
HackerOne raises $40M in their C-round of funding - vilpponen
https://www.hackerone.com/blog/The-best-security-initiative-you-can-take-in-2017
======
droopybuns
I'm pulling for the H1 gang. Bug bounties are a critical security component for
any business: they are the only way to catch unknowns and known unknowns. If
your business doesn't have some form of bounty program, you are whistling past
graveyards.

Working with H1 is great because they can help you avoid running a program
that creates problems during your launch, manage submissions, handle
international payouts, etc. Can't say enough positive things about these folks.

~~~
ddworken
Just wanted to chime in and say that working with them as a hacker is also a
great experience. They put a ton of emphasis on the community with publicly
disclosed reports
([https://hackerone.com/hacktivity/popular](https://hackerone.com/hacktivity/popular)),
statistics on response efficiency (e.g.
[https://hackerone.com/uber](https://hackerone.com/uber)), and a great
support/mediation team
([https://support.hackerone.com/hc/en-us/articles/210782803-How-does-hacker-mediation-work-](https://support.hackerone.com/hc/en-us/articles/210782803-How-does-hacker-mediation-work-)).
In addition, they also have a really admirable stance on transparency and it
seems like they always share as much information as they can (e.g.
[https://www.hackerone.com/blog/fair-and-transparent-hacker-invitations](https://www.hackerone.com/blog/fair-and-transparent-hacker-invitations)).

I've personally learned a ton from working on bug bounties through HackerOne
and am unbelievably excited to see them continue to grow.

~~~
tgsovlerkhgsel
I had the exact opposite experience. I filed a vuln report for a company that
promised guaranteed bug bounties, complete with a polished PoC. I received no
response at all. I contacted HackerOne, who pinged the company a couple times,
didn't get a response either, apologized to me and that was it.

The company remained on HackerOne and continued to promise bug bounties (and
occasionally even paid some). Meanwhile, since the company hadn't responded to
my report, I was not even able to disclose it within the platform.

I wrote it off as a learning experience and concluded that HackerOne was
clearly focused on getting companies on board while not really caring about
hackers. Business-wise, it's probably a clever practice (because getting
companies on board is hard while finding hackers is easy), but I certainly am
not very excited about them...

Edit: Said company is still on HackerOne, still offering their bug bounty,
with links in the description now pointing to 404s since they changed their
product line in the meantime. QED.

~~~
ddworken
Wow, I'm definitely really surprised to hear that just because it is in such
stark contrast to my own experience. If you don't mind me asking, how long ago
was this? From my own experience, they're continually improving (they just
added the response efficiency stats last May) and are putting a ton of effort
into growing the hacker community.

~~~
tgsovlerkhgsel
The original report was roughly a year ago. I've checked that the company is
still on their web site with 404-ing signup links roughly 30 minutes ago. I
see response efficiency stats, but I don't know how they handle still-open
reports. If they only consider reports that have received a response, a
company that resolves a couple of reports quickly while ignoring hundreds of
others will still have great stats.

Support simply told me to self-close the report because the company seemed
inactive, without removing the company from their web site.

I get that they can't force them to pay or triage all issues, but the very
least they could do would be letting researchers publish reports if ignored
for over 90 days, and remove companies that are inactive. However, HackerOne
wants to be able to show off a huge customer list, so they keep them on board,
and what the companies want is king, so they don't allow disclosure unless the
company allows it. (They also mix bug bounties managed by them with other bug
bounties, to make it seem like they have more customers than they really do.)

~~~
ddworken
Wow, very surprised to hear that. I definitely recommend taking Marten up on
his offer and sending him an email (this behavior—of the CEO reaching out to
hackers—is much more in line with my own experiences with them).

Good luck with everything!

------
vilpponen
Here's their official blog post on the announcement:
[https://www.hackerone.com/blog/The-best-security-initiative-you-can-take-in-2017](https://www.hackerone.com/blog/The-best-security-initiative-you-can-take-in-2017)

------
martenmickos
Good overview of HackerOne in The Verge:
[http://www.theverge.com/2017/2/8/14534738/hackerone-bounty-40-million-funding-us-army-vulnerabilities](http://www.theverge.com/2017/2/8/14534738/hackerone-bounty-40-million-funding-us-army-vulnerabilities)

------
Magicstatic
As a researcher, I am incredibly, incredibly excited to see H1 grow and more
companies come online. I pay a good portion of my rent through bug bounties
and I have to admit the gamification and ease of working with H1 makes it
fantastic for someone like me.