SAN FRANCISCO — In 2011, two Dutch hackers in their early 20s made a target list of 100 high-tech companies they would try to hack. They found security vulnerabilities in Facebook, Google, Apple, Microsoft, Twitter, and 95 other companies’ systems.
They called their list the Hack 100.
When they alerted executives of those companies, about a third ignored them. Another third thanked them, curtly, but never fixed the flaws, while the rest raced to solve their issues. Thankfully for the young hackers, no one called the police.
Now Michiel Prins and Jobert Abma are among the four cofounders of a San Francisco tech startup that aims to become a mediator between companies with cybersecurity issues and hackers like them who are looking to solve problems rather than cause them. They hope their outfit, HackerOne, can persuade other hackers to report security flaws, rather than exploit them, and connect those “white hats” with companies willing to pay a bounty for their finds.
The startup has persuaded some of the biggest names in tech — including Yahoo, Square, and Twitter — and companies you might never expect, like banks and oil businesses, to work with their service. They have also convinced venture capitalists that, with billions more devices moving online and flaws inevitable in each, HackerOne has the potential to be very lucrative. HackerOne gets a 20 percent commission on top of each bounty paid through its service.
“Every company is going to do this,” said Bill Gurley, a partner at Benchmark, which invested $9 million in HackerOne. “To not try this is brain-dead.”
The alternative is sticking with the current perverse incentive model. Hackers who find new holes in corporate systems can, depending on their severity, expect six-figure sums to sell their discovery to criminals or governments. The vulnerabilities are stockpiled in cyberarsenals and often never fixed. Alternatively, when they pass the weaknesses to companies to get them fixed, the hackers are often ignored or threatened with jail.
“We want to make it easy and rewarding for that next group of skilled hackers to have a viable career staying in defense,” said Katie Moussouris, HackerOne’s chief policy officer, who pioneered the bounty program at Microsoft.
Prins and Abma started HackerOne with Merijn Terheggen, a Dutch entrepreneur living in Silicon Valley. The three met their fourth cofounder through the Hack 100 effort when they sent an e-mail alerting Sheryl Sandberg, Facebook’s chief operating officer, to a vulnerability in Facebook’s systems. Sandberg did not just thank them; she printed out their message, handed it to Alex Rice, Facebook’s product security guru at the time, and told him to fix it. Rice worked with them to fix the issue, paid them a $4,000 bounty, and joined them a year later.
“Every technology has vulnerabilities, and if you do not have a public process for responsible hackers to report them, you are only going to find out about them through attacks in the black market,” Rice said. “That is just unacceptable.”
It is no secret that cybercriminals are constantly scanning corporate systems for weaknesses or that government agencies are stockpiling them. Cybercriminals used one such weakness in an air-conditioning service to break into Target’s payment systems. Such flaws are critical to government surveillance efforts and crucial ingredients in cyberweapons like Stuxnet, the computer worm developed by the United States and Israel, which used several bugs to find a way into and destroy the uranium centrifuges in an Iranian nuclear facility.
So critical are bugs to government cyberarsenals that one US government agency paid a hacker half a million dollars for a single exploit in Apple’s iOS operating system. Apple would have paid that hacker nothing to fix it. Another company may have called the police.
That is precisely the kind of perverse incentive — punishing hackers who fix bugs and rewarding those who never tell — that HackerOne wants to change.
Tech companies began rewarding hackers five years ago when Google started paying hackers $3,177.30 for bugs (31773 is hacker code for “elite”). Since then, Google has paid as much as $150,000 for a single bounty and doled out more than $4 million to hackers. Rice and Moussouris helped pioneer the bounty programs at Facebook and Microsoft.