HackerOne

{{Infobox company

| name = HackerOne Inc.

| logo = Logo of HackerOne.svg

| type = Private

| industry = Cybersecurity

| founded = {{Start date and age|2012}}

| founders = Michiel Prins, Jobert Abma, Alex Rice and Merijn Terheggen

| hq_location = San Francisco, California

| key_people = Kara Sprague (CEO)

| website = {{URL|https://hackerone.com}}

}}

HackerOne Inc. is a cybersecurity operations technology company managed by certified information system security professionals who conduct vulnerability threat assessments to identify bugs found on a website, application or server. It was one of the first companies to embrace and utilize crowd-sourced security and cybersecurity researchers as linchpins of its business model; pioneering bug bounty and coordinated vulnerability disclosure.{{Cite news|url=https://www.nytimes.com/2015/06/08/technology/hackerone-connects-hackers-with-companies-and-hopes-for-a-win-win.html?_r=0|title=HackerOne connects hackers with companies and hopes for a win-win.|date=June 7, 2015|work=The New York Times|access-date=October 28, 2015}} As of December 2022, HackerOne's network had paid over $230 million in bounties.{{Cite news|url=https://www.hackerone.com/6th-annual-hacker-powered-security-report|title=6th Annual Hacker-Powered Security Report.|date=December 12, 2022|work=HackerOne|access-date=2023-02-02}} HackerOne's customers include U.S. Department of State, U.S. Department of Defense, General Motors, GitHub, Goldman Sachs, Chaturbate, Google, Hyatt, Lufthansa, Microsoft, MINDEF Singapore, Nintendo, PayPal, Slack, Twitter, and Yahoo.

History

In 2011, Dutch hackers Jobert Abma and Michiel Prins attempted to find security vulnerabilities in 100 prominent high-tech companies. They discovered flaws in all of the companies, including Facebook, Google, Apple, Microsoft, and Twitter. Dubbing their efforts the "Hack 100", Abma and Prins contacted the at-risk firms. While many firms ignored their disclosure attempts, the COO of Facebook, Sheryl Sandberg, passed on the warning to their head of product security, Alex Rice. Rice, Abma and Prins connected, and together with Merijn Terheggen founded HackerOne in 2012. In November 2015, Terheggen stepped down from his role as CEO and was replaced by Marten Mickos.{{Cite web|url=http://fortune.com/2015/11/11/serial-ceo-marten-at-hackerone/|title=Serial CEO Marten MIckos takes the reins at HackerOne|website=Fortune|access-date=2017-03-15}}

In November 2013, the company hosted a program encouraging the discovery and responsible disclosure of software bugs. Microsoft and Facebook funded the initiative, known as the Internet Bug Bounty project.{{Cite news|url=https://www.bloomberg.com/news/articles/2015-03-12/ethical-hackers-booming-job-market|title=The Big Business of Smashing Bugs|date=2015-03-12|work=Bloomberg.com|access-date=2017-03-15}} By June 2015, HackerOne's bug bounty platform had identified approximately 10,000 vulnerabilities and paid researchers over $1 million in bounties.{{Cite web|url=http://fortune.com/2015/06/24/hackerone-raises-series-b/|title=HackerOne, a computer bug bounty firm, raises $25 million in Series B|website=Fortune|access-date=2017-03-15}} In September 2015, the company launched a Vulnerability Coordination Maturity Model, which then-policy chief Katie Moussouris described as “an important effort from HackerOne to codify some reasonable minimum standards on how organizations handle incoming, unsolicited vulnerability reports.”{{Cite news|url=https://www.hackerone.com/solutions/attack-resistance-management|title=HackerOne: Close the gap on attackers|last=HackerOne|date=2022|access-date=2023-02-02|language=en}} In April 2017, the company announced 240% year-over-year customer growth in Europe, and the subsequent opening of additional European offices to serve increasing customer demand.{{Cite news|url=http://www.businesswire.com/news/home/20170410005453/en/HackerOne-Strengthens-Presence-Europe-Growing-Demand-Hacker-Powered|title=HackerOne Strengthens Presence in Europe Amid Growing Demand for Hacker-Powered Security|date=2017-04-10|work=BusinessWire|access-date=2018-07-27}}

In April 2022, HackerOne acquired PullRequest, a code-review-as-a-service platform.{{Cite web |title=HackerOne buys YC-backed PullRequest to add code review to bug-squashing platform |url=https://techcrunch.com/2022/04/28/hackerone-buys-yc-backed-pullrequest-to-add-code-review-to-bug-squashing-platform/ |access-date=2022-05-05 |website=TechCrunch |date=28 April 2022 |language=en-US}}

Funding

In May 2014, HackerOne received $9 million (USD) in Series A funding from venture capital firm Benchmark.{{Cite web|url=https://techcrunch.com/2014/05/28/hackerone-get-9m-in-series-a-funding-to-build-bug-tracking-bounty-programs/|title=HackerOne Get $9M In Series A Funding To Build Bug Tracking Bounty Programs|last=Miller|first=Ron|website=TechCrunch|date=28 May 2014 |access-date=2017-03-15}}{{Cite web|url=https://gigaom.com/2014/05/28/hackerone-lands-9-million-to-aid-in-its-bug-disclosure-program/|title=HackerOne lands $9 million to aid in its bug-disclosure program|last=Vanian|first=Jonathan|date=2014-05-28|website=gigaom.com|language=en-US|access-date=2017-03-15|archive-date=2015-12-03|archive-url=https://web.archive.org/web/20151203224046/https://gigaom.com/2014/05/28/hackerone-lands-9-million-to-aid-in-its-bug-disclosure-program/|url-status=dead}} A $25 million Series B round was led by New Enterprise Associates.{{Cite news|url=https://www.zdnet.com/article/hackerone-raises-25-million-in-vulnerability-management-push/|title=HackerOne raises $25 million in vulnerability management push|last=Osborne|first=Charlie|work=ZDNet|access-date=2017-03-15|language=en}} Angel investors include Salesforce CEO Marc Benioff, Digital Sky Technologies founder Yuri Milner, Dropbox chief executive Drew Houston and Yelp CEO Jeremy Stoppelman.{{Cite web|url=https://venturebeat.com/2015/06/24/hackerone-raises-25m-to-make-the-internet-safer-via-bug-bounty-programs/|title=HackerOne raises $25M to make the Internet safer via bug bounty programs|website=VentureBeat|date=24 June 2015 |access-date=2017-03-15}} A Series C round led by Dragoneer Investment Group netted $40 million in February 2017 for a total of $74 million in investments to date.{{Cite press release|url=http://www.businesswire.com/news/home/20170208005334/en/HackerOne-Raises-40-Million-Internet-Safer|title=HackerOne Raises $40 Million to Make the Internet Safer for Everyone|website=www.businesswire.com|date=8 February 2017 |language=en|access-date=2017-03-15}} In April 2017, European-based venture capital fund EQT Ventures invested in the $40 million Series C funding round. In 2019, the company raised $36 million in Series D funding led by Valor Equity Partners.{{Cite web|title=HackerOne just closed a new round of funding that brings its total funding to $110 million|url=https://techcrunch.com/2019/09/08/hackerone-just-closed-a-new-round-of-funding-that-brings-its-total-funding-to-110-million/|access-date=2020-08-13|website=TechCrunch|date=8 September 2019 |language=en-US}}

U.S. Department of Defense Programs

In March 2016, the U.S. Department of Defense (DoD) launched an initiative dubbed "Hack the Pentagon" using the HackerOne platform.{{Cite news|url=https://www.defense.gov/News/News-Stories/Article/Article/684616/dod-invites-vetted-specialists-to-hack-the-pentagon/|title=DoD Invites Vetted Specialists to 'Hack' the Pentagon|work=U.S. DEPARTMENT OF DEFENSE|access-date=2017-03-15|language=en-US}}{{Cite news|url=http://www.defense.gov/Newsroom/News/Article/Article/710033/hack-the-pentagon-pilot-program-opens-for-registration|title='Hack the Pentagon' Pilot Program Opens for Registration|work=U.S. DEPARTMENT OF DEFENSE|access-date=2017-03-15|language=en-US}} The 24-day program resulted in the discovery and mitigation of 138 vulnerabilities in DoD websites, with over $70,000 (USD) in bounties paid to participating researchers.{{Cite web|url=https://techcrunch.com/2016/06/17/department-of-defense-expanding-hack-the-pentagon-program/|title=Department of Defense expanding Hack the Pentagon program|last=Conger|first=Kate|website=TechCrunch|date=17 June 2016 |access-date=2017-03-15}}

In October of the same year, DoD developed a Vulnerability Disclosure Policy (VDP), the first of its kind created for the U.S. government. The policy outlines the conditions under which cybersecurity researchers may legally explore front-facing programs for security vulnerabilities. The first use of the VDP launched as part of the "Hack the Army" initiative, which was also the first time this branch of the U.S. military welcomed hackers to find and report security flaws in its systems.{{Cite news|url=https://www.zdnet.com/article/dod-hackerone-kick-off-hack-the-army-bug-bounty-challenge/|title=DoD, HackerOne kick off Hack the Army bug bounty challenge|last=Osborne|first=Charlie|work=ZDNet|access-date=2017-03-15|language=en}}{{Cite news|url=http://federalnewsradio.com/dod-reporters-notebook-jared-serbu/2017/01/armys-first-bug-bounty-uncovers-entry-points-sensitive-dod-networks/|title=Army's first bug bounty uncovers entry point to sensitive DoD network|date=2017-01-24|work=FederalNewsRadio.com|access-date=2017-03-15|language=en-US}}

The Hack the Army initiative resulted in 118 valid vulnerability reports; 371 participants, including 25 government workers and 17 military personnel, took part. Approximately $100,000 (USD) in total was awarded to participating researchers.{{Cite news|url=http://www.executivegov.com/2017/01/hackers-found-118-valid-vulnerabilities-during-army-bug-bounty-program/|title=Hackers Found 118 Valid Vulnerabilities During Army Bug Bounty Program - Executive Gov|work=Executive Gov|access-date=2017-03-15|language=en-US}}

In May 2017, DoD extended the program to "Hack the Air Force". This program led to the discovery of 207 vulnerabilities, netting more than $130,000 (USD) in paid bounties. As at the end of 2017, DoD had learned of and fixed thousands of vulnerabilities through their vulnerability disclosure initiatives.{{Cite magazine|url=https://www.wired.com/story/hack-the-pentagon-bug-bounty-results/|title=The Pentagon Opened up to Hackers--And Fixed Thousands of Bugs|last=Newman|first=Lily Hay|date=2017-11-10|magazine=Wired|access-date=2018-07-27}}

During August 2022, Defense Digital partnered with the U.S. Air Force at the Air Force Research Laboratory, Lawrence Berkley National Laboratory and USAG Fort Hunter Liggett with live hacking marathon called "Hack the Satellite," an event where hackers were required to hijack a satellite which was launched by the NASA{{Cite news |title=Hack-A-Sat competition highlights on-orbit hacking |url=https://www.afrl.af.mil/News/Article-Display/Article/3341747/hack-a-sat-competition-highlights-on-orbit-hacking/ |archive-url=http://web.archive.org/web/20250216052117/https://www.afrl.af.mil/News/Article-Display/Article/3341747/hack-a-sat-competition-highlights-on-orbit-hacking/ |archive-date=2025-02-16 |access-date=2025-05-28 |work=WIN THE FUTURE |language=en-US}}.

Events and live hacking

In February 2017, HackerOne sponsored an invitation-only hackathon, gathering security researchers from around the world to hack e-commerce sites Airbnb and Shopify for vulnerabilities.{{Cite news|url=http://www.sfgate.com/business/article/Ethical-hackers-work-with-Airbnb-Shopify-10929609.php|title='Ethical hackers' work with Airbnb, Shopify|work=SFGate|access-date=2017-03-15}} This was the second such hackathon, with the company hosting one in Las Vegas in August 2016 during the Black Hat Security Conference.{{Citation|last=HackerOne|title=h1-702 Las Vegas Hackathon|date=2017-02-10|url=https://www.youtube.com/watch?v=LVOXjzd-M7U|access-date=2017-03-15}} In 2018, HackerOne hosted Live Hacking events in cities across the US and Asia. Asia (India) representatives won the first place with $1 million bounty cash been awarded to Mohana Rangam .{{Cite web|url=https://www.hackerone.com/live-hacking|title=Live Hacking|last=HackerOne|date=2018|website=HackerOne}} And over $1 million in bounty cash was awarded at the next events, with Oath Inc. (now called Verizon Media) paying over $400,000 in bounties during a single event in San Francisco, CA in April 2018.{{Cite web|url=https://www.oath.com/2018/04/20/we-invited-40-of-the-world-s-best-security-researchers-to-hack-o/|title=We invited 40 of the world's best security researchers to hack our products. Here's what happened|last=Nims|first=Chris|date=2018-04-20|website=Oath|access-date=2018-07-27}}

In October 2017, HackerOne hosted their first conference, called Security@ San Francisco. The 200-attendee event included speakers from DoD, General Motors and Uber and also featured talks from hackers.{{Cite web|url=https://www.hackerone.com/blog/Introducing-Security-at-San-Francisco|title=Introducing Security@ San Francisco!|date=2017-10-17|website=HackerOne|access-date=2018-07-27}}

Courses

HackerOne has an online course to help people find bugs in a security system and other cybersecurity techniques.{{cite web|url=https://www.lifehacker.com.au/2017/08/how-to-earn-money-as-a-bug-bounty-hunter/|title=How To Earn Money As A Bug Bounty Hunter|date=25 August 2017|website=lifehacker.com.au}} Each crowd-source security platform will have a different approach and a specific goal it focuses on. HackerOne primarily focuses on penetration testing services with security certifications, including ISO 27001 and FedRAMP authorization. While others in the field, like Bugcrowd, focus on attack surface management and a broad spectrum of penetration testing services for IoT, API, and even networks.{{cite web|url=https://thehackernews.com/2021/02/top-5-bug-bounty-programs-to-watch-in.html|title=Top 5 Bug Bounty Platforms to Watch in 2021|date=8 February 2021|website=thehackernews.com}}

Locations

HackerOne is headquartered in San Francisco. The company maintains a development office in Groningen, Netherlands.{{Cite web|url=https://www.foundedingroningen.com/news/hackerone-founded-in-groningen-kicking-ass-in-san-francisco|title=HackerOne: Founded in Groningen, kicking ass in San Francisco|last=Kootstra|first=Richard|date=2016-02-14|website=Founded in Groningen|access-date=2018-07-27|archive-date=2018-07-28|archive-url=https://web.archive.org/web/20180728040202/https://www.foundedingroningen.com/news/hackerone-founded-in-groningen-kicking-ass-in-san-francisco|url-status=dead}} In April 2017, the company announced the addition of offices in London, UK and Germany.