal consequences,” he says.
‘The challenge’ and the buzz of the find is the top motivator for the majority – 44 per cent according to a Bugcrowd survey – of the hackers in Sydney this weekend.
As well as the money and perks, “they want to be among the security elite and get ahead of their peers,” Haddix says.
“I’ve found some massive, really critical ones and the feeling is – you’ve got the power but you’re not going to use it for bad. We have a lot of power,” Baptista adds.
Fortunately for us, they chose to use their powers for good.
“It’s not just about the money,” Sousa says, “it’s about keeping the internet safe for everyone.”