Hackers get a bad rap.
Sure, they break things. They expose vulnerabilities, uncover weaknesses, and find flaws in the system. And yeah, they occasionally embarrass unsuspecting info-guardians, breach networks, and steal data.
But hackers are not all bad. Far from it.
That’s the business premise of San Francisco-based cybersecurity startup HackerOne, which aims to unleash “hackers for good,” as one of the company’s co-founders put it in an interview with Fortune. The firm seeks to shift the economic incentives for security researchers away from nefarious”black hat” hacking—which might involve selling exploits on black markets or to spy agencies—toward responsible disclosure, which means telling organizations when something is wrong with their tech.
“Before, you would get an email with no background, no context with which to build a trusted relationship,”says HackerOne co-founder and CTO Alex Rice, describing the blind, non-collaborative process by which many companies learn of their software vulnerabilities. In some cases, companies might correct the issue without so much as a “thank you.” Worse, they might ignore hackers’ warnings and leave their systems open to attack. Worse yet, they might contact law enforcement and sic investigators on the researchers.
HackerOne’s solution? To help companies set up bug bounty programs: Find a flaw, report it, get paid. Its platform has attracted more than 250 customers including Twitter (TWTR), WordPress, Slack, and Snapchat, and investors have followed suit. On Wednesday the company said that it has raised a series B round of funding worth $25 million, bringing its total funding up to $34 million to date. The round is led by New Enterprise Associates and it includes 10 other high profile angel investors, including Salesforce chairman and CEO Marc Benioff, Dropbox co-founder and CEO Drew Houston, and Digital Sky Technologies founder Yuri Milner. Benchmark, which invested $9 million in a series A round of funding last year, also participated.
“The exciting thing for us is these angel investors have seen the platform work at their companies and they realize what kind of pivotal change it brings to the security of their products and users,” says HackerOne co-founder and CEO Merijn Terheggen, listing off some the company’s other customers, such as Dropbox, Yahoo (YHOO), Adobe (ADBE), Airbnb. “We see a big shift coming toward companies realizing they have to work with people outside to make everyone better.”
Rice adds: “Hackers are able to look for things that might have missed.”
He knows firsthand. When Rice headed the product security team at Facebook (FB), he helped set up its first bug bounty program in 2011. By the time he left a year later to co-found HackerOne, he had recruited a fifth of his team through the program. That’s how he met Terheggen and HackerOne’s other co-founders, Jobert Abma and Michiel Prins, too. “It was wildly successful at Facebook,” he says.
Don’t just take his word for it. So effective has that program been that Facebook COO Sheryl Sandberg sings its praises. In October, Facebook COO Sheryl Sandberg spoke to Fortune senior writer Michal Lev-Ram at Fortune’s 2014 Most Powerful Women Summit, and when asked how Facebook is protecting its users data, she said: “Probably the best thing we’ve done is we have for many years had a bounty program where we say to hackers out there: Find a bug. Find a loophole. Report it to us, and we’ll pay you and close it. And we’ve paid out millions of dollars.”
HackerOne takes a 20% cut on any bounty a company pays out for a bug disclosure. So far, its community of about 1,500 “hackers for good” has received more than $3 million total for helping fix nearly 10,000 bugs. Its staff has grown to 50 today from 10 back when it raised its series A round of funding. In the past two weeks alone, the company has brought 25 more customers onboard.
The company is not alone in its offering. Bugcrowd, another crowdsourcing bug bounty firm, operates similarly but on a subscription model. And Synack, another security company that connects hackers with companies, distinguishes itself on vetting participants through thorough background checks. HackerOne, on the other hand, lets the individuals’ records speak for themselves, building trust between companies and the community over time.
As part of the latest funding deal, New Enterprise Associates general partner Jon Sakoda will join the company’s board of directors. There he’ll accompany Terheggen, Rice, Benchmark general partner Bill Gurley (who joined after his firm invested last year), and mobile security firm Lookout founder and chairman John Hering, a Fortune “40 Under 40” alum. Previously, Sakoda had founded the instant messaging security firm IMlogic, which was acquired by Symantec ([“SYMC”).
“HackerOne is one of the first companies flipping the model around and embracing the large and growing community of ethical hackers,” Sakoda tells Fortune, detailing his interest in the company. “It’s taken a leadership position with some the most valuable targets and the most sophisticated hackers.”
After all, wouldn’t you rather have that community working alongside you, rather than against you?
