HackerOne bug bounty platform closes new $36.4m funding round

The Series D round brings overall funding to $110.4 million.
Written by Charlie Osborne, Contributing Writer

HackerOne has announced the closure of a Series D funding round that has secured the bug bounty program a further $36.4 million in investment. 

On Sunday, the company said the cash injection will be earmarked for scaling up its international business footprint as well as for expanding the firm's enterprise market solutions, moves which will "continue to strengthen the world's largest and most diverse hacker community."

HackerOne is one of the largest bug bounty platforms online and supports over 1,500 clients which use the system to secure the services of third-party cybersecurity specialists working as bug bounty hunters. 

Users are able to submit reports on new and previously unknown vulnerabilities impacting products before they potentially end up in the hands of cybercriminals, and in return, they are given credit and financial rewards. 

As today's enterprise companies continue to pivot towards software-based offerings and now often rely on software in both front-facing and supply chain capacities, business risks associated with cyberattacks are on the rise. However, there may not be in-house cybersecurity specialists available and so bug bounty platforms can provide a way for companies to secure outside help.

See also: Apple expands bug bounty to macOS, raises bug rewards

The HackerOne client roster includes a number of well-known companies including Dropbox, Coinbase, GitHub, Google Play, PayPal, Qualcomm, and Verizon Media. In addition, the platform is used by the US Department of Defense (DoD), the European Commission, the Ministry of Defence Singapore, and Goldman Sachs.

San Francisco-based HackerOne has completed four funding rounds to date. The latest Series D has brought total investment up to $110.4 million.

Investors include Valor Equity Partners, New Enterprise Associates, Dragoneer Investment Group, Benchmark, and EQT Ventures. The announcement of the latest funding round coincides with David Obrand, a partner at Valor Equity Partners, joining the HackerOne board of directors. 

CNET: Clerk uses photographic memory to steal credit card info from 1,300 customers

"HackerOne is leading a new wave of cybersecurity companies tackling the unique challenges brought on by rapid growth and more sophisticated attack surfaces," Obrand said. "Hacker-powered security is here to stay and with its tremendous customer and hacker community, HackerOne is dominating the market."

On the heels of the announcement, the bug bounty platform also revealed some interesting statistics. Over 30,000 vulnerabilities have been reported and resolved in the past 12 months and only 24 hours, in 77 percent of cases, is required for a new bug bounty program to receive its first valid report. In total, 25 percent of bugs discovered are considered high or critical and the average bug bounty paid is $3,384. 

While some vendors employ crowd-sourced vulnerabilities through such platforms, they may also run their own independent programs. Google's Project Zero, for example, finds and reports serious bugs impacting other companies and generally maintains a strict 90-day disclosure deadline. 

TechRepublic: How to sign into your Microsoft Account website without a password

In recent news, the Google security team published a series of blog posts detailing exploits used against iOS users when they visit malicious websites. A zero-day security flaw was resolved due to Google's report but Apple disputed the implied scale of the attacks. Google's team described the attacks as "en masse" whereas the iPad and iPhone maker says that the campaign was "narrowly focused" and involved fewer than a dozen domains. 

HackerOne's top 20 public bug bounty programs

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards