Moreover, at a time when experts are forecasting that 3.5 million cybersecurity jobs worldwide will be vacant by 2021 because there aren’t enough skilled workers, freelancers can ease some of the strain on internal teams.

Still, the platforms face a couple of big challenges. One is to keep expanding the pool of talented bug hunters. Another is to establish greater legal clarity about what tools and techniques ethical hackers can safely use. Popular tactics such as injection attacks, which involve inserting code into a software application in a way that changes how the program executes, could potentially lead to prosecution under anti-hacking laws such as America’s Computer Fraud and Abuse Act (CFAA).

There have already been cases where security researchers and reporters have faced possible legal action for unearthing and reporting vulnerabilities in companies’ code. It would take only a couple of high-profile lawsuits to have a chilling effect on the industry.

Hacker uni

To address the talent challenge, the crowdsourcing platforms are publishing far more content to help hackers upgrade their skills and to attract more people to gig work. Bugcrowd just unveiled Bugcrowd University, which offers free webinars and written guides to things like Burp Suite (yes, that’s really the name), which is a graphical tool for testing web applications’ security.

The platform is also working with experienced ethical hackers to help it spot and train promising freelancers. The best recruits are curious, tenacious, and willing to adapt fast. “The technology’s evolving so quickly that it’s often hard to catch up [with it],” explains Phillip Wylie, Bugcrowd’s talent spotter in Dallas.

HackerOne is also publishing more training material and coaches independent bug hunters—who can be quirky and sometimes abrasive characters—in soft skills like how to communicate more effectively with corporate IT departments.

Legal air cover

On the legal front, the platforms are pushing for more “safe harbor” language to be inserted in contracts governing bug bounties. The aim, says Adam Bacchus of HackerOne, is to get companies to be clear that if hackers follow the rules of engagement within reason, they won’t wind up being taken to court.

Bugcrowd has partnered with Amit Elazari, a security researcher whose work has highlighted the need for safe harbor language, to launch an initiative called disclose.io to create a standardized framework for finding and reporting bugs. This would provide explicit authorization for using bug-hunting techniques that would normally be clear violations of provisions in anti-hacking statutes.

It complements a broader push in the US by groups such as the Electronic Frontier Foundation to stop companies from using laws like the CFAA to silence researchers who find serious flaws and disclose them in a responsible manner.

Casey Ellis, Bugcrowd’s founder and chairman, says some other countries, like the UK and Germany, also have strict anti-hacking laws that could be used to stymie ethical hacking.

Such laws are needed to prevent hackers of all kinds from causing havoc. The challenge ahead is to strike a sensible balance between protecting ethical hackers and shielding companies from rogue ones out to cause harm. Getting this right won’t be easy, but given the dire talent shortage in the cybersecurity world, it’s an issue that we urgently need to address.

Update (August 27): This article has been updated to show Amit Elazari’s role in launching disclose.io.