For some entrepreneurs, getting customers is a matter of marketing. For Jobert Abma and Michiel Prins, it's a matter of sniffing out security vulnerabilities and staving off cyber threats.
The two self-taught computer hackers today lead HackerOne, one of the largest white-hat hacking platforms in the world. With $74 million in venture funding from the likes of Benchmark and Dragoneer Investment Group, the San Francisco-based firm tasks 160,000 computer security experts around the world with finding bugs and cybersecurity vulnerabilities for companies like General Motors, Starbucks, Airbnb, and Twitter. It also works with government agencies, like the U.S. Department of Defense, and airlines like Lufthansa.
As hackers pull off mega breaches like they did at Equifax and meddle in elections, business has been booming, say the entrepreneurs. While they refuse to disclose revenue, Abma and Prins do claim that clients have resolved more than 61,000 vulnerabilities and paid over $24 million in bounties, of which HackerOne gets a cut.
"Everything is vulnerable," says Abma, explaining how his company is more necessary than ever. "There is a huge risk for every company."
Abma and Prins have been friends since they lived across the street from each other in Drachten, Netherlands. Born in 1990, both entrepreneurs are products of the internet age: They spent their formative years playing video games and building websites. As teenagers, the duo hacked into the school's TV station as a senior prank. At Hanze University in Groningen, Netherlands, they found a vulnerability in software used by the university to manage student information and grades that leaked personal data. Prins and Abma told the software company, but they didn't get paid. The duo realized some companies would be willing to pay, especially if they find critical vulnerabilities in software, holes big enough that they pose a dire threat to a company's business if not patched.
By 2011, Abma and Prins had a consulting company with a few clients. But a friend, Merijn Terheggen, who was living in San Francisco, told them to visit and see if they could build a company in Silicon Valley. Abma and Prins emailed tech companies like Google and Facebook, asking to get coffee and talk security. No one bit. But one email from Alex Rice, who was the head of product security at Facebook, said if they found any security vulnerabilities, they should reach out.
After digging through Facebook Messenger, Abma and Prins found a big bug. Rice invited the duo to a rooftop barbecue at the social-media company's campus to talk about the security hole. "We walked away with a contract to do penetration testing for Facebook," says Abma.
They realized if Facebook was receptive, other Silicon Valley companies would be too. "We made a list of 100 companies we'd like to work for--Twitter, Spotify, Uber--and we hacked each one to find security vulnerabilities," says Abma.
The duo, plus their friend from college, Terheggen, and Rice, who left Facebook to join his new business partners, started to build a new company, HackerOne.
'A talent agency for hackers'
The idea behind HackerOne is simple: The internet is inherently insecure, all software contains critical security vulnerabilities, and the average cost of a data breach for a single company is $3.6 million, according to a study by the Ponemon Institute. (Mega breaches, like Equifax, cost hundreds of millions of dollars.)
HackerOne makes it easy for companies to find and pay trustworthy independent security experts. "We're like a talent agency that matches trusted hackers with specific skills with companies," says Abma.
Investors also see the logic, and opportunity, of HackerOne: The company raised a total of $74 million from the likes of Marc Benioff of Salesforce, Russian entrepreneur and tech investor Yuri Milner, Drew Houston of Dropbox, and Jeremy Stoppelman of Yelp.
Since launching in 2012, the HackerOne platform has attracted more than 1,000 companies and organizations, which it connects with its network of white-hat hackers to sniff out and report critical security vulnerabilities in exchange for a fee. Depending on the severity of the vulnerability, a hacker on the platform could get a few hundred dollars up to $10,000. (Some bounties go over $10,000, but not often.) As an intermediary between the hackers and companies, HackerOne handles payments, tax forms, background checks, and other legal documents for the companies. HackerOne takes a 20 percent cut of each bounty from the hackers and a monthly subscription fee from the companies, which can range from a few thousand dollars to tens of thousands of dollars a year.
Many hackers say they don't mind giving HackerOne a percentage of their earnings because it's hard to do business with big companies. "When you're hunting for a bug on HackerOne, you know you'll get paid," says Jack Cable, an 18-year-old high school senior, who is one of HackerOne's highest ranked hackers. "HackerOne holds companies to their word."
Crossing the line
Of course, the line between malicious hackers and ethical hackers is still razor thin--and even with its white-hat intentions, HackerOne has gotten mixed up with allegedly malicious activities.
In December 2017, Reuters reported that a 20-year-old hacker was responsible for a large data breach at Uber and the company paid the hacker $100,000 through its bug bounty program on HackerOne to delete the data he threatened to release. The hacker stole the personal information of 57 million Uber users and drivers, but Uber said the hacker deleted the data after being paid off. Uber says it used HackerOne to pay the hacker to learn his identity. The U.S. attorney for Northern California is investigating whether Uber broke data breach notification regulations, according to the New York Times.
"None of this should have happened, and I will not make excuses for it," Dara Khosrowshahi, who replaced Uber founder Travis Kalanick as CEO in August 2017, wrote in a blog post. He was referring to how the company handled the hack and paid the ransom through HackerOne.
While HackerOne hasn't been blamed for any wrongdoing in this case, the company's CEO, Marten Mickos, did testify before Congress to address the incident and explain how bug bounty programs work. Still, Prins and Abma--who still go after bug bounties from time to time--say they are most passionate about changing the way society and the business world sees hackers.
"When we were kids, being a hacker was illegal--you were breaking laws," says Prins. "One of HackerOne's biggest missions is to change the perception of hackers as good guys."