Until recently, the phrase “bug bounty” only popped up in tech and security circles. Now, it’s becoming an everyday term as companies like Starbucks and GM, and even the U.S. Army, are making bug bounty programs part of their operations.
The phrase refers to rewards (the bounties) paid to hackers who warn companies about flaws in their computer systems the (bugs). It’s long been a popular concept at places like Google, but most non-tech firms opposed it, partly out of fear that a cash-for-hacking program would lead to trouble.
The recent change in attitude is coming as more corporate executives realize many hackers are not malicious, and are instead a valuable early warning system for compromised computer code.
Marten Mickos, the CEO of a startup called HackerOne, knows this better than anyone. The firm works with a large network of hackers, who, amongst them, have discovered over 38,000 vulnerabilities and received more than $14 million in prize money from HackerOne clients, including the likes of Uber and Starbucks.
HackerOne’s client list is growing quickly. As part of a plan to meet demand, the company on Wednesday announced a $40 million Series C funding round, led by Dragoneer Investment Group, a firm that has also invested in startups like Airbnb and Atlassian (TEAM).
“Bug bounty are now an essential part of the software life cycle,” Mickos told Coins2Day in a phone interview. “You have to be software-powered to benefit—but is anyone not software-powered these days?”
Get Data Sheet, Coins2Day ’s technology newsletter.
He also explained that the bug bounty support that HackerOne provides varies from company to company. While tech-intensive firms like Uber want to interact directly with the hackers who find vulnerabilities, retail firms are more likely to ask HackerOne to act as an intermediary.
HackerOne also acts as a market-maker of sorts, helping to decide what a particular tip is worth: The average is around $500, but one recent payout came to as much as $30,000.
In the eyes of Mickos, any of these amounts far outweigh the alternative: of ignoring hackers’ help to then discover that someone else found the vulnerability and decided to exploit it for criminal ends.
The HackerOne announcement comes as other developments have increasingly raised the profile and popularity of bug bounties. These include Google’s recent revelation that it boosted its bug bounty outlays to $3 million last year, and Apple’s decision to finally adopt a bug bounty program of its own in 2016.