From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
FoundersMichiel Prins, Jobert Abma, Alex Rice and Merijn Terheggen
HeadquartersSan Francisco, California
Key people
Mårten Mickos (CEO)

HackerOne is a vulnerability coordination and bug bounty platform that connects businesses with penetration testers and cybersecurity researchers.[1] It was one of the first companies, along with Synack and Bugcrowd, to embrace and utilize crowd-sourced security and cybersecurity researchers as linchpins of its business model; it is the largest cybersecurity firm of its kind.[1] As of July 2018, HackerOne's network consisted of approximately 200,000 researchers, had resolved 72,000 vulnerabilities across over 1,000 customer programs, and had paid $31 million in bounties.[2]


In 2011, Dutch hackers Jobert Abma and Michiel Prins attempted to find security vulnerabilities in 100 prominent high-tech companies. They discovered flaws in all of the companies, including Facebook, Google, Apple, Microsoft, and Twitter. Dubbing their efforts the "Hack 100", Abma and Prins contacted the at-risk firms. While many firms ignored their disclosure attempts, the COO of Facebook, Sheryl Sandberg, gave the warning to their head of product security, Alex Rice. Rice, Abma and Prins connected, and together with Merijn Terheggen founded HackerOne in 2012.[1] In November 2015, Terheggen stepped down from his role as CEO and was replaced by Marten Mickos.[3]

In November 2013, the company hosted a program encouraging the discovery and responsible disclosure of software bugs. Microsoft and Facebook funded the initiative, known as the Internet Bug Bounty project.[4] By June 2015, HackerOne's bug bounty platform had identified approximately 10,000 vulnerabilities and paid researchers over $1 million in bounties.[5] In September 2015, the company launched a Vulnerability Coordination Maturity Model, which then-policy chief Katie Moussouris described as “an important effort from HackerOne to codify some reasonable minimum standards on how organizations handle incoming, unsolicited vulnerability reports.”[2] In April 2017, the company announced 240% year-over-year customer growth in Europe, and the subsequent opening of additional European offices to serve increasing customer demand.[6]


In May 2014, HackerOne received $9 million (USD) in Series A funding from venture capital firm Benchmark.[7][8] A $25 million Series B round was led by New Enterprise Associates.[9] Angel investors include Salesforce CEO Marc Benioff, Digital Sky Technologies founder Yuri Milner, Dropbox chief executive Drew Houston and Yelp CEO Jeremy Stoppelman.[5][10] A Series C round led by Dragoneer Investment Group netted $40 million in February 2017 for a total of $74 million in investments to date.[11] In April 2017, European-based venture capital fund EQT Ventures invested in the $40 million Series C funding round.[6]

U.S. Department of Defense Programs[edit]

In March 2016, the U.S. Department of Defense (DoD) launched an initiative dubbed "Hack the Pentagon" using the HackerOne platform.[12][13] The 24-day program resulted in the discovery and mitigation of 138 vulnerabilities in DoD websites, with over $70,000 (USD) in bounties paid to participating researchers.[14]

In October of the same year, DoD developed a Vulnerability Disclosure Policy (VDP), the first of its kind created for the U.S. government. The policy outlines the conditions under which cybersecurity researchers may legally explore front-facing programs for security vulnerabilities. The first use of the VDP launched as part of the "Hack the Army" initiative, which was also the first time this branch of the U.S. military welcomed hackers to find and report security flaws in its systems.[15][16]

The Hack the Army initiative resulted in 118 valid vulnerability reports; 371 participants, including 25 government workers and 17 military personnel, took part. Approximately $100,000 (USD) in total was awarded to participating researchers.[17]

In May 2017, DoD extended the program to "Hack the Air Force". This program led to the discovery of 207 vulnerabilities, netting more than $130,000 (USD) in paid bounties. As of the end of 2017, DoD has learned of and fixed thousands of vulnerabilities through their vulnerability disclosure initiatives.[18]

Events and Live Hacking[edit]

In February 2017, HackerOne sponsored an invitation-only hackathon, gathering security researchers from around the world to hack e-commerce sites Airbnb and Shopify for vulnerabilities.[19] This was the second such hackathon, with the company hosting one in Las Vegas in August 2016 during the Black Hat Security Conference.[20] Throughout 2017 and so far in 2018, HackerOne hosted seven Live Hacking events in cities across the US and Europe.[21] Over $1 million in bounty cash has been awarded at these events, with Oath Inc. (now called Verizon Media) paying over $400,000 in bounties during a single event in San Francisco, CA in April 2018.[22]

In October 2017, HackerOne hosted their first conference, called Security@ San Francisco. The 200-attendee event included speakers from DoD, General Motors and Uber and also featured talks from hackers.[23]


HackerOne is headquartered in San Francisco. The company maintains a development office in Groningen, Netherlands.[24] In April 2017, the company announced the addition of offices in the UK and Germany.[6]


  1. ^ a b c "HackerOne connects hackers with companies and hopes for a win-win". The New York Times. June 7, 2015. Retrieved October 28, 2015.
  2. ^ a b HackerOne (March 2018). "HackerOne Press Kit & FAQ" (PDF). Retrieved 2018-07-27.
  3. ^ "Serial CEO Marten MIckos takes the reins at HackerOne". Fortune. Retrieved 2017-03-15.
  4. ^ "The Big Business of Smashing Bugs". Bloomberg.com. 2015-03-12. Retrieved 2017-03-15.
  5. ^ a b "HackerOne, a computer bug bounty firm, raises $25 million in Series B". Fortune. Retrieved 2017-03-15.
  6. ^ a b c "HackerOne Strengthens Presence in Europe Amid Growing Demand for Hacker-Powered Security". BusinessWire. 2017-04-10. Retrieved 2018-07-27.
  7. ^ Miller, Ron. "HackerOne Get $9M In Series A Funding To Build Bug Tracking Bounty Programs". TechCrunch. Retrieved 2017-03-15.
  8. ^ Vanian, Jonathan (2014-05-28). "HackerOne lands $9 million to aid in its bug-disclosure program". gigaom.com. Retrieved 2017-03-15.
  9. ^ Osborne, Charlie. "HackerOne raises $25 million in vulnerability management push | ZDNet". ZDNet. Retrieved 2017-03-15.
  10. ^ "HackerOne raises $25M to make the Internet safer via bug bounty programs". VentureBeat. Retrieved 2017-03-15.
  11. ^ "HackerOne Raises $40 Million to Make the Internet Safer for Everyone". www.businesswire.com. Retrieved 2017-03-15.
  12. ^ "DoD Invites Vetted Specialists to 'Hack' the Pentagon". U.S. DEPARTMENT OF DEFENSE. Retrieved 2017-03-15.
  13. ^ "'Hack the Pentagon' Pilot Program Opens for Registration". U.S. DEPARTMENT OF DEFENSE. Retrieved 2017-03-15.
  14. ^ Conger, Kate. "Department of Defense expanding Hack the Pentagon program". TechCrunch. Retrieved 2017-03-15.
  15. ^ Osborne, Charlie. "DoD, HackerOne kick off Hack the Army bug bounty challenge | ZDNet". ZDNet. Retrieved 2017-03-15.
  16. ^ "Army's first bug bounty uncovers entry point to sensitive DoD network". FederalNewsRadio.com. 2017-01-24. Retrieved 2017-03-15.
  17. ^ "Hackers Found 118 Valid Vulnerabilities During Army Bug Bounty Program - Executive Gov". Executive Gov. Retrieved 2017-03-15.
  18. ^ Newman, Lily Hay (2017-11-10). "The Pentagon Opened up to Hackers--And Fixed Thousands of Bugs". Wired. Retrieved 2018-07-27.
  19. ^ "'Ethical hackers' work with Airbnb, Shopify". SFGate. Retrieved 2017-03-15.
  20. ^ HackerOne (2017-02-10), h1-702 Las Vegas Hackathon, retrieved 2017-03-15
  21. ^ HackerOne (2018). "Live Hacking". HackerOne.
  22. ^ Nims, Chris (2018-04-20). "We invited 40 of the world's best security researchers to hack our products. Here's what happened". Oath. Retrieved 2018-07-27.
  23. ^ "Introducing Security@ San Francisco!". HackerOne. 2017-10-17. Retrieved 2018-07-27.
  24. ^ Kootstra, Richard (2016-02-14). "HackerOne: Founded in Groningen, kicking ass in San Francisco". Founded in Groningen. Retrieved 2018-07-27.

Further reading[edit]

External links[edit]