The Hall of Fame Problem: Cybersecurity Celebrates Those Who Break Things — But Has No Trophy for Those Who Build Them Right


Sunday Special | 14th June 2026

A philosophical argument for the most overlooked discipline in the digital age

There is a wall of fame in cybersecurity. It is not metaphorical — it is literal, and it belongs to the breakers.

Adobe maintains a Security Researcher Hall of Fame to recognize those who have made a significant impact on the security of its products through exceptional dedication and hacking expertise. Google has one. Microsoft has one. Facebook has one. Meta publishes an annual leaderboard of its top bug bounty researchers going back to 2011, ranked by Diamond and Platinum tiers. HackerOne publishes a global reputation system — a public score, visible to every employer and program manager in the world, that tells you exactly how good a researcher is at finding flaws in other people's work. 

Now ask yourself: where is the hall of fame for the engineer who designed the system that has never been breached? Where is the leaderboard for the security architect whose zero trust implementation stopped four intrusion attempts last quarter, none of which ever became news stories because they never succeeded? Where is the public recognition system for the developer who wrote a hundred thousand lines of code with no critical vulnerabilities, shipped on time, and went home?

It does not exist. And that absence is not a minor oversight in how the industry presents itself. It is a window into a fundamental philosophical distortion — one that is actively shaping how we educate, recruit, invest in, and think about the people responsible for keeping the digital world standing.


Part I: The Economics of Visible Achievement

In the past 12 months alone, HackerOne bug bounty programs collectively paid out $81 million — a 13% year-over-year increase. The top 10 programs accounted for $21.6 million of that total, and the top 100 all-time earners on the platform have collectively taken home $31.8 million, with individual researchers now consistently surpassing six-figure annual earnings. 

These are remarkable numbers. They represent real, measurable value — bugs found before adversaries found them, vulnerabilities disclosed before they became breaches. Bug bounty programs are genuinely useful, and the researchers who participate in them perform a genuine service.

But pay close attention to what those numbers measure: they measure discovery of failures. Every dollar in that $81 million was paid because something was wrong with a system someone else built. The entire economic model of the bug bounty ecosystem is premised on the existence of flaws. The hunter is rewarded in direct proportion to the density of errors in the engineer's work.

Now consider what happens to the engineer who writes secure code from the start. They generate no bounty payouts. They produce no CVEs. They appear on no leaderboard. Their name goes on no hall of fame page. Their work is, economically and reputationally, invisible — unless something goes wrong, at which point the visibility arrives in the worst possible form.

For every dollar spent on bug bounties, companies saved an average of $15 — an estimated $3 billion in mitigated financial losses from potential breaches. This is cited as proof of the value of ethical hacking. But it is equally proof of the cost of not building security in from the beginning. The $3 billion in "saved" losses is a measure of how much vulnerable code was shipped. A world in which engineers built secure systems by default would have no $3 billion in potential losses to save in the first place. 

The economy of visibility is structured entirely backwards.


Part II: CVE as a Currency of Reputation

The Common Vulnerabilities and Exposures system — CVE — is the most widely used reputation currency in offensive cybersecurity. Find a vulnerability significant enough to receive a CVE number, and you have a credential that follows you through your entire career. Senior job listings ask for it. Conference talks lead with it. Researchers wear their CVE counts the way academics wear publication records.

A CVE is, by definition, a record of a flaw someone else failed to prevent. It is a monument to a defensive failure — and simultaneously, a monument to the offensive researcher who found it. The person who introduced the vulnerability is nameless. The person who discovered it is immortalized.

This is not inherently wrong. Finding vulnerabilities before malicious actors do is valuable, and recognizing the people who do it makes sense as an incentive. The problem is what happens in the absence of any equivalent recognition system on the other side of the ledger.

The Cybersecurity Hall of Fame recognizes exceptional individuals who have demonstrated unparalleled achievements and made significant contributions to the industry — trailblazers whose groundbreaking achievements have left an indelible mark and played pivotal roles in shaping how we safeguard data, systems, and organizations against evolving threats. Read its honorees: they are founders of vulnerability management companies, pioneering researchers in intrusion detection, architects of frameworks for identifying weaknesses. Even the defenders enshrined in halls of fame are recognized primarily for their work in understanding how systems fail — not for building systems that do not. 

There is almost no cultural infrastructure in cybersecurity for celebrating the architecture of resilience. No equivalent of the CVE database that names the engineers who shipped zero critical vulnerabilities in a major release. No leaderboard for the teams that went a full calendar year without a material incident. No publicly indexed credential that says: this person built something that held.


Part III: What "Secure Engineering" Actually Requires — and Why It Goes Unseen

The work of building genuinely secure systems is more demanding — not less — than finding flaws in systems that others built carelessly. It simply does not produce the kind of output that can be publicly indexed and ranked.

Consider what it actually takes. A security architect designing a zero trust network for a mid-sized enterprise must simultaneously understand the threat model — who is likely to attack, with what techniques, targeting what assets — and translate that understanding into an infrastructure design that accounts for legacy equipment, cloud integrations, third-party vendor access, mobile users, regulatory constraints, operational uptime requirements, and a budget that is never sufficient. They must model the system not as it is designed to work, but as an adversary will probe it. Then they must communicate all of that, persuasively, to stakeholders who do not share their technical vocabulary, and who have competing organizational priorities.

Security architects must identify potential threats and vulnerabilities and design controls that mitigate risk within acceptable levels, using threat modeling techniques and risk management methodologies — while liaising with senior management, business stakeholders, and various IT teams. They must design systems for rapid recovery and containment of breaches, anticipating attacker tactics and incorporating resilience into security designs. 

That is a description of a role requiring deep technical mastery, sophisticated systems thinking, and advanced interpersonal and organizational skills — all simultaneously, all the time, with the additional pressure that failure is catastrophic and success is invisible. And the market compensation and cultural recognition for this role trails what a high-performing bug bounty hunter can earn in a good month.

The most resilient organizations are not the ones with the most expensive tools — they are the ones that prioritize clarity, simplicity, and the ability to quantify cyber-physical risk in terms that resonate with business leadership. But there is a persistent language barrier between the engineers who understand technical depth and the practitioners who understand organizational context — a gap that even decades of investment in the field have not closed.

That language barrier is, in part, a prestige problem. We have built a professional culture that treats technical offensive skills as the gold standard and treats organizational, communicative, and architectural skills as supporting competencies — nice to have, but secondary. This hierarchy has consequences. The most important work in cybersecurity — designing systems that do not fail — is done by people who are systematically undervalued relative to the people whose work depends on those systems having failed.


Part IV: The Certification Paradox

Walk through the most sought-after cybersecurity certifications and observe where the cultural weight sits. The Certified Ethical Hacker. The Offensive Security Certified Professional. GPEN, GXPN, OSCP, OSWP — the constellation of offensive credentials that signal technical prowess in the art of finding and exploiting weaknesses.

These certifications produce a demonstrable, testable output: can you compromise this system? The answer is binary and observable. You either get the flag or you do not. The skills being tested — reconnaissance, exploitation, lateral movement, persistence — are inherently dramatic. They make for compelling course content and satisfying practical exercises.

Now consider what a certification in secure system design would need to test. Can you architect a system that resists a sophisticated adversary across a five-year lifecycle while remaining operationally maintainable, cost-effective, and compliant with three overlapping regulatory frameworks? Can you explain that architecture to a board of directors who have thirty minutes and no technical background? Can you negotiate with a product team to include security controls in a release schedule without causing the project to miss its deadline? Can you manage a team of analysts experiencing chronic alert fatigue while maintaining detection coverage across an expanding attack surface?

These are not testable in a four-hour practical exam. They are demonstrated over years of work that leaves no single, indexable artifact — no CVE number, no hall of fame entry, no bounty receipt. ISACA's 2025 report found that 59% of organizations list soft skills as the top skills gap in their cybersecurity teams. The profession acknowledges the problem. It has not built the recognition infrastructure to address it. 


Part V: The Trophy Problem — A Thought Experiment

Imagine if the software engineering world operated the way cybersecurity does. The most celebrated engineers would be those who discovered the most bugs in code that their colleagues wrote. The leaderboards would rank people by how many production defects they found after deployment. The prestigious credentials would certify your ability to break running systems. The hall of fame would enshrine the greatest bug finders in the history of the industry.

Now imagine what that incentive structure would do to the culture of software development. Why invest in writing clean, secure, well-tested code if the reward system is structured around finding errors rather than preventing them? Why develop the deep architectural judgment required to build systems that do not fail if the recognition flows to those who demonstrate that failures exist?

This is not a hypothetical. This is, approximately, what cybersecurity has built. And the consequences are visible everywhere: in the persistent underinvestment in secure-by-design engineering, in the chronic shortage of professionals who can build security culture inside organizations, in the systematic preference for breach response over breach prevention, in the fact that we have rich, detailed public records of every significant vulnerability ever found, and essentially no public record of the systems that have held.


Part VI: What Recognition Infrastructure Would Actually Look Like

The argument here is not that bug bounty programs should be dismantled or that CVE recognition should be abolished. Offensive security research is genuinely valuable. The argument is that the absence of equivalent recognition infrastructure on the defensive and engineering side of the profession is not neutral — it actively shapes career incentives, educational priorities, hiring decisions, and organizational investment patterns in ways that make the entire field less effective.

What would it look like to take the other side of the ledger seriously?

It would mean industry recognition programs that specifically celebrate organizations and individuals who have achieved measurable defensive outcomes: years without a material breach, quantified reductions in attack surface, successful implementation of security architectures that withstood real adversarial activity. Not just incident response — prevention.

It would mean credentialing systems that assess the skills that defense actually requires: threat modeling, security architecture review, risk communication to executive and board audiences, cross-functional security program leadership, vendor risk management, security culture building. Skills that are currently evaluated informally, if at all, in most hiring processes.

It would mean educational pipelines that treat the builder and the breaker as equally valuable archetypes — not sequentially, where you learn to break things first and then maybe learn to build them securely later, but in parallel, with equal investment in the judgment, communication, and organizational skills that resilient defense demands.

And it would mean a cultural shift in how the industry talks about itself. The breach story will always be more dramatic than the architecture that prevented one. The zero-day will always have more narrative energy than the patch cycle that kept it from mattering. But the cybersecurity profession is, at its core, in the business of prevention — and a profession that cannot find ways to celebrate its own core mission will always struggle to attract and retain the people who are best at it.


Conclusion: The Name on the Wall We Are Not Writing

Somewhere in a company you have never heard of, a security engineer just finished a six-month project to implement network segmentation across an industrial control environment. The project came in slightly over budget and slightly behind schedule. It required 200 conversations with operations teams who did not want the change, three presentations to a board that did not fully understand what they were approving, and one very difficult negotiation with a CFO who wanted to cut the scope by half.

The segmentation is now in place. An adversary who will never be publicly identified probed that network last month, found the new boundaries, and moved on to a softer target. The two million customers whose data, water, or power that engineer protects will never know their name.

The top 100 all-time earners on HackerOne are listed publicly, their earnings visible, their reputations indexed and searchable by every employer in the industry. 

The engineer who just prevented the breach that never happened is not on any list. Their name is on no hall of fame. There is no CVE number attached to their work, no bounty receipt, no leaderboard ranking. Their success looks, from the outside, like nothing at all.

We have built an entire industry recognition infrastructure around the people who find the holes. It is past time to build one for the people who refuse to leave them.