2017 was a year of numerous and highly damaging data breaches, putting hundreds of millions of consumers at risk. It could however have been worse. It is natural to focus on the sorry state of security and the hundreds of millions of data records that were stolen. But 2017 was also a year of broad progress in cyber hygiene and discipline. Tens of thousands of security vulnerabilities were eliminated with the help of ethical hackers. The optimist in us points to the breaches that did NOT happen last year and to the CISOs and security teams who managed to keep cyber crime at bay.
Responsible organizations worldwide are making dedicated efforts to strengthen cyber defences by teaming up with the talented security research and hacker community to reduce risk.
The U.S. Department of Defense continued their exemplary Hack the Pentagon program in 2017, inviting hackers to hack the Army and Air Force. As a result, both are now more secure, with follow-on programs in the works for 2018. Other agencies are following suit. The General Services Administration (GSA) launched their bug bounty program in the spring, the European Commission announced a program this past fall, and the year ended with the Singapore Ministry of Defense announcing that they, too, will turn to the security researcher and hacker community to improve their already heavy investment in security.
In 2017, HackerOne experienced the biggest annual growth so far, with 1,000 customer programs on the platform and exceeding $23M in bounties awarded to the hacker community. To meet the increased demand of a business that grew faster than the overall market, we doubled our team whereas others in the space saw a need to curb their expansion. The HackerOne growth happened without us touching the investment round of early 2017, which sets us up excellently for the coming years. We are building a platform to deliver a sustainable and scalable business around our company mission — to empower the world to build a safer internet. By the end of 2020, we plan to have paid over $100 million in rewards to hackers. This is Hacker-Powered Security.
The hacker-powered security journey starts with a Vulnerability Disclosure Policy. This practice has become highly recommended and endorsed by leading digital vendors and by the FTC, NIST, DOJ and others. So important is this that in November, the U.S. deputy attorney general recommended every company to establish a vulnerability disclosure program as part of their InfoSec best practices. HackerOne is the only vendor that can serve all types of customers at any stage of their security maturity and whatever their needs.
We are seeing a trend that continues to pick up steam entering 2018. National governments around the globe are establishing recommendations and requirements for companies in important areas of cyber hygiene. In Europe, the GDPR directive sets obligations for companies to disclose data breaches to the authorities, and harsh penalties in cases of a data breach. The rules are tough, but so is the problem.
This is why the most secure organizations in the world know that they can’t go at it alone. A pooled defense is the best defense. Hackers play an essential role in security, their community acting as the immune system of the internet. They come from every corner of the globe, from every age group and from every walk of life. They are united by unlimited curiosity and they possess a will stronger than many can fathom to make the internet more secure. They do their work for the benefit of each and every one of us. We are blown away by the skills, the passion and integrity of these bug hunters. It’s an immense honor and a serious duty for HackerOne to represent the world’s largest hacker community.
In 2017 we continued to invest in the next generation of hackers and security leaders. From our Hacktivity feed to S(h)ecurity to collaborations with UC Berkeley and Code.org to the first-ever hacker-powered security conference, Security@ San Francisco. There is still more work to be done. Our aim is to put all the world’s security vulnerabilities on notice to be found by hackers and fixed by the owners of the systems.
Here’s to a great new year and Hacker-Powered Security!
— Mårten Mickos, CEO