For the past several years, HackerOne has been helping customers build bug bounty programs to find vulnerabilities in their software, and today it hauled in a big bounty of its own — a $40 million Series C investment led by Dragoneer Investment Group.
Existing investors NEA and Benchmark also participated, as well as a strategic investor the company chose not to disclose.
It brings the total investment to $74 million. Interestingly, CEO Mårten Mickos says the company really didn’t need the money, but there was significant investor interest and they decided to take the money, rather than wait until there was a specific need. Having a substantial amount of cash gives the company flexibility for several years, he says.
“I’ve been around the block a few times. You shouldn’t raise too much capital, and if you have raised capital, you shouldn’t use it all, but [having the money] can show how serious you are and lets you undertake new opportunities when you see them and move faster,” Mickos told TechCrunch.
HackerOne has developed a bug bounty platform, which lets customers offer money to security experts (or hackers) to comb the code and find specific vulnerabilities. It has attracted some big names to the platform, including Snapchat (which filed for an IPO last week), Uber, GM and the Pentagon, to name but a few.
Every platform has bugs and companies do their best to find them before they go live, but even the most technically proficient companies need help finding them. By offering a reward, companies can access a community of experts, who compete to find the bug and earn the money.
It’s a concept that’s taken time to take hold, but $40 million suggests that investors think its time has come. “Last year we saw tremendous growth. The hacker community tripled. Sales grew even faster. The world is coming this way. The best way to find vulnerabilities in live software is to employ security experts,” Mickos enthused.
One thing they intend to do with the money is to invest in artificial intelligence and machine learning to reduce the amount of noise on the platform for customers and get as close to 100 percent signal (actionable data) as possible.
When asked about a valuation for the round, Mickos wanted no part of such a discussion. “We won’t discuss valuation until the day we go public. It’s nothing we disclose or discuss. A business is not about valuation, it’s about serving customers and delivering amazing value,” he said.
The company has 700 customers running the platform with access to over 100,000 hackers. To date, $14 million has been paid to hackers via the platform (with half that in 2016 alone).
“The average bounty paid is around $500 per report. The minimum is $100, but can be thousands or tens of thousands of dollars. The highest bounty on the platform is $50K, and the highest paid so far is $30K,” Mickos explained.