The Big Business of Smashing Bugs
Last updated October 11, 2018
Posted By Andre Holmes, October 11, 2018

NEW YORK — Mr Frans Rosén is a tech entrepreneur by day and a bug bounty hunter by night. The co-founder of Detectify, a security startup in Stockholm, spends his evenings scouring websites for vulnerabilities cybercriminals could exploit. Since he began moonlighting in 2012, he’s collected US$100,000 from companies in reward for tipping them off to flaws he unearthed. “Seventy to 80 per cent of the bugs I find are not detectable by software,” says Mr Rosén, 29, who manually combs through line after line of code.

As the pace of app rollouts, website launches, and software upgrades picks up, more companies are relying on freelancers to uncover flaws. When spotted by malicious hackers, defects can open the door to devastating zero-day attacks.

Google and Microsoft have long offered rewards to those who report serious flaws in their products. More recently they’ve been joined by a handful of startups that run bug bounty programs for other businesses. “Any company that is creating technology will have bugs,” says Mr Alex Rice, who managed Facebook’s bug bounty program before co-founding HackerOne in 2011.

The San Francisco-based startup has paid a total of US$2.2 million in rewards on behalf of clients including Twitter, Secret, a social media platform, and mobile payment company Square. It makes money by charging customers a 20 per cent commission on top of each bounty. Customers determine the size of the awards. HackerOne’s network of independent hackers spans 150 countries, according to the company. Rosén says he has HackerOne to thank for his biggest haul: US$1,600 for a flaw he unearthed in Vine.com, the video-clip platform owned by Twitter.

Yahoo! ran its own bug bounty program for years, rewarding hackers with mugs and T-shirts. In 2013 it introduced a virtual “wall of fame” and monetary awards. “We created different tiers of bounties, from US$50 to US$15,000, established case by case based on the seriousness of threat,” says Mr Ramses Martinez, Yahoo’s senior director for investigations. After meeting with Mr Rice, Mr Martinez decided last year to outsource the program to HackerOne. “It really streamlined the whole process,” he says. “We’re working with folks we normally wouldn’t work with because they are spread around the world.”

The cybersecurity market is projected to expand from US$95.6 billion in 2014 to US$155.7 billion by 2019, according to MarketsandMarkets, a consulting firm. HackerOne “is the perfect solution at the right time,” says Mr Bill Gurley, a partner at Benchmark Capital, which last year invested US$9 million in the company. HackerOne competes with a handful of other startups, including Bugcrowd, Synack, and Crowdcurity.

While its client roster is heavy with tech companies, HackerOne is also chasing customers in the health, banking, retail, and telecom industries. Mr Rice acknowledges that winning over major companies won’t be easy, despite high-profile hacks at Home Depot, Sony Pictures, and JPMorgan Chase. Letting a third party like HackerOne run your bug bounty program “is more innovative than most public companies are ready for,” he says.