Bug bounty platform HackerOne raises $40 million to help companies identify vulnerabilities

HackerOne, a vulnerability identification platform that helps connect security-conscious businesses with bug hunters, has raised $40 million in a Series C round led by Dragoneer Investment Group.

Founded out of San Francisco in 2012, HackerOne helps companies identify weaknesses in their online systems through offering cash incentives to security researchers, the idea being that it’s better to have one of the good guys find a bug before the bad guys get a sniff. HackerOne monetizes by charging a 20 percent commission on top of each bounty paid through its platform.

Many well-known companies offer “bug bounty” programs through HackerOne — including Twitter, which paid out more than $300,000 in prizes between 2014 and 2016. Other companies using HackerOne include Airbnb, Uber, Yelp, Qualcomm, Nintendo, Slack, Adobe, LinkedIn, GitHub, and Yahoo. And last year, HackerOne was chosen by the U.S. Department of Defense (DoD) to run a bug bounty challenge called Hack the Pentagon, which resulted in more than 1,000 hackers identifying around 140 vulnerabilities. HackerOne subsequently won a $3 million contract from the DoD to Hack the U.S. Army.

HackerOne has now raised around $75 million in total, including a $25 million tranche less than two years ago that ushered in a slew of notable angel investors, including Salesforce CEO Marc Benioff, Dropbox CEO Drew Houston, and Zenefits COO David Sacks. The company says it will use its new funds to invest in “technology development, expand market reach, and continue to strengthen the world’s largest and most diverse hacker community,” according to a statement.

Bug bounties are big business — Google has paid out millions of dollars in awards since it first launched a program in 2010, while back in October Facebook revealed it had paid out $5 million in five years. Apple launched its first bug bounty program in August.

“Our customers typically receive their first valid security vulnerability report the same day they challenge our diverse community of hackers to examine their code,” explained HackerOne CEO Marten Mickos. “There’s no such thing as perfect software, and bug bounty programs are the most efficient and cost-effective solution for finding security vulnerabilities in live software.”

Other notable players in the bug bounty platform space include fellow San Francisco startup Bugcrowd, which has raised around $23 million in funds, to date.