Skip to Content

Startup Offers Free ‘Bug Bounty’ Help to Open Source Projects

photography by Albert Law : www.porkbellystudio.comphotography by Albert Law :
HackerOne CEO Marten Mickos.Photograph by Albert Law

Many people don’t realize much of the Internet is built on free software. Even giant companies like Facebook, Google, and Amazon rely extensively on big libraries of code—known as “open source” software”—written by thousands of programmers, who share their work with everyone.

But no software is perfect. Like the proprietary code developed by many companies, open source software contains flaws that hackers can exploit to steal information or spread viruses. That’s why a new initiative to patch those holes is important.

On Thursday, a startup called HackerOne announced it will offer its bug bounty management services, which helps discover flaws in software, to open source projects free of charge.

If you’re unfamiliar, bug bounties work by offering altruistic hackers a reward (typically cash) to disclose software vulnerabilities they discover. The bounties are offered by a growing number of companies, from Apple to General Motors, and are effective because they let companies patch software problems before a malicious hacker can find and exploit them first.

While there is already such a program for open source projects, called The Internet Bug Bounty, the new HackerOne initiative is likely to direct more attention to these projects.

The reason is because HackerOne, which just raised a $40 million investment round in February, acts as a hub for a huge community of hackers, who use the company as a conduit to report their discoveries. Acting as an intermediary, HackerOne takes the information it gets from the hackers and presents it to those responsible for software—who in turn use HackerOne to distribute the rewards.

Get Data Sheet, Fortune’s technology newsletter.

In a blog post announcing the new initiative, HackerOne noted that many open source projects—such as Ruby, Rails, Discourse, Django, GitLab, Brave, and Sentry—are already using the company’s services. HackerOne also encouraged other open source projects, including lesser known ones, to apply to be included as well.

“Put simply, eligible open source projects will receive the powerful HackerOne Professional service for free. This will provide vulnerability submission, coordination, dupe detection, analytics, and bounty programs for your projects. It greatly simplifies how you define scope, receive vulnerability reports, manage those reports, and incentivize security researchers to help harden your project,” said the company.

Here is a screenshot that shows a sample of the dashboard HackerOne provides to its users to discuss vulnerabilities:

HackerOne screenshot

In an interview with Fortune, HackerOne CEO Marten Mickos says the company regards its new initiative, called Community Edition, as a way of giving back. Just as other companies such as Amazon Web Services (AMZN) and GitHub provide open source projects with services free of charge, Mickos says HackerOne wants to do the same on the bug bounty front.

As for rewards, Mickos says cash bounties will come from the Internet Bug Bounty but that, in his experience, that will often be unnecessary.

“Many hackers say, ‘If it’s an open source project, I’ll hack for free. A lot of that goes on. There’s so many good people out there,” he says.

Mickos also notes open source projects typically result in stronger software because they are built with more collaboration. But he hopes the new HackerOne initiative will provide a way for the projects to ask hackers for extra help in boosting their security.

“Coming from the open source world myself, I know you don’t push your solution,” Mickos says. “You show your value, and they will come to you.”