Hacker Community Grows to Over One Million Registered Users; Veteran CISO Phil Venables Joins Board of Directors

HackerOne, the world’s most trusted hacker-powered security platform, today announced the company surpassed 2,000 customer programs. Also today, HackerOne announced that Phil Venables, Chief Information Security Officer for Google Cloud, has joined its Board of Directors. 

In what became a year of rapid digital transformation, nearly 50% of new sales came from enterprises with over $1 billion in revenue and approximately 70% of customers today have adopted multiple HackerOne products or services to reduce risk across their rapidly evolving attack surfaces. In tandem, HackerOne adoption in Europe increased nearly 70% as Chief Information Security Officers (CISOs) prioritized agility in their risk reduction practices. As a sign of mainstream adoption of hacker-powered security, HackerOne now partners with nearly one quarter of the Fortune 100 companies in the U.S., connecting them with specialized hackers to defend mission-critical environments across web, mobile, cloud, open source, supply chain, and more attack surfaces.

Adoption Across Industries

To adapt to business risks and resource restrictions amidst the COVID-19 pandemic, 36% of CISOs accelerated their digital transformation initiatives, bringing security transformations in tow. On HackerOne, industries hardest hit by this vital adaptation are augmenting and adopting hacker-powered security at scale, including year over year growth in aviation (129%), financial services (126%), retail and ecommerce (90%), healthcare (62%), and hospitality (61%). While shipping new products and services at a faster clip, processing new forms of payment, and increasing reliance on web assets, these businesses recognized how hackers have been able to adapt to their evolving attack surfaces and zero in on emerging threats. 

“At Hyatt, our purpose is to care for people so they can be their best and our bug bounty program with HackerOne is one way we deliver on our purpose for our colleagues, guests and customers by protecting their information,” said Benjamin Vaughn, CISO of Hyatt. “HackerOne’s solution provides tremendous value to our organization because the vulnerabilities that are reported shed light on where we can strengthen security measures in our most critical assets. What comes in from the security research community is novel, demonstrating that the bugs require a creative approach, specialized skill set and true intellect to discover."

CISOs across the globe are seeing this value and doubling down on their hacker-powered security strategies, with customers adding new scope and services such as Triage to existing programs and adding additional programs to reduce risk at every stage of software development. While HackerOne Response (the company’s vulnerability disclosure program, or VDP, offering) saw substantial growth year over year, most noteworthy is the increase in adoption of hacker-powered pentests. HackerOne Pentest saw 450% year over year growth, emphasizing how security leaders are getting beyond the “check the box” approach to manage risk and improve governance. In June, HackerOne extended its Pentest offering to European organizations, which contributed to the continent’s substantial year over year growth.

Hacker Community Growth 

As hacker-powered security adoption accelerates for customers, so does the opportunity for hackers. In fact, the hacker community has now grown to over one million registered hackers, representing the community’s exponential potential. In the past year, hackers reported over 50,000 valid vulnerabilities to organizations, with a 63% increase in the number of hackers submitting valid reports in the past year alone. Many more hackers on the platform are hacking, mentoring, and growing together as part of the learning community on Hacker101 and through interactive Capture the Flag challenges.

In May of 2020, HackerOne reached the milestone of $100 million paid to hackers for vulnerability reports, and we predict hackers will earn $1 billion in bug bounties within five years. Nine hackers have earned over $1 million dollars on the platform since 2019, and one hacker passed the $2 million mark in 2020.

Welcoming Phil Venables

Also today, HackerOne announced that Phil Venables, VP of Google and Chief Information Security Officer for Google Cloud, has joined its Board of Directors.

“Speed is the best friend of good security,” said Venables. “All software has bugs. Finding and fixing them before they can be exploited is an approach that is intuitive and obvious to everyone. This is why I’m thrilled to be joining HackerOne’s board — to help make working with hackers a part of every security strategy and a vital representation of dedication to security.” 

Venables is among the most respected cybersecurity leaders in the world with over three decades of experience across cloud services, enterprise and technology risk, and business resilience. Prior to Google, Venables had a 20-year career leading Goldman Sachs’s risk and cybersecurity functions, as well as serving as a Board Director of Goldman Sachs Bank. He is part of the ​NIST Information Security & Privacy Advisory Board​ and serves on the ​Stern School of Business Volatility and Risk Institute​ and ​Tandon School of Engineering​ boards at New York University (NYU). 

The Hacker-Powered Security Landscape

Vulnerability disclosure programs (VDPs), a longstanding best practice core to HackerOne’s mission and offerings, were systematized by industry and regulatory bodies requiring or strongly recommending the implementation of a VDP as part of building an effective cybersecurity strategy. This includes the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Binding Operational Directive 20-01, the NIST SP 800-53B update, the U.S. Office of Management and Budget Memo M-20-32, and the unanimous passing of the Internet of Things Cybersecurity Improvement Act.

Beyond regulation, similar trends are clear within the world’s most valuable public companies. Based on proprietary research, HackerOne found that 18% of the Forbes Global 2000 have a known policy for vulnerability disclosure as of July 2020. That’s an improvement compared to 7% on the 2017 list and 6% of the 2016 list, but still less than one in five of the world’s most valuable public companies have a channel for third parties to report vulnerabilities if they find them. In tandem, The U.S. Department of Defense announced their latest VDP results, including 26,617 vulnerabilities found by 2,283 hackers since the launch of Hack the Pentagon in 2016, showcasing the opportunity for learning from hacker findings.

“In the past year, plagued by the pandemic, economic worries, and social unrest, ethical hacking stood out as a formidable force for good, reducing cyber risk, and building digital trust,” said HackerOne CEO Marten Mickos. “As the leader in this market category, HackerOne saw tremendous business growth as it worked with thousands of customers to make their software more secure and their security teams more successful. The best governance and risk management action a company can take is to invite friendly hackers to assess and improve their security, and, by 2025, I predict it will be the exception to not work with hackers.”

For more information about getting started with hacker-powered security programs, visit https://hackerone.com