HackerOne Connects Hackers With Companies, and Hopes for a Win-Win
In 2011, two Dutch hackers in their early 20s made a target list of 100 high-tech companies they would try to hack. Soon, they had found security vulnerabilities in Facebook, Google, Apple, Microsoft, Twitter and 95 other companies' systems.
They called their list the Hack 100.
When they alerted executives of those companies, about a third ignored them. Another third thanked them, curtly, but never fixed the flaws, while the rest raced to solve their issues. Thankfully for the young hackers, no one called the police.
Now the duo, Michiel Prins and Jobert Abma, are among the four co-founders of a San Francisco tech start-up that aims to become a mediator between companies with cybersecurity issues and hackers like them who are looking to solve problems rather than cause them. They hope their outfit, called HackerOne, can persuade other hackers to responsibly report security flaws, rather than exploit them, and connect those "white hats" with companies willing to pay a bounty for their finds.
In the last year, the start-up has persuaded some of the biggest names in tech -- including Yahoo, Square and Twitter -- and companies you might never expect, like banks and oil companies, to work with their service. They have also convinced venture capitalists that, with billions more devices moving online and flaws inevitable in each, HackerOne has the potential to be very lucrative. HackerOne gets a 20 percent commission on top of each bounty paid through its service.
"Every company is going to do this," said Bill Gurley, a partner at Benchmark, which invested $9 million in HackerOne. "To not try this is brain-dead."
The alternative to so-called moderated bug bounty programs is sticking with the current perverse incentive model. Hackers who find new holes in corporate systems can, depending on their severity, expect six-figure sums to sell their discovery to criminals or governments, where those vulnerabilities are stockpiled in cyberarsenals and often never fixed. Alternatively, when they pass the weaknesses to companies to get them fixed, the hackers are often ignored or threatened with jail.
In essence, the people with the skills to fix the Internet's security problems have more reasons to leave the web wide open to attack.
"We want to make it easy and rewarding for that next group of skilled hackers to have a viable career staying in defense," said Katie Moussouris, HackerOne's chief policy officer, who pioneered the bounty program at Microsoft. "Right now, we're on the fence."
Mr. Prins and Mr. Abma started HackerOne with Merijn Terheggen, a Dutch entrepreneur living in Silicon Valley. The three met their fourth co-founder through the Hack 100 effort when they sent an email alerting Sheryl Sandberg, Facebook's chief operating officer, of a vulnerability in Facebook's systems. Ms. Sandberg didn't just thank them; she printed out their message, handed it to Alex Rice, Facebook's product security guru at the time, and told him to fix it. Mr. Rice invited the hackers to lunch, worked with them to fix the issue, paid them a $4,000 bounty and joined them a year later.
"Every technology has vulnerabilities, and if you don't have a public process for responsible hackers to report them, you are only going to find out about them through attacks in the black market," Mr. Rice said. "That is just unacceptable."
It is no secret that cybercriminals are constantly scanning corporate systems for weaknesses or that government agencies are stockpiling them. Cybercriminals used one such weakness in an air-conditioning service to break into Target's payment systems. Such flaws are critical to government surveillance efforts and crucial ingredients in cyberweapons like Stuxnet, the computer worm co-developed by the United States and Israel, which used several bugs to find a way into and destroy the uranium centrifuges in an Iranian nuclear facility.
So critical are bugs to government cyberarsenals that one American government agency paid a hacker half a million dollars for a single exploit in Apple's iOS operating system. Apple would have paid that hacker nothing to fix it. Another company may have called the police.
That is precisely the kind of perverse incentive -- punishing hackers who fix bugs and rewarding those who never tell -- that HackerOne wants to change.
Tech companies began rewarding hackers five years ago when Google started paying hackers $3,133.70 for bugs (31337 is hacker code for "elite"). Since then, Google has paid as much as $150,000 for a single bounty and doled out more than $4 million to hackers. Mr. Rice and Ms. Moussouris helped pioneer the bounty programs at Facebook and Microsoft.
Others are finding that simply crediting hackers or sending them swag no longer cuts it. Ramses Martinez, Yahoo's director of security, said he started Yahoo's bounty program in 2013 after two hackers criticized Yahoo for sending them T-shirts in exchange for four bugs that could have brought them thousands of dollars on the black market. Now Mr. Martinez says he considers bug bounties a "no-brainer."
"Now that enough big, well-known companies have gotten this going, a lot of the fear of these programs has been removed," he said.
But most companies still do not pay hackers for their finds, including Apple, which has reported around 100 security issues this year -- some so severe that they enabled attackers to hijack users' passwords. Of course, with a $500,000 price tag attached to one Apple exploit -- which is equivalent to the total payouts Microsoft has made to hackers to date -- Apple's bounties would have to be pretty high to match market rates.
"A lot of companies have hackers -- they just don't know it," said Mr. Terheggen, now HackerOne's chief executive. "The bad guys are on there already. The good guys don't show up unless you invite them."
Olivier Beg, an 18-year-old hacker, said he began hacking services like PayPal and Facebook out of curiosity when he was just 13. What he found -- 10 bugs in PayPal and one in Facebook -- earned him nearly $5,000. He persisted and has found bugs in 26 companies on HackerOne, and made over $40,000 in bounties.
He knows he has other options. A government broker once offered to pay $3,000 for a simple bug in WordPress, a blogging platform, and said more severe vulnerabilities would pay much more. He refused. "You have no idea how it will be used, or who will use it," Mr. Beg said, adding that brokers require hackers to never tell anyone what they found, taking some of the fun out of the discovery.
About 1,500 hackers are on HackerOne's platform. They have fixed around 9,000 bugs and received more than $3 million in bounties. For companies that are just beginning to consider bug bounties, HackerOne offers them a community of reputable hackers and handles the back-end paperwork, including tax forms and payments.
HackerOne is not the only company in the space. It competes with the bounty programs its founders helped start at Facebook, Microsoft and Google (Chris Evans, an adviser to HackerOne, helped pioneer Google's bounty program). Some companies, like United Airlines, recently started their own bounty programs. United started offering hackers free frequent flier miles after a security researcher tweeted about vulnerabilities in the plane's in-flight Wi-Fi system and told the F.B.I. he had looked into the plane's networks while in flight.
HackerOne also competes with Bugcrowd, a similar start-up that charges companies an annual fee to manage their bounty programs. Bugcrowd works with young companies like Pinterest and institutions like Western Union.
HackerOne and its competitors may face a significant regulatory hurdle in the coming months. Officials are considering changes to the Wassenaar Arrangement, a 20-year-old export control agreement among 41 countries -- Russia, European nations and the United States, among them -- that would require researchers to get permission from governments before turning over exploits to a foreign company.
"Governments may not mind passing on low-severity issues, but critical issues may be another matter," said Kymberlee Price, Bugcrowd's senior director of security operations. "Should we really leave it to the Russian government to decide whether a researcher can report a vulnerability to Citibank?"
Correction: June 8, 2015
An earlier version of this article misstated what Google was paying hackers for identifying bugs. It was $3,133.70, a reference to 31337, the hacker code for "elite" -- not $3,177.30.