HackerOne vs. Gitcoin: Finding the Best Bug Bounty Platform for Your Software Development Projects

Since the birth of computing, open source software (OSS) has contributed immense value to the tech community. The collaborative, transparent nature of open source initiatives has resulted in the development of countless applications that many of us use every day. For example, you may have heard of the Internet?

For those that may not be familiar with OSS, it’s best defined as software with source code that developers can inspect, modify, and enhance. By sharing source code with a global development community, future iterations of software are typically improved, tested, and have a faster release date. OSS tends to fast-track the software development lifecycle (SDLC) and lower costs.

Where are these open source communities found?

In today’s development ecosystem, GitHub has emerged as one of the world’s largest and most reputable open source communities. In 2017 alone, the platform brought together 24 million people from over 200 countries. This level of collaboration is in stark contrast to proprietary software development, largely conducted by insular, corporately vetted teams.

Increasing Efficiency & Effectiveness with Open Source Development

Open source software is notoriously less profitable for creators than proprietary software, yet wildly effective for businesses. Most websites in the world run on OSS. Typically, coders working in open source have a personal interest in pushing a project or initiative forward. While profits tend to motivate proprietary software, OSS is driven by collective good. That’s not to say open source can’t make money; Linux and Red Hat certainly do. Yet, traditionally, open source projects have been less efficient in capturing the value at the application development level.

How could someone incentivize open source development to push projects forward faster?

Bug bounty programs. Companies such as HackerOne and Gitcoin have created successful arrangements that bring together hackers and developers alike through a “bounty” program. Bounties are offered to developers in exchange for their expertise in resolving bugs and disclosing security vulnerabilities.

While the end goal of these platforms is the same, there are significant differences to consider.

The Differences Between Using HackerOne vs. Gitcoin

Ultimately, the difference between HackerOne and Gitcoin is that a) HackerOne is focused on big critical bugs on your repos (open source or otherwise) and b) Gitcoin is a place to bring developers to work on bugs, features, and more on your repos and build relationships in open source communities. These are very different tools.

Centralized (HackerOne) vs Decentralized (Gitcoin)

Hired platforms like HackerOne are corporations – presumably in business to capture a portion of the value created by developers or “hackers”. In contrast, Gitcoin leverages the power of blockchain to establish a truly decentralized payment system. Built using smart contracts on the Ethereum blockchain, Gitcoin manages its entire bug bounty program without an evident profit driver. This structure ensures that developers capture the majority of their contribution value, as profits are not shared with an intermediary.

HackerOne vs. Gitcoin: Open Source

HackerOne is focused on bigger, critical bugs on companies’ repos, whether they’re open source or otherwise. Gitcoin is a place to bring developers to work on bugs, features, and more. The idea with Gitcoin is that developers build relationships with repo owners and strengthen their ties to the open source community.

In-House (HackerOne) vs. Blockchain (Gitcoin)

Companies like HackerOne typically offer clients Vulnerability Disclosure Programs (VDP) and Bug Bounty Programs (BBP). These programs are staffed with software developers or “hackers” selected by the company itself. Clients typically have the option of screening participants further when deciding between a public or private program. Those on staff must go through a hiring process, prove their skills to the satisfaction of the company, and remain under continual management and oversight.

Alternatively, Gitcoin offers an entirely open source, decentralized system, using tools built on the Ethereum blockchain. Workers can apply directly to GitHub issues you open regarding bugs, features, and more. Given it’s so easy to find a Gitcoiner – and Gitcoin doesn’t require a large application process for them to join – it’s easy to put up bug bounties of $200 – $500, instead of the huge bounties and bugs that are more common on HackerOne. This lends itself to the open source ethos — contribute to a project, make friends, and now — make a little money.

But how does Gitcoin work exactly?

In short – after installing MetaMask as a browser extension, which facilitates access to the Ethereum blockchain, the client (issue funder):

  1. Creates a repo on GitHub;
  2. Copies the URL for their GitHub repo over to Gitcoin’s Issue Explorer;
  3. Selects the bounty they are willing to offer the developer/hacker (contributor) in crypto;
  4. Sets a specific project scope;
  5. Funds their issue and waits for a contributor to work their magic.

This entire process is recorded on the Ethereum blockchain, where the funder’s bounty is held in “escrow” until the contributor’s work is approved. Once approved, funds are automatically released via the smart contract mechanism. While the use of these new tools may be intimidating to some, the seamless integration of GitHub, MetaMask and Gitcoin dramatically reduces the learning curve.

Gitcoin leverages a truly global talent pool by allowing anyone to partake in its platform. Potential human biases are eliminated and all contributors are provided with an equal opportunity to participate without the need for intermediaries.

Efficiency & Global Reach of HackerOne vs. Gitcoin

As mentioned, Gitcoin uses crypto (ETH) to pay its contributors when a project is complete. But why is this significant? To understand the benefits, let’s first consider fiat payment networks. It’s safe to assume that companies like HackerOne rely on fiat payment systems to compensate their contributors or “hackers.” Arguably, this limits the global reach of its programs while capturing less value for developers. Transaction fees are high and processing takes days using fiat.

By using cryptocurrency, the same transactions can be conducted at a fraction of the cost and clear within minutes. Gitcoin’s use of the Ethereum blockchain and crypto payouts is much more efficient and captures far more value for developers.

Then there’s the global reach of cryptocurrency. Fiat transactions require the use of banks – which excludes the 1.7 billion “unbanked” people around the world. Yet, two-thirds of the unbanked have access to a mobile phone capable of sending and receiving crypto payments.

Using cryptocurrency bypasses the need for financial institutions, which allows for broader participation in the Gitcoin platform. Operation outside of the constraints of intermediaries has the potential to change lives and leverage the global talent pool.

Software Development Success with Bug Bounties on HackerOne vs. Gitcoin

Regardless of the platform, bug bounty programs have an immensely successful track record of pushing open source projects forward and delivering value to developers. The efforts of white hat and ethical hackers and open source developers have become an essential component of modern cybersecurity.

In its annual security report, HackerOne reported that $31M had been awarded to ethical hackers through its programs as of June 2018, with $11.7M awarded in 2017 alone. Gitcoin’s model, which focuses more broadly on bug bounties, features, and more in an open, transparent manner, helps offer a different solution to hackers looking to dip their toes in the bug bounty community — or any open source project in general.

OSS and blockchain are inherently compatible. By creating an open source network that facilitates open source software development and pays out in open source money… Gitcoin is on to something.
