“We have more hacking experts than any other company in the sector and they are diverse in their backgrounds – young and old, men and women, technical and non-technical people. This makes us better at finding vulnerabilities than the limited number of in-house experts working for client companies. And it is hard for humans to find flaws in the systems they have built; creative outsiders are more likely to find the “unknown unknowns” – vulnerabilities that no-one else has spotted.”
HackerOne’s typical hacker is a young man under 34 with expertise in computer science, for whom detecting online flaws is a hobby at college or a spare-time job. They have a cunning ability to think bad, like a criminal hacker, says Mårten Mickos, but then do good by reporting the vulnerabilities to the owner of the system – the potential victim. They find chasing vulnerabilities thrilling and they can make a lot of money if they are good – one of HackerOne’s bug hunters made over half a million dollars on the HackerOne platform alone.
“I see us as a bit like the Boy Scouts, whose founder created the organisation as a way of giving idle young people something to do and contributing to society. Often our hackers are super-intelligent teenagers who don’t know how to communicate with people and may be difficult to deal with. We reach out to them, giving them a meaningful role in society and bringing out the best in them – otherwise they might get up to all sorts of mischief.”
HackerOne’s approach has proved attractive to a wide variety of companies. Those that grew up as online businesses, such as Uber and Airbnb, know that constantly detecting vulnerabilities is vital to their success. Older companies which have experienced their first security breach, perhaps at the hands of a criminal, quickly turn to HackerOne because they cannot afford the cost of another breach. A third group of clients comes by recommendation, often from big manufacturing companies which tell their suppliers to protect themselves against hacking so as to make the supply chain secure.
In 2016, HackerOne helped the US Department of Defense to make its systems more secure by launching the ‘Hack the Pentagon’ challenge. This eight-week programme involved 1,410 hackers who found 138 vulnerabilities – the first within 13 minutes. It paid out USD 75,000 in bounties to the hackers, ranging from about USD 100 to USD 15,000.
“It was a huge shock for the Pentagon to find so many flaws, having previously spent millions of dollars on security protection. So they asked us to repeat the programme for the US Army with Hack the Army, and again found very serious vulnerabilities – the first within five minutes. The Department of Defense is one of the best-financed organisations in the world and can pay for anything it needs, but it found it effective to turn to hackers for help!”