Hacker Heroes: John Deere's Bug Bounty Program Boosts Cybersecurity

Ethical hackers, also known as white hat hackers, have become a critical element of cybersecurity at many leading tech organizations in recent years.

John Deere is no different, having paid out over $1.5 million through its Bug Bounty program with HackerOne since 2022.

How does it work?

HackerOne connects data-intensive businesses, such as Deere, with cybersecurity researchers (ethical hackers). These researchers test and examine the company's systems, looking for security vulnerabilities. They receive payment for the issues they find, both big and small.

By working closely with HackerOne program researchers, Deere's security teams are better equipped to proactively identify system improvements and bolster information security, said Carl Kubalsky, Director and Deputy CISO (Chief Information Security Officer) at Deere.

"These hackers, often referred to as 'white hats,' are selected from a pool of the best talent available through the HackerOne platform," he said. "We've had significant participation with 84 hackers currently involved and over 2,500 submissions received."

What do the hackers think?

A researcher who goes by Archangel said that, as a hacker, he knows the reports he submits to Deere will be taken seriously and handled promptly.

"The John Deere Bug Bounty program is world class," he said. "They aren't just interested in vulnerabilities on a handful of products, they accept and encourage findings across their entire ecosystem to ensure that their customers are safe regardless of which product(s) they are using."

Researcher Jensec said he appreciates that the Deere team responds promptly when he submits his findings.

"When I find something significant, I know my time will be properly valued," Jensec said. "The (Deere) team … is highly technical and skilled, knows John Deere assets and attack surfaces and makes the whole experience smooth and rewarding."

Fellow researcher Rez0 agreed. "John Deere is one of my favorite programs because they respect us (the hackers) more than any other program," he said. "They view us as an asset rather than a commodity. I love the way they value our opinion and listen to our opinion on fixes, severity, etc. You can tell John Deere cares about the security of their websites and applications with how serious they take their bug bounty program."

Roy Arguilez, a vulnerability management analyst at Deere, said the researchers help the company strengthen its security posture by addressing a wide range of potential issues. "We consider our researchers to be almost like an extension of our team," Arguilez said. "This helps build trust, drive engagement, and helps us leverage their expertise."
