Amongst the many companies taking advantage of the benefits of open innovation, HackerOne has leveraged a community of web hackers to create a leading cybersecurity business that helps the world’s largest companies detect and correct bugs in their respective ecosystems. HackerOne is a bug bounty platform that connects businesses with cybersecurity researchers. It started in 2012 after two Dutch hackers, Michiel Prins and Jobert Abma, made a target list of 100 high-tech companies that they wanted to try to hack. Soon, they had found security vulnerabilities in the systems of Facebook, Google, Apple, Microsoft, Twitter and 95 other companies. Ultimately, Sheryl Sandberg of Facebook raised this issue with Facebook’s then CIO, who paid the two hackers $4,000 for their find, and HackerOne was born.
Why Open Innovation?
Prins and Abma struck gold at the right time. With the advent of open innovation and the growth of Uber, 2012 was a perfect inflection point for open innovation and the gig economy, and for HackerOne to thrive. The open bounty program that this platform uses is a great way to allow researchers to help companies be safer, while keeping these researchers free from potential recourse from the government. As stated by former Facebook CIO Alex Rice:
“If researchers find something, they don’t know if they’ll be welcomed with open arms or delivered to the FBI kicking in their door. There’s a long stream of people with good intentions being treated very poorly as a result of that work.”
HackerOne allows researchers to essentially contract out their services to large corporations while maintaining their distance and staying out of potential legal trouble. The platform gives researchers the opportunity to do good with the bugs they find and get paid by corporations, as opposed to selling information on the dark web. For playing the “middleman”, HackerOne takes a 20% fee from the bounty that corporations pay.
[Image: How HackerOne’s bounty program works]
How to Scale
Since its founding, HackerOne has been on a tear, gaining notoriety among many Fortune 500 companies. Facebook, Uber, Google, and Coinbase are just a few of the companies that have current partnerships. Recently, General Motors decided to extend a 2016 program that it had started with HackerOne. As part of the program, GM committed not to sue security researchers for hacking its products, provided the researchers complied with a number of stipulations, such as not disclosing the vulnerability until GM rolled out a solution. GM President Dan Ammann says:
“GM plans to offer a cash payment for each “bug” found in this new Bug Bounty program. We’ll show them the products, programs and systems for which we plan to establish these Bug Bounties,” Ammann said. “Then we’ll put them in a comfortable environment — ply them with pizza and Red Bull or whatever they might need — and turn them loose.”
In its efforts to push open source cybersecurity forward, HackerOne has even gotten the attention of the US government. Ash Carter, Secretary of Defense, notes:
“We know that state-sponsored actors and black-hat hackers want to challenge and exploit our networks. We know that. What we didn’t fully appreciate before this pilot was how many white-hat hackers there are who want to make a difference, who want to help keep our people and our nation safer.”
As competition continues to heat up in the space, HackerOne must continue to innovate. One area that may be low-hanging fruit is education. Most hackers are self-taught, so it remains to be seen how formal education will impact the space. HackerOne has room to provide formal education and help young hackers self-learn as much as possible. HackerOne is currently broadening its researcher base to get more top hackers. This is a priority, and the company is experimenting with different solutions to the challenge. There is the Hacker101.com site with tutorials, there are blog posts and HackerOne-sponsored answers on Quora, and the company works with some universities on their cybersecurity courses to enable them to train people. Another space that may be ripe for HackerOne is personal computing. All computers will ultimately have a vulnerability. Can HackerOne grow its base of hackers wide enough to help patch up the vulnerabilities all of us have as everyday users of the internet? Should that be feasible, there is a large pool of demand waiting for HackerOne to expand.
As we look further into the future, one can only wonder about the sustainability of this model. The bounty program feels eerily similar to Uber’s contract model, and it raises the question: will the government ultimately step in and claim that these cybersecurity researchers are not contractors but are instead employees who have the right to benefits? Will HackerOne need to look at bringing more expertise in house?