Bug bounty hunters and partners stress the value of acquiring an attacker’s view of the organisation’s systems.
Cyber security specialist Integrity360 has partnered with offensive security company and bug bounty platform HackerOne to leverage the expertise of a 2 million-strong global ethical hacker community. Access to this community will ensure real-time vulnerability discovery and remediation to neutralise threats before they can be exploited, according to the partners.
Integrity360 says Africa is heavily targeted by cyber criminals, especially those looking to steal and manipulate data. The company cites the IBM Security Cost of a Data Breach Report 2024, which states that the average South African data breach now costs organisations over R49 million.
It also points to an Interpol report from June 2025, which claims that cyber crime accounts for more than 30% of all reported crime in Western and Eastern Africa.
Moreover, two-thirds of African member countries say cyber-related offences accounted for a medium to high share of all crimes.
The partners say the time has come for a change in approach. An ‘always-on’ layer of human-led testing will give companies continuous visibility into emerging threats and an attacker’s view of their systems, they add.
While traditional penetration testing and red teaming remain essential, a well-organised bug bounty programme takes cyber security to the next level, the companies note.
This is where bug bounty hunters make a difference. “A bug bounty hunter is an ethical hacker or security researcher who looks for vulnerabilities in organisations’ systems and reports them responsibly in exchange for financial rewards or recognition,” says Richard Ford, CTO of Integrity360.
“A bug bounty programme is a structured initiative where organisations invite ethical hackers to find and responsibly disclose vulnerabilities in their systems. Rewards (bounties) are given for valid findings, typically based on severity and impact. Depending on the client, bounty payments can range from $100 to over $20 000 for each vulnerability, depending on their severity,” Ford continues.
He says these programmes generally operate on a ‘best efforts’ basis and customers of HackerOne only pay for valid vulnerabilities found. “There is no guarantee that all exposures will be detected, and responsibility for security ultimately remains with the organisation.”
Ford provides an overview of how the interaction works in practice.
- Ethical hackers register as users with the HackerOne platform directly.
- Organisations (like those working with Integrity360) launch bug bounty or vulnerability disclosure programmes via HackerOne.
- Hackers are invited to join the programmes based on several factors, such as their experience, location and skillset.
- Hackers submit vulnerability reports to the platform, which validates the reports, scoring them for severity and likelihood of exploit.
- Payments (bounties) are approved by the end customer and are paid through the platform to the individual hacker.
- Hackers must follow strict programme policies and terms of service (e.g., no data exfiltration, responsible disclosure rules).
- Customers can specify that only hackers verified by background checks can take part in their programme.
Richard Ford, CTO at Integrity360.
An attacker’s view
The companies stress the value of having an attacker’s view of the organisation.
Ford says ethical hackers approach systems in the same way a malicious attacker might, but instead of exploiting a vulnerability, they report it responsibly.
“This provides organisations with insights into how their systems could be breached.”
Integrity360 and HackerOne add that the partnership will help South African organisations uncover hidden cyber risks that automated tools miss.
Says Ford: “Automated tools are good at finding known, repeatable vulnerabilities (e.g., missing patches, common misconfigurations) and AI has certainly helped to speed up the process of identifying and mitigating vulnerabilities. The human mind is far more creative and successful than automated tools when it comes to the more elusive and usually high-severity vulnerabilities. Human researchers bring a wealth of real-world experience and understanding of how software works and the steps that can be made to find bugs, often creating complex threat models and deploying techniques honed from years of research. Automated tools should always be seen as an essential part of an organisation’s armoury, but so too should human researchers.”
John Addeo, VP of global channels at HackerOne, says: “Integrity360 brings deep enterprise security expertise, while our hacker community provides real-world insight that tools alone can’t deliver.”
HackerOne has a similar existing partnership with Cyber1 Solutions in SA.