Above the Crowd

HackerOne: A Superior Solution for Solving Web Vulnerabilities

May 28, 2014

In early April, Neel Mehta of Google first publicly reported the web vulnerability that we now refer to as the Heartbleed bug. Early analysis suggested that 17% of the servers on the Internet were vulnerable, which represents about half a million unique computers. This list included some of the world’s most heavily trafficked sites, including Facebook, Google, and Yahoo. On Monday, May 5th, Target Corporation removed Gregg Steinhafel from his role as CEO as a result of his unsatisfactory response to a cyber security threat that compromised millions of user accounts at the retail giant. The Boston Globe suggested that “Target’s data theft leaves CEOs everywhere on the hot seat.” The Seattle Times declared “CIOs in hot seat since Target data breach.” Risks are clearly increasing, and the world is in need of an innovative solution to help address this growing problem.

Some companies have attacked this problem by offering financial rewards to researchers who help them identify vulnerabilities. It’s a very clever way to ensure that everyone’s interests are aligned – those of the company with a large web site, and those of the researcher/hacker. The problem is that running this type of program is complex, and while it might be feasible for Microsoft or Facebook to build such a program, it would be much harder for each and every company to build one on their own. Also, if these programs are run independently, you fail to develop incremental leverage from understanding the unique skill sets of each and every researcher, and each incremental company will have a harder time attracting researcher interest.

Enter HackerOne, a shared community marketplace that brings together the Internet’s leading web sites with a community of the Internet’s leading researchers. The result is a hyper-efficient way to help minimize your company’s exposure to vulnerabilities. It’s also a remarkably interesting marketplace company, where each participant in the community is properly rewarded for their impact, and their reputation and skill set improve and evolve over time. And it is already being used by leading worldwide web destinations such as Yahoo and Mail.Ru. HackerOne is a true win-win: researchers are rewarded for their unique skills, and companies are able to identify vulnerabilities in a way that limits repercussions for their users.

HackerOne was founded by Jobert Abma, Michiel Prins, CEO Merijn Terheggen, and Alex Rice. Alex was recently in charge of the bug bounty programs at Facebook. Today the company has announced that Katie Moussouris, who ran these same programs at Microsoft, has also joined the company. Furthermore, Benchmark is thrilled to announce that we have been selected to lead the Series A investment in HackerOne, and I am excited to join their board of directors, along with John Hering, the founder of Lookout Mobile. This is a fascinating company with an innovative solution to an increasingly critical problem. Moreover, the vibrancy we see in the HackerOne community is quite similar to what we have seen with other community/marketplaces we have backed, including eBay, Yelp, OpenTable, Zillow and Uber.

If you want to get your company started, and potentially avoid the fate of Gregg Steinhafel, you can follow this link to get started right away.

2 Comments

  1. Jonathan Cran May 29, 2014

    Just a note that if you’re interested in this sort of thing, you should check out the comprehensive bug bounty list (https://bugcrowd.com/list-of-bug-bounty-programs/) as well as sign up as a researcher @ bugcrowd!
  2. Sinjin Lee June 3, 2014

    HackerOne seems to be creating a multiplying effect for the good. Researchers win through incentives that highlight their expertise and companies can shore up weaknesses that leave them open to attack. Reminds me of the community that Robin Hood is creating – experts are incentivized to make consistent stock picks while newbies are guided to make informed purchasing decisions.