In 2024, we saw the adoption of AI in hacking workflows take off. In a survey of over 2,000 security researchers on the HackerOne Platform, 20% now see AI as an essential part of their work, up from 14% in 2023. Here’s what some Hackbot operators report:
- PropertyGPT: “It successfully detected 26 CVEs/attack incidents out of 37 tested and also uncovered 12 zero-day vulnerabilities, resulting in $8,256 bug bounty rewards.”
- XBOW: “While developing XBOW over the past three months, we played around with using it for bug bounties and ended up at #11 in the US on HackerOne. Since September, 65 reports have been submitted, including 20 critical findings.”
- Shift: “The goal with Shift is simple: seamlessly leverage SOTA LLMs inside our everyday hacking tool: Caido. With true integration, I can offload the repetitive work of reformatting a request or finding a certain ID and focus on the intricate aspects of hacking that require a hacker’s brain. Shift will get us closer to frictionless use of our hacking tools and efficient implementation of attack vectors.” – Justin Gardner, Creator of SHIFT
- Ethiack: “AI is not replacing security researchers; it’s unleashing our full power. It makes us more effective in discovering and fixing vulnerabilities so we can focus on what matters most: solving challenges that require creative thinking, collaboration, and the infinite curiosity of the human mind.” – André Baptista, Co-founder of Ethiack
Every discovered and remediated vulnerability strengthens the internet, regardless of the source. We believe Hackbots are a powerful tool for the security community, accelerating vulnerability discovery and ultimately making the internet safer.
The early adopters of these Hackbots have surfaced the need for a new set of rules governing their behavior. Today, we’re excited to formally welcome Hackbots to HackerOne with some key principles in place:
- By the Rules: Hackbots must operate within the published vulnerability disclosure policies of the program they’re engaging with, along with HackerOne’s Code of Conduct and Disclosure Guidelines.
- Human-in-the-Loop: Hackbots must not operate in a fully autonomous manner—yet. We employ a “hacker-in-the-loop” model, requiring human experts to investigate, validate, and confirm all potential vulnerabilities before submitting to a Vulnerability Disclosure (VDP) or Bug Bounty Program (BBP).
- Accountable: Hackbot operators are responsible for their Hackbots and must exercise due diligence to ensure compliance with platform rules and program policies.
- Bounty Eligible: Human operators of Hackbots qualify for any applicable bug bounty rewards, just as if the vulnerabilities were discovered through traditional means.
It’s important to acknowledge that, like any powerful tool, Hackbots can be misused. That’s why requiring human oversight and adherence to established disclosure practices are essential. Our outlined principles are designed to help foster a foundational culture of responsible behavior. We look forward to partnering with the community to advance these principles as the practice of AI-accelerated hacking evolves.
We believe running a bug bounty program is one of the best ways for businesses to benefit from the AI innovation making Hackbots possible. Hackbot operators can now equally benefit from participating in bug bounty programs and demonstrating their effectiveness and AI prowess in a real-world benchmark setting.
Are Hackbots Replacing Security Researchers?
Absolutely not.
The best researchers have always relied on combining their unique ingenuity with the best automation available. Hackbots are simply the next step in this evolution. They can automate repetitive tasks, scan vast amounts of code, and identify potential vulnerabilities at a much faster pace. However, human judgment remains crucial. Hackbots lack the creativity, critical thinking, and contextual understanding needed to fully understand and exploit a vulnerability end-to-end. Modern Hackbots depend on reinforcement learning from researcher feedback as technology and threats evolve.
This is where the human researcher comes in. By working together, Hackbots and Hackers can achieve far better results. Hackbots can provide a broader initial scan, highlighting areas of potential weakness, and they don’t require coffee or sleep to maintain peak performance. The caffeine-powered human researchers can then delve deeper, analyze the findings, and exploit the vulnerabilities creatively. This collaborative approach leads to a more comprehensive understanding of a program’s security posture and, ultimately, a more secure product.
Our Last Line of Defense
Criminals are incorporating AI and Hackbots into their offensive toolkits. We need Hackbots hacking for good as well.
Security leaders run bug bounty programs because they believe in defense in depth and reject the allure of silver bullets. The thing we love the most about the researcher community is the power of its diversity. Brilliant security researchers from surprising backgrounds finding creative flaws in even the most hardened attack surfaces. The same principles will hold true with hackbots. Security leaders will soon be inundated with marketing pitches selling unhackable fantasies with AI solving all our security problems. In our humble opinion, only the foolish will bet their security on a single silver bot.
May the best hacking win!