In 2011, Patrick Webster, a security researcher, notified an Australian pension fund manager of a glaring flaw in its website that allowed him to access people’s personal information. The firm, First State Superannuation, returned the favor by sending the police to his home and threatening to sue him.
The incident was a disaster—a masterclass in how not to treat vulnerability researchers. First State Super eventually backed down and thanked Webster, but not before catching considerable flak for its handling of the affair.
Now First State Super has signed on as an investor in Bugcrowd, a San Francisco-based startup that runs bug bounty programs for businesses. The new round of fundraising, led by venture capital firm Triangle Peak Partners, is worth $26 million.
“First State hadn’t at that point had a clear vulnerability disclosure policy and hadn’t built out the muscle, so to speak, of interacting with hackers on the Internet,” says Casey Ellis, Bugcrowd’s founder and, since fall, its chief technology officer. “If you haven’t done that proactively, it’s an inherently threatening process.”
To date, Bugcrowd has managed about 700 bug bounty programs for customers, including Tesla (TSLA), Square (SQ), and Mastercard (MA). The startup has raised just over $50 million in venture capital since its founding in 2012.
Dain DeGroff, Triangle Peak’s cofounder and president and newly added Bugcrowd board member, said that he expects more companies to fire up bug bounty programs in the months to come—even “non-tech companies in the middle of the country.”
“Bug bounties are so early in their penetration” of the corporate world, DeGroff told Fortune on a call. “They’re just scratching the surface.”
Ellis, for one, says he is psyched about his new set of investors—not least because at least one, First State Super, has been through the wringer once and learned from the experience. “When I look at all of the possibilities of what can go right and wrong, that’s one of the examples I point to when things go wrong,” he says, reflecting on the snafu that happened seven years ago.
But First State Super has since savvied up, he says. The firm “caught up in understanding the eccentricities and weirdness of dealing with external hackers and, at the same time, it has learned from the model and they are investing in it now, which I think is incredible.”
Investors in Bugcrowd’s latest round of funding have privately valued the company at $115 million, including the new funds raised, according to data provided by Pitchbook, a site that tracks venture capital deals.
Other investors in the round include past backers Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, Salesforce Ventures, and Stanford as well as new investor Hostplus, another Australian superannuation fund.