HackerOne

Last updated
HackerOne Inc.
Company typePrivate
Industry Cybersecurity
Founded2012;12 years ago (2012)
FoundersMichiel Prins, Jobert Abma, Alex Rice and Merijn Terheggen
Headquarters San Francisco, California
Key people
 Kara Sprague (CEO)
Website hackerone.com

HackerOne is a company specializing in cybersecurity, specifically attack resistance management, which blends the security expertise of ethical hackers with asset discovery, continuous assessment, and process enhancement to find and close gaps in the digital attack surface. [1] It was one of the first companies to embrace and utilize crowd-sourced security and cybersecurity researchers as linchpins of its business model; pioneering bug bounty and coordinated vulnerability disclosure. [2] As of December 2022, HackerOne's network had paid over $230 million in bounties. [3] HackerOne's customers include The U.S. Department of Defense, General Motors, GitHub, Goldman Sachs, Google, Hyatt, Lufthansa, Microsoft, MINDEF Singapore, Nintendo, PayPal, Slack, Twitter, and Yahoo.

Contents

History

In 2011, Dutch hackers Jobert Abma and Michiel Prins attempted to find security vulnerabilities in 100 prominent high-tech companies. They discovered flaws in all of the companies, including Facebook, Google, Apple, Microsoft, and Twitter. Dubbing their efforts the "Hack 100", Abma and Prins contacted the at-risk firms. While many firms ignored their disclosure attempts, the COO of Facebook, Sheryl Sandberg, passed on the warning to their head of product security, Alex Rice. Rice, Abma and Prins connected, and together with Merijn Terheggen founded HackerOne in 2012. [2] In November 2015, Terheggen stepped down from his role as CEO and was replaced by Marten Mickos. [4] In November 2013, the company hosted a program encouraging the discovery and responsible disclosure of software bugs. Microsoft and Facebook funded the initiative, known as the Internet Bug Bounty project. [5] By June 2015, HackerOne's bug bounty platform had identified approximately 10,000 vulnerabilities and paid researchers over $1 million in bounties. [6] In September 2015, the company launched a Vulnerability Coordination Maturity Model, which then-policy chief Katie Moussouris described as “an important effort from HackerOne to codify some reasonable minimum standards on how organizations handle incoming, unsolicited vulnerability reports.” [1] In April 2017, the company announced 240% year-over-year customer growth in Europe, and the subsequent opening of additional European offices to serve increasing customer demand. [7]

In April 2022, HackerOne acquired PullRequest, a code-review-as-a-service platform. [8]

Funding

In May 2014, HackerOne received $9 million (USD) in Series A funding from venture capital firm Benchmark. [9] [10] A $25 million Series B round was led by New Enterprise Associates. [11] Angel investors include Salesforce CEO Marc Benioff, Digital Sky Technologies founder Yuri Milner, Dropbox chief executive Drew Houston and Yelp CEO Jeremy Stoppelman. [6] [12] A Series C round led by Dragoneer Investment Group netted $40 million in February 2017 for a total of $74 million in investments to date. [13] In April 2017, European-based venture capital fund EQT Ventures invested in the $40 million Series C funding round. [7] In 2019, the company raised $36 million in Series D funding led by Valor Equity Partners. [14]

U.S. Department of Defense Programs

In March 2016, the U.S. Department of Defense (DoD) launched an initiative dubbed "Hack the Pentagon" using the HackerOne platform. [15] [16] The 24-day program resulted in the discovery and mitigation of 138 vulnerabilities in DoD websites, with over $70,000 (USD) in bounties paid to participating researchers. [17]

In October of the same year, DoD developed a Vulnerability Disclosure Policy (VDP), the first of its kind created for the U.S. government. The policy outlines the conditions under which cybersecurity researchers may legally explore front-facing programs for security vulnerabilities. The first use of the VDP launched as part of the "Hack the Army" initiative, which was also the first time this branch of the U.S. military welcomed hackers to find and report security flaws in its systems. [18] [19]

The Hack the Army initiative resulted in 118 valid vulnerability reports; 371 participants, including 25 government workers and 17 military personnel, took part. Approximately $100,000 (USD) in total was awarded to participating researchers. [20]

In May 2017, DoD extended the program to "Hack the Air Force". This program led to the discovery of 207 vulnerabilities, netting more than $130,000 (USD) in paid bounties. As at the end of 2017, DoD had learned of and fixed thousands of vulnerabilities through their vulnerability disclosure initiatives. [21]

Events and live hacking

In February 2017, HackerOne sponsored an invitation-only hackathon, gathering security researchers from around the world to hack e-commerce sites Airbnb and Shopify for vulnerabilities. [22] This was the second such hackathon, with the company hosting one in Las Vegas in August 2016 during the Black Hat Security Conference. [23] In 2018, HackerOne hosted Live Hacking events in cities across the US and Asia. Asia (India) representatives won the first place with $1 million bounty cash been awarded to Mohana Rangam . [24] And over $1 million in bounty cash was awarded at the next events, with Oath Inc. (now called Verizon Media) paying over $400,000 in bounties during a single event in San Francisco, CA in April 2018. [25]

In October 2017, HackerOne hosted their first conference, called Security@ San Francisco. The 200-attendee event included speakers from DoD, General Motors and Uber and also featured talks from hackers. [26]

Courses

HackerOne has an online course to help people find bugs in a security system and other cybersecurity techniques. [27] Each crowd-source security platform will have a different approach and a specific goal it focuses on. [28] HackerOne primarily focuses on penetration testing services with security certifications, including ISO 27001 and FedRAMP authorization. While others in the field, like Bugcrowd, focus on attack surface management and a broad spectrum of penetration testing services for IoT, API, and even networks. [28]

Locations

HackerOne is headquartered in San Francisco. The company maintains a development office in Groningen, Netherlands. [29] In April 2017, the company announced the addition of offices in London, UK and Germany. [7]

See also

Related Research Articles

A white hat is an ethical security hacker. Ethical hacking is a term meant to imply a broader category than just penetration testing. Under the owner's consent, white-hat hackers aim to identify any vulnerabilities or security issues the current system has. The white hat is contrasted with the black hat, a malicious hacker; this definitional dichotomy comes from Western films, where heroic and antagonistic cowboys might traditionally wear a white and a black hat, respectively. There is a third kind of hacker known as a grey hat who hacks with good intentions but at times without permission.

<span class="mw-page-title-main">Hackathon</span> Event in which groups of software developers work at an accelerated pace

A hackathon is an event where people engage in rapid and collaborative engineering over a relatively short period of time such as 24 or 48 hours. They are often run using agile software development practices, such as sprint-like design wherein computer programmers and others involved in software development, including graphic designers, interface designers, product managers, project managers, domain experts, and others collaborate intensively on engineering projects, such as software engineering.

<span class="mw-page-title-main">Mårten Mickos</span> Finnish businessman

Mårten Gustaf Mickos is a technology executive based in San Francisco. He is the current CEO of HackerOne, a security vulnerability coordination and bug bounty platform.

Trellix is a privately held cybersecurity company that was founded in 2022. It has been involved in the detection and prevention of major cybersecurity attacks. It provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks.

Veracode is an application security company based in Burlington, Massachusetts. Founded in 2006, it provides SaaS application security that integrates application analysis into development pipelines.

Imperva, Inc. is an American cyber security software and services company which provides protection to enterprise data and application software. The company is headquartered in San Mateo, California.

<span class="mw-page-title-main">Palo Alto Networks</span> American technology company

Palo Alto Networks, Inc. is an American multinational cybersecurity company with headquarters in Santa Clara, California. The core product is a platform that includes advanced firewalls and cloud-based offerings that extend those firewalls to cover other aspects of security. The company serves over 70,000 organizations in over 150 countries, including 85 of the Fortune 100. It is home to the Unit 42 threat research team and hosts the Ignite cybersecurity conference. It is a partner organization of the World Economic Forum.

Wickr is an American software company based in New York City. It is known for its instant messaging application of the same name. The Wickr instant messaging apps allow users to exchange end-to-end encrypted and content-expiring messages, and are designed for iOS, Android, Mac, Windows, and Linux operating systems. Wickr was acquired by Amazon Web Services (AWS) in mid-2021. The free version of the app was discontinued in December 2023.

A bug bounty program is a deal offered by many websites, organizations, and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.

<span class="mw-page-title-main">Katie Moussouris</span> American computer security researcher, entrepreneur, and pioneer in vulnerability disclosure

Katie Moussouris is an American computer security researcher, entrepreneur, and pioneer in vulnerability disclosure, and is best known for her ongoing work advocating responsible security research. Previously a member of @stake, she created the bug bounty program at Microsoft and was directly involved in creating the U.S. Department of Defense's first bug bounty program for hackers. She previously served as Chief Policy Officer at HackerOne, a vulnerability disclosure company based in San Francisco, California, and currently is the founder and CEO of Luta Security.

<span class="mw-page-title-main">Synack</span>

Synack is an American technology company based in Redwood City, California, United States. The company uses a crowdsourced network of white-hat hackers to find exploitable vulnerabilities and a SaaS platform enabled by AI and machine learning to identify these vulnerabilities. Customers include government agencies and businesses in retail, healthcare, and the manufacturing industry.

<span class="mw-page-title-main">Rafay Baloch</span> Pakistani ethical hacker and security researcher (born 1993)

Rafay Baloch is a Pakistani ethical hacker and security researcher. He has been featured and known by both national and international media and publications like Forbes, BBC, The Wall Street Journal, The Express Tribune and TechCrunch. He has been listed among the "Top 5 Ethical Hackers of 2014" by CheckMarx. Subsequently he was listed as one of "The 15 Most Successful Ethical Hackers WorldWide" and among "Top 25 Threat Seekers" by SCmagazine. Baloch has also been added in TechJuice 25 under 25 list for the year 2016 and got 13th rank in the list of high achievers. Reflectiz, a cyber security company, released the list of "Top-21 Cybersecurity Experts You Must Follow on Twitter in 2021" recognizing Rafay Baloch as the top influencer. On 23 March 2022, ISPR recognized Rafay Baloch's contribution in the field of Cyber Security with Pride for Pakistan award. In 2021, Islamabad High court designated Rafay Baloch as an amicus curia for a case concerning social media regulations.

Between May and July 2017, American credit bureau Equifax was breached. Private records of 147.9 million Americans along with 15.2 million British citizens and about 19,000 Canadian citizens were compromised in the breach, making it one of the largest cybercrimes related to identity theft. Equifax discovered the breach end of July, but did not disclose it to the public until September 2017. In a settlement with the United States Federal Trade Commission, Equifax offered affected users settlement funds and free credit monitoring.

<span class="mw-page-title-main">Saudi Federation for Cybersecurity, Programming and Drones</span>

The Saudi Federation For Cybersecurity, Programming and Drones (SAFCSP) is a national institution in Saudi Arabia aiming at developing professional skills in the fields of cybersecurity and programming.

Jack Cable is an American computer security researcher and software developer who currently serves as a Senior Technical Advisor at the Cybersecurity and Infrastructure Security Agency. He is best known for his participation in bug bounty programs, including placing first in the U.S. Department of Defense's Hack the Air Force challenge. Cable began working for the Pentagon's Defense Digital Service in the summer of 2018.

Bugcrowd is a crowdsourced security platform. It was founded in 2012, and in 2019 it was one of the largest bug bounty and vulnerability disclosure companies on the internet. Bugcrowd runs bug bounty programs and also offers a range of penetration testing services it refers to as "Penetration Testing as a Service" (PTaaS), as well as attack surface management.

Checkmarx is an enterprise application security company specializing in static application security testing (SAST) headquartered in Atlanta, Georgia in the United States.

YesWeHack is a global security company headquartered in Paris, France. It provides a crowdsourced platform for bug bounty programs where ethical hackers can report security exploits and vulnerabilities. It was founded in 2015 by Guillaume Vassault-Houlière, Manuel Dorne and Romain Lecoeuvre.

<span class="mw-page-title-main">John Jackson (hacker)</span> Security researcher

John Jackson also known as Mr. Hacking, is an American security researcher and founder of the white-hat hacking group Sakura Samurai.

Joe Sullivan is an American Internet security expert. Having served as a federal prosecutor with the United States Department of Justice, he worked as a CSO at Facebook, Uber and Cloudflare. For his role in covering up the 2016 data breaches at Uber, he was convicted in October 2022 on federal felony charges of obstruction and misprision. In January 2023, he took on the role of CEO of Ukraine Friends, a nonprofit focused on humanitarian aid to Ukraine.

References

  1. 1 2 HackerOne (2022). "HackerOne: Close the gap on attackers" . Retrieved 2023-02-02.
  2. 1 2 "HackerOne connects hackers with companies and hopes for a win-win". The New York Times. June 7, 2015. Retrieved October 28, 2015.
  3. "6th Annual Hacker-Powered Security Report". HackerOne. December 12, 2022. Retrieved 2023-02-02.
  4. "Serial CEO Marten MIckos takes the reins at HackerOne". Fortune. Retrieved 2017-03-15.
  5. "The Big Business of Smashing Bugs". Bloomberg.com. 2015-03-12. Retrieved 2017-03-15.
  6. 1 2 "HackerOne, a computer bug bounty firm, raises $25 million in Series B". Fortune. Retrieved 2017-03-15.
  7. 1 2 3 "HackerOne Strengthens Presence in Europe Amid Growing Demand for Hacker-Powered Security". BusinessWire. 2017-04-10. Retrieved 2018-07-27.
  8. "HackerOne buys YC-backed PullRequest to add code review to bug-squashing platform". TechCrunch. 28 April 2022. Retrieved 2022-05-05.
  9. Miller, Ron (28 May 2014). "HackerOne Get $9M In Series A Funding To Build Bug Tracking Bounty Programs". TechCrunch. Retrieved 2017-03-15.
  10. Vanian, Jonathan (2014-05-28). "HackerOne lands $9 million to aid in its bug-disclosure program". gigaom.com. Archived from the original on 2015-12-03. Retrieved 2017-03-15.
  11. Osborne, Charlie. "HackerOne raises $25 million in vulnerability management push". ZDNet. Retrieved 2017-03-15.
  12. "HackerOne raises $25M to make the Internet safer via bug bounty programs". VentureBeat. 24 June 2015. Retrieved 2017-03-15.
  13. "HackerOne Raises $40 Million to Make the Internet Safer for Everyone". www.businesswire.com (Press release). 8 February 2017. Retrieved 2017-03-15.
  14. "HackerOne just closed a new round of funding that brings its total funding to $110 million". TechCrunch. 8 September 2019. Retrieved 2020-08-13.
  15. "DoD Invites Vetted Specialists to 'Hack' the Pentagon". U.S. DEPARTMENT OF DEFENSE. Retrieved 2017-03-15.
  16. "'Hack the Pentagon' Pilot Program Opens for Registration". U.S. DEPARTMENT OF DEFENSE. Retrieved 2017-03-15.
  17. Conger, Kate (17 June 2016). "Department of Defense expanding Hack the Pentagon program". TechCrunch. Retrieved 2017-03-15.
  18. Osborne, Charlie. "DoD, HackerOne kick off Hack the Army bug bounty challenge". ZDNet. Retrieved 2017-03-15.
  19. "Army's first bug bounty uncovers entry point to sensitive DoD network". FederalNewsRadio.com. 2017-01-24. Retrieved 2017-03-15.
  20. "Hackers Found 118 Valid Vulnerabilities During Army Bug Bounty Program - Executive Gov". Executive Gov. Retrieved 2017-03-15.
  21. Newman, Lily Hay (2017-11-10). "The Pentagon Opened up to Hackers--And Fixed Thousands of Bugs". Wired. Retrieved 2018-07-27.
  22. "'Ethical hackers' work with Airbnb, Shopify". SFGate. Retrieved 2017-03-15.
  23. HackerOne (2017-02-10), h1-702 Las Vegas Hackathon , retrieved 2017-03-15
  24. HackerOne (2018). "Live Hacking". HackerOne.
  25. Nims, Chris (2018-04-20). "We invited 40 of the world's best security researchers to hack our products. Here's what happened". Oath. Retrieved 2018-07-27.
  26. "Introducing Security@ San Francisco!". HackerOne. 2017-10-17. Retrieved 2018-07-27.
  27. "How To Earn Money As A Bug Bounty Hunter". lifehacker.com.au. 25 August 2017.
  28. 1 2 "Top 5 Bug Bounty Platforms to Watch in 2021". thehackernews.com. 8 February 2021.
  29. Kootstra, Richard (2016-02-14). "HackerOne: Founded in Groningen, kicking ass in San Francisco". Founded in Groningen. Archived from the original on 2018-07-28. Retrieved 2018-07-27.

Further reading

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.