HackerOne, a bug bounty and vulnerability discovery platform, specializes in helping corporates and governments keep their digital assets secure. It is powered by so-called white hat hackers who get paid for validated discoveries of weaknesses that could be exploited by bad actors. Customers include Goldman Sachs, Hyatt Hotels, Starbucks, General Motors, the U.S. Department of Defense and governments in Europe and South-East Asia.
HackerOne was founded in 2012 by two Dutch hackers who have been hacking since they were 12 years old. They got their start by knocking on the doors of companies and asking if they could try to hack them. The two promised the companies that if they failed to find a vulnerability in the network they would buy the company a dessert. “They never had to buy the cake,” says HackerOne CEO Marten Mickos, a speaker at the annual DLD conference, which took place in Munich January 18–20.
The company’s business model is based on the notion of a “bug bounty.” It uses a network of freelance hackers who don’t get paid unless they manage to break into a government’s or a company’s network, says Mickos. The hackers are paid $1,000 on average per find, with the most severe vulnerabilities yielding $100,000 for a single find. “For the hackers the pay is enormous but to the companies it is next to nothing. It is the most cost-effective way of finding flaws,” he says. While companies don’t usually like to admit vulnerabilities, “the world is changing,” he says.
The company recently partnered with the U.S. Department of Defense on a challenge called “Hack the Army 2.0.” More than 60 publicly accessible U.S. Army online assets could be targeted by the hackers during the five-week challenge window. The 52 hackers, from countries including the U.S., Canada, Germany and Romania, reported a total of 146 validated vulnerabilities. It took just eight minutes for the startup’s hackers to hack the Air Force, says Mickos.
The U.S. Department of Homeland Security has since announced that it will issue a binding order to civilian agencies telling them they must have a similar program, he says. “The government is saying we must have hackers help us.”
The company has raised $110 million and has spent a little over half of it. It is headquartered in the U.S. and has sales and customer service operations in London and Singapore. About 70% of its business is in the U.S., and it is growing its business in Europe and Asia.