HackerOne, a marketplace where companies can pay hackers to spot and fix security flaws in their software, has raised another $40 million in venture capital funding in a round led by Dragoneer Investment Group.
The technical term for what HackerOne does is offer “bug bounties.” Google, Apple, Microsoft, and even less tech-y companies like United Airlines pay out millions to amateur and professional hackers every year — it’s cheaper than the massive damages caused when an undiagnosed flaw turns into a malicious hacker’s entry point.
CEO Marten Mickos says that HackerOne is the biggest platform of its kind out there, with just about $14 million paid out in its five-year lifespan, and half of that disbursed in 2016 alone. Companies like Nintendo, Uber, Starbucks, and GM all use HackerOne to connect with its 100,000-strong community of hackers.
“We’re a talent agency,” jokes Mickos. “Some years from now, we’ll have a million [users].”
Bounties can range from $100 to $30,000, Mickos says, with a current average of $500. At that amount, Mickos says, there are lots of hackers using HackerOne to make a good life for themselves. HackerOne hackers have used winnings to buy houses for their mums, and cars for their sisters.
At the extreme end, there’s Mark Litchfield, an experienced security consultant who made $500,000 from HackerOne bounties in his first two years using the site. Even for people with less experience, Mickos says there’s a lot of opportunity. Even if you’re not making enough to buy a house, it’s a great way to finance a pricey vacation.
The startup isn’t yet profitable, but Mickos says that HackerOne is on strong financial footing. The company spent less in 2016 than it had anticipated, narrowing its losses thanks to changes to its backend infrastructure that automated a lot of work, making individual employees more productive.
In fact, Mickos says, HackerOne still has most of the $25 million it had raised in 2015, before he joined as CEO, in the bank. When he signed on as CEO, he says, he thought he’d have to raise more capital quickly, but HackerOne was already moving in the right direction.
Now, Mickos says, HackerOne is raising the capital not because it urgently needs the money, but because it wants to hunker down and focus on the long haul toward an eventual IPO. Mickos sold the last two companies he led, but he says HackerOne is in this for the long haul, and he wants to build something that will last for a good long time.
“My passion is to build sustainable companies,” Mickos says.
Going forward, the plan is to expand internationally into Europe and further develop the product. Of special interest to Mickos is helping to educate and guide hackers, especially teenagers, as they go from novice to security expert. It’s good for HackerOne and it’s good for the world to have more security-savvy young hackers out there doing good, Mickos says.
“We have ambitious plans,” Mickos says.