HackerOne turns hacking into legitimate, lucrative work
June 8, 2015
In 2011, two Dutch hackers in their early 20s made a target list of 100 high-tech companies they would try to hack. They found security vulnerabilities in Facebook, Google, Apple, Microsoft, Twitter, and 95 other companies’ systems.
They called their list the Hack 100.
When they alerted executives of those companies, about a third ignored them. Another third thanked them, curtly, but never fixed the flaws, while the rest raced to solve their issues. Thankfully for the young hackers, no one called the police.
Now Michiel Prins and Jobert Abma are among the four cofounders of a San Francisco tech startup that aims to become a mediator between companies with cybersecurity issues and hackers like them who are looking to solve problems rather than cause them. They hope their outfit, HackerOne, can persuade other hackers to report security flaws, rather than exploit them, and connect those “white hats” with companies willing to pay a bounty for their finds.
The startup has persuaded some of the biggest names in tech — including Yahoo, Square, and Twitter — and companies you might never expect, like banks and oil businesses, to work with its service. It has also convinced venture capitalists that, with billions more devices moving online and flaws inevitable in each, HackerOne has the potential to be very lucrative. HackerOne gets a 20 percent commission on top of each bounty paid through its service.
“Every company is going to do this,” said Bill Gurley, a partner at Benchmark, which invested $9 million in HackerOne. “To not try this is brain-dead.”