Startup Of The Week: HackerOne

HackerOne CEO Marten Mickos

HackerOne, a bug bounty and vulnerability discovery platform, specializes in helping corporates and governments keep their digital assets secure. It is powered by so-called white hat hackers who get paid for validated discoveries of weaknesses that could be exploited by bad actors. Customers include Goldman Sachs, Hyatt Hotels, Starbucks, General Motors, the U.S. Department of Defense and governments in Europe and South-East Asia.

HackerOne was founded in 2012 by two Dutch hackers who have been hacking since they were 12 years old. They got their start by knocking on the doors of companies and asking if they could try and hack them. The two promised the companies that if they failed to find a vulnerability in the network they would buy the company a dessert. “They never had to buy the cake,” says HackerOne CEO Marten Mickos, a speaker at the annual DLD conference, which took place in Munich January 18–20.

The company’s business model is based on the notion of “bug bounty.” It uses a network of freelance hackers who don’t get paid unless they manage to break into a government’s or a corporate’s network, says Mickos. The hackers are paid $1000 on average per find, with the most severe vulnerabilities yielding $100,000 for a single find. “For the hackers the pay is enormous but to the companies it is next to nothing. It is the most cost-effective way of finding flaws,” he says. While companies don’t usually like to admit vulnerabilities, “the world is changing,” he says.

The company recently partnered with the U.S. Department of Defense on a challenge called “Hack the Army 2.0.” There were in excess of 60 publicly accessible U.S. Army online assets that could be targeted by the hackers during the five-week challenge window. The 52 hackers, from countries including the U.S., Canada, Germany and Romania, reported a total of 146 validated vulnerabilities in all. It took just eight minutes for the startup’s hackers to hack the Air Force, says Mickos.

“The U.S. Department of Homeland Security has since announced they will issue a binding order to civilian agencies telling them they must have a similar program,” he says. “The government is saying we must have hackers help us.”

The company has raised $110 million and spent a little bit over half. It is headquartered in the U.S. and has sales and customer service operations in London and Singapore. About 70% of its business is in the U.S. and it is growing its business in Europe and Asia.

About the author

Jennifer L. Schenker

Jennifer L. Schenker, an award-winning journalist, has been covering the global tech industry from Europe since 1985, working full-time, at various points in her career for the Wall Street Journal Europe, Time Magazine, International Herald Tribune, Red Herring and BusinessWeek. She is currently the editor-in-chief of The Innovator, an English-language global publication about the digital transformation of business. Jennifer was voted one of the 50 most inspiring women in technology in Europe in 2015 and 2016 and was named by Forbes Magazine in 2018 as one of the 30 women leaders disrupting tech in France. She has been a World Economic Forum Tech Pioneers judge for 20 years. She lives in Paris and has dual U.S. and French citizenship.