
In the news

The 25 hottest San Francisco startups to watch in 2016

February 16th, 2016

No company is immune from a security bug, so why not pay a hacker to find your vulnerabilities before they become a costly company issue? That's the theory behind HackerOne, a marketplace for bug bounty programs. HackerOne's researchers communicate with a company's response team, which in turn pays the hackers for helping find and repair weaknesses on its website or in the software. HackerOne gets 20% of these "bounty" payments.

20 Cybersecurity Startups To Watch In 2016

February 16th, 2016

Notable Leaders/Founders: CTO & Co-Founder Alex Rice -- over ten years' experience in IT security, including as a senior researcher for Websense and head of product security for Facebook; Chief Policy Officer Katie Moussouris -- best known for security strategy work at Microsoft, she was the creator of Microsoft's first bug bounty program.

There is a brighter tomorrow for White Hat hackers

February 2nd, 2016

HackerOne was founded by security leaders from Facebook, Microsoft and Google. Once you sign up, you're able to see which company rewards which people and how much they received under the Hacktivity tab. On the directory tab, you can search for companies that are currently offering bug bounty programs, including those from Twitter, Shopify and Slack.

The art of leading without leading: GM and the delicate dance of automotive cybersecurity

January 31st, 2016

General Motors is partnering with HackerOne, a company that helps organizations of all sizes connect with security researchers around the globe. Through HackerOne, companies can go so far as to post bug bounties, giving independent hackers financial incentive to report findings through the right channels.

The Rise of White Hat Hackers and the Bug Bounty Ecosystem

January 30th, 2016

They named the new company HackerOne as a way to take back the word hacker, which they say the media has misused as a way to describe only criminals. There is an "incredibly diverse set of people who pay homage to the [Massachusetts Institute of Technology] definition of a hacker, who is someone into the intellectual challenge. It's academics, students, hobbyists and penetration professionals," Rice says.

Ethically Hacking Federal Agencies and Contractors

January 20th, 2016

Mickos is the new CEO of HackerOne, the leader in the nascent field of vulnerability coordination. He brought his experience as an entrepreneur and open source advocate to the company in November.

GM's Cybersecurity Secrets

January 12th, 2016

By using HackerOne as its preferred platform for outsiders to inform them of security vulnerabilities, GM is able to create a buffer against a larger unpredictable hacker subculture that makes executives nervous.

A Federal 'Bug Bounty' Program? HackerOne's Katie Moussouris Weighs in on the Challenges

January 12th, 2016

At HackerOne, Moussouris oversees the company's philosophy and approach to vulnerability disclosure, advises customers and lawmakers, and promotes security research that aims to help make the Internet safer for everyone. Her work includes developing initiatives such as Microsoft's bounty programs, security researcher outreach, vulnerability disclosure policies, and MSVR (Microsoft Vulnerability Research), and she served as content chair of Microsoft's BlueHat security conference. Moussouris is also a subject matter expert for the U.S. National Body of the International Standards Organization in vulnerability disclosure, secure development and vulnerability handling processes.

GM Embraces White-Hats with Public Vulnerability Disclosure Program

January 7th, 2016

The choice of HackerOne was a key part of the program strategy, Massimilla said, because of that company's existing relationship with security researchers. "We don't have a lot of experience with this sort of program," Massimilla admitted. HackerOne is hosting the program's Web portal, which handles much of the workflow of managing disclosures. "We also have e-mail addresses and other contact points where we can communicate," he added.

Browser Famed for its Security Offers to Pay Hackers for Help

January 4th, 2016

Working with HackerOne, a company that connects hackers with firms in need of security help, might prove to be equal parts practical and strategic.

The Tor Project Is Starting a Bug Bounty Program

December 28th, 2015

HackerOne is a platform for connecting researchers who discover vulnerabilities and the companies affected by them. HackerOne raised $25 million in private funding earlier this year.

Top Influential Security Thinkers

December 13th, 2015

Formerly a hacker, Linux developer and self-professed persistent disruptor, Moussouris is currently chief policy officer at HackerOne, a San Francisco-based platform provider for coordinated vulnerability response and structured bounty programs. She oversees the company's philosophy and approach to vulnerability disclosure, advises customers and researchers, and works to "help make the internet safer for everyone."

When Ethical Hacking Can't Compete

December 7th, 2015

Alex Rice, the chief technology officer of HackerOne and the founder of Facebook's product-security team, says that HackerOne's global network includes just under 2,000 paid hackers, many of whom hold full-time jobs and pursue their hacking projects on the side.

Why This Entrepreneur Travels With Lock Picks

December 3rd, 2015

HackerOne's Bug Bounty platform, which rewards hackers who help get rid of bugs, simplifies the process of vulnerability coordination. Moussouris spends about half her work time traveling from the company's headquarters in San Francisco to Washington, D.C., for policy and regulation functions -- and eventually home to Seattle.

ToyTalk, Maker of Web-Connected Hello Barbie, Launches Bug Bounty

November 30th, 2015

Facilitated by HackerOne, a startup that connects hackers with companies that need security help, the program has already caught at least 22 reported vulnerabilities. ToyTalk has thanked more than 50 hackers for sharing their insight.

50 enterprise startups to bet your career on in 2016

November 29th, 2015

HackerOne takes an unconventional approach to software security: It provides cash rewards to hackers who find security vulnerabilities in its clients' software.

#14 - Katie Moussouris on bug bounty programs

November 28th, 2015

Bug bounty programs have experienced tremendous growth in the last few years. We're joined for episode #14 by a leading expert on bug bounty programs, Katie Moussouris.

Vetting researchers builds trust in bounty programs

November 17th, 2015

"Indeed, there are many people out there who are capable of breaking security, but the more creative minds you have the more likely it is that they will be successful, and the more difficult it is for a criminal to compromise," Rice said.

Why tech firms pay hackers to hack them

November 15th, 2015

"Often security researchers are threatened with lawsuits under the Computer Fraud and Abuse Act or the Digital Millennium Copyright Act in the US, and there are similar laws around the world, but this doesn't actually benefit the company in question. It may temporarily silence researchers, but the flaw is still there," said Moussouris.

5 Companies That Came To Win This Week

November 12th, 2015

"With Mickos at the helm, the company is well positioned to go to the next level."

This ex-HP exec sold his last two companies, and now he's at it again

November 10th, 2015

"Mickos likens software to a house: Lots of software has security systems, alarms, and other stuff to detect intruders. But it's also nice to have a "neighborhood watch," like the hackers on the HackerOne platform, to help you spot trouble before it even starts."

Hewlett-Packard Cloud Manager to Head Security Startup HackerOne

November 10th, 2015

Mr. Mickos on Wednesday is being named chief executive of HackerOne, which enlists independent hackers to help find security flaws in other companies' software in exchange for bounties.

Serial CEO Marten Mickos Joins HackerOne

November 10th, 2015

"There is a frighteningly large number of companies with Internet-facing systems that are not equipped to receive vulnerability reports", Terheggen told Fortune.

HackerOne Snags Former HP Exec Marten Mickos As CEO

November 10th, 2015

HackerOne currently has around 380 customers using the platform including Twitter, Yahoo! and Adobe, and it's growing quickly with quadruple year over year customer growth. Since its inception, the platform has fixed over 14,000 bugs and paid out almost $5 million to the individuals who found them.

HackerOne Names Open-Source Veteran Marten Mickos as CEO

November 10th, 2015

The only solution to the problem of modern security is to enlist a large group of people who think in their own ways and can find bugs that no software or robot can find," Mickos said. "Mankind is so unique in that it creates bugs that only human beings can find."

Hello, operator, I'd like to report a bug: Why one company is offering hackers directory assistance

November 8th, 2015

HackerOne, one of the leading bounty firms, is creating a system that will connect computer vulnerability hunters with companies that may not have formal disclosure policies.

If You Find a Software Bug, Don't Try to Report It to These Companies

November 4th, 2015

HackerOne Inc., a venture-backed cybersecurity company, recently scanned the websites of the Forbes Global 2000. It found that 94% did not advertise a way for so-called ethical hackers to report bugs.

Inside the economics of hacking

November 4th, 2015

"Often security researchers are threatened with lawsuits under the Computer Fraud and Abuse Act or the Digital Millennium Copyright Act in the U.S., and there are similar laws around the world," explained HackerOne chief policy officer Katie Moussouris.

Hacked Opinions: The legalities of hacking — Katie Moussouris

November 1st, 2015

Security research is vital to keeping us all safe online. All technology has flaws, and if a friendly hacker can find a way to exploit the technology you rely on, chances are criminals can as well.

Glitches to riches: The hackers who make a killing off software flaws

October 29th, 2015

Selling information about software vulnerabilities was a quirky idea a decade ago. But today there's a global vulnerability marketplace where the world's top bug bounty hunters can reap handsome rewards.

The first rule of zero-days is no one talks about zero-days (so we'll explain)

October 19th, 2015

Katie Moussouris helped create Microsoft's security bounty programs and was pivotal in improving the company's approach to security research and vulnerability response. She believes that the ethics of full disclosure are slightly more nuanced.

Hackers Prove They Can 'Pwn' the Lives of Those Not Hyperconnected

October 14th, 2015

Within minutes, they had not only broken into Mrs. Walsh's email account, but also that of her daughter — who at some point had allowed the computer's browser to auto-fill her password. (As a courtesy, the hackers made sure to send Mrs. Walsh's daughter an email from her own account with the subject line: "Reminder: Change my password.")

Hacking for Security, and Getting Paid for It

October 14th, 2015

Newer start-ups like HackerOne and BugCrowd team up with companies in industries like tech and energy to solicit hackers to test their applications for vulnerabilities and, in many cases, pay them for their finds.

Alex Rice discusses misconceptions about hacking within companies and individual online security

October 12th, 2015

Rice works for HackerOne and spoke at Chicago Ideas Week about "Cybersecurity: It's Time to Update Your Password... Again".

US startups find the helpful side of hackers

October 7th, 2015

While cyber attacks seem to be increasing in frequency, so is the need for cyber security. Not all hackers are the bad guys; some find the weak links to help companies improve. Mark Niu reports from San Francisco.

Katie Moussouris on the (groan) disclosure debate

October 7th, 2015

On this week's show we're checking in with Katie Moussouris of HackerOne to discuss the disclosure debate.

Dutch Prime Minister speaks at Federal Reserve Bank of Atlanta

October 6th, 2015

"...This led to the creation of HackerOne. The company has now located and resolved more than 12,000 security vulnerabilities on the websites of major players like Yahoo, Airbnb and Twitter. Making the internet safer as a result. It's a fantastic example of Dutch-US cooperation. One of those young Dutchmen, Michiel Prins, is taking part in this trade mission, together with some of his colleagues." Mark Rutte, Prime Minister of the Netherlands.

5 major cyber hacks and the tools that might stop them next time

October 6th, 2015

An interesting company that could have helped Ashley Madison prevent the attack: HackerOne.

How (and why) to start a bug bounty program

October 4th, 2015

You want to ensure that at the end of the day, your customers have confidence in your product, which starts with hearing about these vulnerabilities in a controlled manner.

The rise of the zero-day market

October 4th, 2015

They are looking at the security research community as the source of the problem, where actually it's the vendors who wrote the vulnerable code in the first place, and the vendors who really need to figure out a way of responding to zero-days gracefully.

Fear of lawsuits chills car hack research

October 2nd, 2015

"The enemy of security is not a security researcher who wants to report a bug," said Katie Moussouris.

Why Don't Companies Want to Hear About Their Security Problems?

October 1st, 2015

When there's a major breach, "It feels like it's this failure by the company to have not prevented it," Rice said. "But it's really quickly shifting to the point where everybody's had a breach at some point, and the real differentiator for companies is how they respond and how much confidence they build."

Rutte: more risk is perfectly fine!

September 30th, 2015

As an example, the prime minister named the young Dutch upstart HackerOne, founded by two students who went on a study trip to San Francisco. It fits perfectly into an economy that keeps becoming more entrepreneurial, in which everything moves faster and more directly and in which 'the ideas and innovations of today must pay off tomorrow', Rutte said.

The Hackers Of The World Want More Rewards For Fixing The Internet

September 23rd, 2015

I think the idea that the friendly hacker out there could help you rather than be malicious is something people have only begun to appreciate recently.

HackerOne launches free Vulnerability Coordination Maturity Model tool

September 21st, 2015

The work that HackerOne has put into this document is clear, concise, and it shouldn't trigger the fear and anxiety that normally accompanies a one-off vulnerability disclosure that arrives out of the blue.

What's on the China agenda today

September 21st, 2015

Bug bounty platform provider HackerOne unveils today a first-ever maturity model for companies to measure their ability to accept, and act on, findings of outside researchers who discover security flaws.

Internet Bug Bounty Helps Secure Open Source and the Internet

September 9th, 2015

Rice explained that the Internet Bug Bounty covers approximately a dozen open source projects that are critical to the functioning of the Internet, including PHP, perl, Python, Ruby, OpenSSH and others. Such projects typically don't have the resources to run their own bug bounty programs, Rice said.

ownCloud Bug Bounty Program Announced

August 30th, 2015

HackerOne is working with ownCloud to run the new program. They are known as the premier vulnerability management and bug bounty platform business.

HackerOne Co-Founder Details the Value of Bug Bounty Programs

August 25th, 2015

You can't just buy every vulnerability that is out there; you have to start making systematic changes to ensure that bugs don't get introduced in the first place.

HackerOne pays hackers to find bugs and vulnerabilities at some of the world's biggest companies.

August 21st, 2015

No matter how many resources you pour into it, you are always going to miss something. Technology always has bugs. There will always be a problem that you miss and that is all that it takes for a criminal to take advantage of it.

Mad World: The Truth About Bug Bounties

August 12th, 2015

No one can handle security alone -- defenders need all hands on deck, and hackers are among them.

Is Your Android Phone Still Safe?

August 10th, 2015

One of the things that Android does fairly well is that it's an incredibly open and transparent platform... Through (Google's) bug bounty program and a number of other factors, they actively encourage discussion and participation on the security of the platform.

Podcast: Katie Moussouris on bug bounties and stunt hacking

July 27th, 2015

As the drumbeat of security breaches continues, what's the best way to incentivize hackers to report vulnerabilities they find to help companies solve their cybersecurity problems?

The new bounty hunters chasing the Internet's 'most wanted'

July 25th, 2015

To date, approximately 1,600 researchers on HackerOne's platform have received about $3.48 million in payouts, based on finding 10,557 bugs.

Hacked Opinions: Vulnerability disclosure - Rahul Kashyap

July 20th, 2015

There are new companies like HackerOne that pay a substantial amount to bug finders. Researchers can try to contact vendors directly, but it might not be easy to get incentive, as unfortunately the value of the exploit or bug might not be understood by most vendors.

Commerce Department: Tighter Controls Needed For Cyberweapons

July 19th, 2015

In practice, Moussouris says, bad guys aren't going to stop and ask for permission. So putting a public agency in the middle of private communication just slows down the good guys.

Avoid hiring a cybercriminal: understand motivations and thoroughly vet employees

July 16th, 2015

Making the move over to "the dark side" requires more than a nagging interest; it's a mix of desire for compensation, recognition and the pursuit of intellectual happiness, Katie Moussouris, chief policy officer at HackerOne told

You Need to Speak Up For Internet Security. Right Now.

July 15th, 2015

It is our job to collectively ensure that no regulation stops defenders.

Industry warns proposed arms export rule will thwart basic cyberdefenses

June 28th, 2015

"The buck stops at the top in terms of taking responsibility for a security incident - and taking responsibility in a breach includes conducting a thorough investigation of the scope of the incident, the failures that led to it, and determining the steps for recovery. All software and networks contain security vulnerabilities. Breaches of this type are not uncommon among networks that have been inherited and built up on legacy systems, without adequate protection of sensitive data. The effectiveness of the response and remediation going forward will determine how well the OPM chief fares in all this. One must never waste a good crisis." - Katie Moussouris, HackerOne

HackerOne Lands $25 Million to Grow Bug Hunting Business

June 23rd, 2015

"Powered by hackers", the company explains that its platform helps customers discover security vulnerabilities on an ongoing basis, allowing them to fix issues before bad guys are able to exploit them.

Why an Arms Control Pact Has Security Experts Up in Arms

June 23rd, 2015

Moussouris says the proposed rules as they now stand "get us back to the arguments that happened during the Crypto Wars. We know you're trying to keep this tech out of the hands of people who will use it for bad," she says. "However, [you're doing it in a way] that forces us into a downgrade of security for all."

HackerOne, a computer bug bounty firm, raises $25 million

June 23rd, 2015

On Wednesday the company said that it has raised a series B round of funding worth $25 million, bringing its total funding up to $34 million to date. The round is led by New Enterprise Associates and it includes 10 other high profile angel investors.

HackerOne Raises $25 Million to Make the Internet Safer

June 23rd, 2015

New Enterprise Associates leads Series B financing with participation from existing investors including Benchmark and additional investment from Yuri Milner, Marc Benioff, Drew Houston, Jeremy Stoppelman, and others.

HackerOne Bags $25M As Security Info Sharing Mainstreams

June 23rd, 2015

HackerOne is a company in the right place at the right time. There is a growing feeling that if we share information, we are going to be far safer together as part of a herd, then by trying to go it alone.

HackerOne raises $25M to make the Internet safer via bug bounty programs

June 23rd, 2015

Major tech companies that use HackerOne include Yahoo, Twitter, Adobe, Dropbox, LinkedIn, Square, Airbnb, Slack, Snapchat, Qiwi, and Vimeo. Across all its clients to date, HackerOne says it has helped find nearly 10,000 security holes, paying over $3.12 million in bounties to more than 1,500 independent security researchers.

LinkedIn opts for 'invitation-only' bug bounty program, pays out $65K in recent months

June 18th, 2015

LinkedIn engaged the assistance of HackerOne, a San Francisco vulnerability management and bug bounty platform provider whose customers already include Twitter, Adobe, Snapchat and Airbnb.

LinkedIn pays out $65,000 in bug bounty scheme fixing 65 bugs

June 17th, 2015

LinkedIn has paid out more than $65,000 (£41,000) in private bug bounty prizes since last October after 65 flaws were reported to the professional social network. The scheme was set up on the HackerOne platform in order to make use of the white hat hacking firm's experience in tax reporting and accounting, following reports of potential scams which could be used to expose the personal details of high-ranking executives.

OPM director resignation watch, Day Two - Breach still widening - NDAA includes cyber oversight

June 17th, 2015

Federal officials said they're not out to regulate exploits or zero days. However, if technical data submitted to a bug bounty program is needed for the development of intrusion software, it could come under export controls - assuming the bug bounty program's transactions are international, officials said. That's enough to be worrying Katie Moussouris of HackerOne.

Ethical hacking: Are companies ready?

June 16th, 2015

People using the platform earn an average of $650 per flaw that is found, according to Alex Rice, chief technology officer at HackerOne.

Snapchat slings SMS two-factor authentication

June 14th, 2015

Users of Snapchat version 9.9 will be able to activate the Login Verification feature on Android and iOS platform. The extra security features are the latest efforts in a push to increase the platform's security chops which includes the launch of a HackerOne bug bounty.

Influencers: US plan to limit export of software vulnerabilities a bad idea

June 10th, 2015

Regarding the Wassenaar agreement, influencers are concerned the proposed rules will also have unintended consequences for technical innovation, which, according to Katie Moussouris, chief policy officer for HackerOne, "conflicts with the mission of the Commerce Department and ultimately does not serve the intended purpose of controlling surveillance software."

HackerOne Connects Hackers With Companies, and Hopes for a Win-Win

June 7th, 2015

HackerOne's co-founders are betting they can persuade the world's hackers to spend their free time solving security's problems, not causing them, and that businesses will pay them a bounty for their service.

Warnings of Hackers on Planes All Too Familiar to Airline Security Researchers

May 3rd, 2015

The popular online storage service has launched a bug bounty program with service provider HackerOne that will pay external experts to find issues with the company's applications. "In addition to hiring world-class experts, we believe it's important to get all the help we can from the security research community, too" says Dropbox security engineer Devdatta Akhawe.

Warnings of Hackers on Planes All Too Familiar to Airline Security Researchers

April 28th, 2015

"Critical infrastructure is not immune from security vulnerabilities," said Ms. Moussouris. The good news is that firms such as Boeing and Airbus are in a position to learn the lessons of companies such as Microsoft, where she worked as a senior security analyst. At a minimum, Moussouris said companies need to create a "front door" for researchers.

Opportunity Abounds for Those With Both Business, Security Skills

April 22nd, 2015

"A lot of us who once flew hacker flags are now in charge of large security organizations," said Moussouris. "We've graduated and matriculated into the ruling class of security." The result will be a new type of security leader who is inherently business-savvy, a skillset she hopes will become widely possessed among security leaders.

Throwing Money at Bug Bounties Won't Beat Zero-Day Dark Markets

April 21st, 2015

Moussouris' study found, however, that if companies offer legitimate researchers new tools to carry on their research, as well as a certain financial stipend, then the researchers are both more effective at finding bugs and more likely to continue doing so. "You cannot outbid the dark market," she said. "Instead, you need to create more interesting incentives."

Hackers for Hire

April 20th, 2015

Alex Rice, HackerOne CTO, discusses the growing business of companies hiring hackers to find flaws in their security systems.

Leveling the Vulnerability Market

April 19th, 2015

This week at RSA Conference 2015 in San Francisco, Moussouris will present new research that suggests other ways of leveling the software vulnerability marketplace, not just with price. "What this research is trying to show is that the more you can help the Defense side find the same bugs that the Offense side has found, the more you increase the overlap or what we call 'bug collisions'" - opportunities for the Defense to negate the value of the Offense's bugs.

Decrypt This: Why is Router Security So Full of Holes?

April 16th, 2015

Details of the zero-day market can be tricky however, and the answer isn't always simply to throw more money at the good guys and hope they stick to the righteous path after the check is already cashed. In her report "The Vulns of Wall Street" published on Tuesday, CPO of HackerOne Katie Moussouris explains why the problem runs deeper than just the dollar amount that's being passed around between hackers on the underground circuit.

Zero Day Weekly: Active Microsoft Zero-Day, Oracle Kills Java, D-Link Snafu, more DHS cyber-negligence

April 16th, 2015

At next week's RSA Conference, a team of researchers at MIT, Harvard, and the security firm HackerOne (Internet Bug Bounty program) will present a study on the economics of the marketplace for "zero-day" vulnerabilities in software and networks, showcasing a model for how that market behaves.

Dropbox Launches Cash for Bugs Program, Offers Long List of Bugs that Don't Qualify

April 15th, 2015

Dropbox has announced a new cash for bugs program, which it's operating on third-party bug reporting platform HackerOne. Prior to the new cash program, Dropbox, like others on HackerOne such as Adobe, only offered recognition to researchers who found and reported security bugs.

Dropbox to Pay Security Researchers for Bugs

April 15th, 2015

Dropbox's program will be run through HackerOne, a company that has a secure platform that manages security vulnerability information and handles disclosure information and rewards.

Dropbox Launches Bug Hunter Bounty Programme from $216 a Flaw

April 15th, 2015

"Protecting the privacy and security of our users' information is a top priority for us at Dropbox. In addition to hiring world-class experts, we believe it's important to get all the help we can from the security research community, too," explained Devdatta Akhawe, a Dropbox security engineer. "That's why we're excited to announce that starting today, we'll be recognizing security researchers for their effort through a bug bounty programme with HackerOne."

Dropbox Launches Bug Bounty, Will Also Pay for Previously Reported Bugs

April 15th, 2015

Dropbox is the latest company to officially announce a bug bounty program set up through the HackerOne platform.

Dropbox Announces Bug Bounty Program Via HackerOne

April 15th, 2015

Dropbox announced a "bug bounty program" in partnership with HackerOne to improve the security and privacy of its applications.

Dropbox Announces Bug Bounty Program Via HackerOne

April 15th, 2015

Dropbox has partnered with HackerOne to eliminate vulnerabilities that could otherwise be overlooked.

Dropbox Launches HackerOne Bug Bounty Program

April 15th, 2015

Dropbox has launched a bug bounty program on HackerOne, joining a multitude of other companies seeking outside help to keep their software as secure as possible.

Dropbox Launches 'limitless' Bug Bounty

April 15th, 2015

Dropbox has launched a no-limit bug bounty program, back-paying US$14,875 so far for previously and newly-reported vulnerabilities. The HackerOne bounty, which supplements the company's external penetration testing efforts, is unusual in offering back payment for critical vulnerabilities that white hat hackers had already reported without expecting reward.

Dropbox Launches 'limitless' Bug Bounty Programme

April 15th, 2015

Cloud storage company Dropbox has partnered with HackerOne to launch a new bug bounty programme, which will pay-out on vulnerabilities relating to Dropbox, Carousel and Mailbox for the iOS and Android apps.

Bounty Programs Could Swat More Bugs With Better Tools

April 14th, 2015

The Internet Bug Bounty Panel, a service supported by HackerOne that provides bounties for unfunded open source development, is starting to offer rewards for new tools, as well. The panel will even retroactively provide rewards for tools that have already been built.

HackerOne Research Examines Market Dynamics of Zero Day Vulnerabilities

April 14th, 2015

HackerOne is in the business of helping organizations develop and implement bug bounty programs. The basic idea is to provide a financial reward incentive for researchers to report discovered vulnerabilities rather than selling them on the black market. It's virtually impossible -- or at the very least unsustainable -- for legitimate businesses to outbid the black market over the long term, though, so the question is how to balance the financial incentives with the overall risk.

How Can Defenders Gain Advantage in the 0-Day Market?

April 14th, 2015

According to MIT, Harvard, and HackerOne researchers, the answer is not throwing more money at bug hunters, but to incentivize them to find the same vulnerabilities that the offense researchers have found. In short, to increase "bug collision."

HackerOne Now Offers Bounties For New Bug Discovery Tools and Techniques

April 14th, 2015

HackerOne, a coordinated vulnerability disclosure program run by people who built bug bounty programs at Microsoft, Google, and Facebook has broadened the scope of its Internet Bug Bounty program.

Throwing Cash at Zero-Days Won't Solve the Problem: Researchers

April 14th, 2015

Governments and businesses can't curb the threat of zero-day vulnerabilities by throwing money at the problem alone, researchers from MIT and Harvard along with infosec firm HackerOne have found.

Dropbox Launches Bug Bounty Program with Rewards Starting from $216, Retroactively Pays Out Over $10K

April 14th, 2015

Dropbox today launched a bug bounty program in conjunction with HackerOne. Rewards start at a minimum of $216 and there is no maximum.

Internet Bug Bounty Plans Rewards for New Tools to Find Vulnerabilities

April 14th, 2015

"In the end, the tug of war between attackers and defenders will always exist...How we structure incentives toward making offense more expensive for attackers and giving more defenders an advantage is the question."

Don't Collect Bugs, Invest in Fly-spray says Bug Bounty Operator

April 14th, 2015

The key to giving an edge to defence is not just to find and fix as many bugs as possible, but specifically to increase bug collisions in finding the same vulnerabilities as the offensive researchers have found and get them fixed.

Dropbox Launches Bug Bounty Program on HackerOne

April 14th, 2015

Dropbox has become the latest high-profile Internet firm to start a bug bounty program, hooking up with HackerOne to provide rewards to security researchers who report vulnerabilities through the program.

What Drives the Zero-Day Market?

April 14th, 2015

Defenders can certainly get bugs faster by creating incentives for individual vulnerabilities, but an important limit to recognize here is that there is a ceiling on the prices they can offer without creating perverse incentives and undesirable consequences.

Internet Bug Bounty Expands to Offer Bounty for Vulnerability Discovery Tools

April 13th, 2015

Bug bounties have proven to be an effective way to incent researchers to find and report individual vulnerabilities to the defense players, and as the stakes and cash have risen in the market for vulnerabilities, the opportunity to sell to both offense and defense markets has increased.

Researchers Try to Hack the Economics of Zero-Day Bugs

April 13th, 2015

There's a security truism that goes something like this: Defenders must protect all machines against all vulnerabilities, while attackers need only to find one way on to a system or network.

Internet Companies Pay Out to Those Who Find Bugs

April 8th, 2015

"There is a disturbing lack of trust and consistency relating to how people report vulnerabilities and how organisations respond to them. . . we're convinced that we must dramatically change how the world handles security research if we have any hope of advancing the state of security. We built HackerOne to empower the world to build a safer internet," Alex Rice, CTO HackerOne.

The State of Open Source Security

March 29th, 2015

"We need to build a security mind-set. This is important to every software project, open source or not," said Moussouris.

The Big Business of Smashing Bugs

March 11th, 2015

After meeting with Rice, Martinez decided last year to outsource the program to HackerOne. "It really streamlined the whole process," he says. "We're working with folks we normally wouldn't work with because they are spread around the world."

These are the 25 hottest startups in San Francisco

March 8th, 2015

No software is perfectly secure. Before a hacker finds your company's vulnerabilities - Sony's devastating hack in December is a perfect example - you can hire a "good" hacker, someone who knows the ins and outs of computer software, to help you find and fix them. That's the thesis behind HackerOne, a marketplace for bug bounty programs.

A new breed of startups is helping hackers make millions - legally

March 3rd, 2015

"It's changed the way we think about security," says Andrew Pile, the chief technology officer at Vimeo, which recently launched a bug bounty through HackerOne. "It would have been nearly impossible for us to build this kind of program in-house from scratch."

How to Email Like Hillary Clinton

March 3rd, 2015

"The big caveat is that you must know what you're doing in terms of setting it up securely, and that's a fairly difficult, non-trivial problem for most people," says Katie Moussouris, chief policy officer for San Francisco-based HackerOne, a company that works with friendly hackers to help organizations like Yahoo, Twitter, and even government agencies detect vulnerabilities in their own technology.

Google 'Pwnium' Now Offers Infinity Million Dollars In Rewards For Year-Round Bug Bounty Program

February 25th, 2015

Katie Moussouris, chief policy officer for HackerOne - an organization that offers a platform for software companies to streamline vulnerability reports and offer bug bounties - thinks Google has the right idea with its "infinity dollars" bounty pool.

Facebook Bug Bounty Submissions Climb in 2014

February 24th, 2015

HackerOne chief policy officer Katie Moussouris said it's important that vulnerability disclosure programs directly feed an organization's software development lifecycles. She also stressed the importance of strategic thinking with regard to bounty programs, for example, concentrate not only on finding and fixing one-off bugs, but also focus on eliminating classes of vulnerabilities and the development of mitigations as well.

Katie Moussouris on Starting a Bug Bounty Program

February 22nd, 2015

HackerOne's Katie Moussouris explains one of the key things that companies that want to start a bounty or vulnerability incentive program should know: There is no one size fits all.

Groningen company HackerOne offers a platform to benevolent hackers

February 19th, 2015

Jarno Duursma of RTV Noord spoke with Jobert Abma of Groningen-based HackerOne. Abma explains: 'The digital world changes fast. Security designed today is often already broken tomorrow. To prevent cybercriminals from cracking that security, companies invite well-intentioned hackers in. This lets them keep improving their security continuously. These companies offer prizes for every vulnerability found.'

Bug bounties: 'Buy what you want'

February 16th, 2015

The security development lifecycle should be the source of heavy investment, and takeaways from bug bounties should be fed into the cycle in real-time -- rather than leaving vulnerabilities open until the next patch date scheduled.

Google Urges Friendly Hackers To Set Deadlines For Fixes, But How Feasible Is It?

February 16th, 2015

Criminals don't try to report technical details on how they attacked an online service, but friendly hackers do and are, unfortunately, often met with indifference or worse yet, threats of legal prosecution.

Bug Bounties: 'Buy What You Want'

February 16th, 2015

Bug bounty programs are popular, but what does a company need to do to make them a success?

Don't Build a Bounty Program; Build an Incentive Program

February 15th, 2015

The name bug bounty is actually a false categorization of what is truly just an incentive program... If you create an incentive at the right time, you will absolutely get the results you want.

Researcher Gets $5,000 for Severe Vulnerability in HackerOne

February 3rd, 2015

HackerOne, the popular security response and bug bounty platform, rewarded a researcher with a $5,000 bounty for identifying a severe cross-site scripting (XSS) vulnerability.

Vulnerability coordination for the internet... of everything

November 18th, 2014

Being prepared means planning a meaningful and effective response to those attacks, while building partnerships with the hacker community - who often stand as sentinels before new widespread exploitation takes place. The path forward is to build a resilient computing ecosystem that is increasingly expensive to attack, and increasingly reasonable to defend.

Banks Reluctant To Use 'White Hat' Hackers To Spot Security Flaws

November 4th, 2014

Katie Moussouris, policy director for HackerOne, set up a program for pre-screened hackers to attack (and improve) specific products - say a new online payments system. But just a handful of financial institutions signed up. "A lot of these organizations confuse having a clear way to report vulnerabilities to them with an open invitation to hack their systems," she says. "And those are two very different things."

Be Ready: Next Internet Bug Won't Be The Last

November 4th, 2014

Moussouris, meanwhile, brought an industry perspective to the discussion having been responsible for writing Microsoft's coordinated vulnerability disclosure policy and running that program during her seven years with the company. Her view on preparedness and resilience involves embracing security researchers and building means by which they can disclose vulnerability information to affected vendors without harm.

Security @ Scale 2014 Recap

November 4th, 2014

Katie Moussouris, now Chief Policy Officer of HackerOne, dove into the development of Microsoft's bug bounty program, which she pioneered over three years of looking at data starting in 2010 and announced in 2013.

HackerOne bug bounty program can pay bitcoin to white hat hackers with coinbase partnership

October 21st, 2014

Bug bounty hunters, or white hat hackers, around the world that use the popular platform HackerOne can now be paid in Bitcoin.

As Bug Bounties Become the Norm, Challenges Remain

September 23rd, 2014

"There is no one-size-fits-all bounty program. They're all different," Katie Moussouris, chief policy officer at HackerOne, said in her keynote speech at Virus Bulletin here Wednesday. "No bounty program is doing you any favors if it isn't feeding back into the security development lifecycle."

The Rise of the Hacker Bounty Hunter

September 23rd, 2014

HackerOne provides the infrastructure for these arrangements but stays out of the deals themselves, merely tacking on a 20 percent fee for each successful bounty. Think of it as TaskRabbit for hackers.

When It's A Good Idea To Invite An Army Of Hackers To Attack You

September 9th, 2014

HackerOne, whose executive DNA includes former managers of Microsoft's and Facebook's bug bounty programs, has over 9,000 security researchers on its site and over $9 million in venture funding from Benchmark.

Meet The Company That Helped Twitter Launch Its Bug Bounty Program

September 7th, 2014

HackerOne's platform helps companies of any size - including big ones like Twitter and Yahoo - streamline their bug reporting programs, with or without a cash reward bounty.

Twitter Taps HackerOne To Launch Its Bug Bounty Program

September 2nd, 2014

HackerOne offers a plug-and-play solution for companies that want the benefits of crowdsourced bug hunting without having to fiddle with administering the program themselves. Others that employ HackerOne include Yahoo, Square, MailChimp, Slack and Coinbase.

Your Anonymous Posts to Secret Aren't Anonymous After All

August 21st, 2014

"As hackers disclose these kinds of vulnerabilities through our HackerOne bounty, we just make more and more advancements," says Byttow. "We've had zero public incidents with respect to security and privacy. Everything has come through our bounty program."

Sisters in Security: Katie Moussouris' Leaps of Faith

August 14th, 2014

Katie Moussouris has been a hacker, a developer, and penetration tester. She is curious and passionate about making a difference in the world... Currently, Moussouris is the chief policy officer at HackerOne, where her chief role is promoting and legitimizing security research among organizations, legislators, and policy makers. A hacker explaining what hackers do and why it is important. That is a role that suits Moussouris perfectly.

Squeezing more out of log management and SIEM; beating botnets; detecting stealthy attacks.

June 29th, 2014

HackerOne was co-founded by CTO Alex Rice, formerly a security expert at Facebook, and Merijn Terheggen, formerly with the Online24 consultancy providing penetration testing and other services in the U.S. and the Netherlands.

HackerOne Secures $9 Million, Appoints Katie Moussouris Chief Policy Officer

May 28th, 2014

Vulnerability disclosure platform HackerOne has secured $9 million in a Series A round of funding, and has appointed Katie Moussouris, former senior security strategist lead at Microsoft, as the company's chief policy officer.

HackerOne Bug Bounty Platform Lands Top Microsoft Security Expert

May 27th, 2014

With bug bounties being all the rage, the platforms that support them are emerging as important pieces of the security research, disclosure and reward ecosystem. One of those platforms, HackerOne, has scored a major coup in hiring Katie Moussouris, the driving force behind Microsoft's bounty program, to oversee its policy and disclosure philosophy and work with customers on the intricacies of vulnerability disclosure.

HackerOne Emerges With $9 Million to Root Out Software Bugs

May 27th, 2014

HackerOne, a startup co-founded by a former Facebook security expert, has emerged with a new approach to fighting cybercrime and improving the quality of software by fixing the bug problem.

HackerOne gets $9 million in funding to reward spotters of software flaws

May 27th, 2014

HackerOne offers companies a free system for processing flaw reports. Those companies decide whether to pay the researchers and how much, and they can pay HackerOne for advice.

Adobe launches vulnerability disclosure scheme on HackerOne

March 4th, 2014

Adobe has launched a web application vulnerability disclosure program on HackerOne in an attempt to improve the security of its products.

Internet Bug Bounty Pays for Bugs in Core Technologies

November 6th, 2013

The Internet Bug Bounty is accessible to a broad pool of security researchers and has the potential to improve security for a wide variety of technology users.

BruCon Keynote

March 9th, 2013