HackerOne, the platform for running and managing security bug bounty programs, today announced that it has closed a $25 million round led by New Enterprise Associates. This figure brings the total amount raised to $34 million, more than tripling the $9 million series A round led by Benchmark in May 2014.

This additional money is going towards encouraging hackers to find exploits. Don’t be alarmed: hackers get paid when they responsibly notify companies so they can fix issues before attackers have a chance to exploit them.

Previous investor Benchmark and the following angels joined in this new round: Salesforce Chairman and CEO Marc Benioff, Yelp CEO Jeremy Stoppelman, Digital Sky Technologies Founder Yuri Milner, Dropbox cofounder and CEO Drew Houston, Zenefits COO David Sacks, Riot Games cofounder and CEO Brandon Beck, Berggruen Holdings chairman Nicolas Berggruen, Riot Games cofounder Marc Merrill, Raise founder and CEO George Bousis, as well as BeachMint founder Diego Berdakin.

As part of the series A deal, Benchmark general partner Bill Gurley joined HackerOne’s board. This time, New Enterprise Associates general partner Jon Sakoda joined the board of directors.


“Every organization needs to double down on security,” HackerOne CEO Merijn Terheggen told VentureBeat. “The HackerOne approach has the opportunity to fundamentally change the way we protect customers while rewarding the brilliant hacker community.” When asked about what the extra funds will be used for, he had some more to add.

“Companies can no longer afford to tackle security issues in isolation,” Terheggen said. “Engaging the hacker community is an incredibly effective way to find security holes first. Organizations globally are starting to embrace this approach, and the opportunity ahead is enormous. With the additional funds, our primary focus is on distribution, and this includes supporting sales and marketing efforts on a global scale, but above all else making the Internet safer for all.”

HackerOne makes money in a very simple way: the startup charges a 20 percent commission on top of each bounty paid through its service (it waives the fee for free open source software). With more than 250 customers on its platform (92 public programs, and even more invitation-only programs), it’s easy to see how lucrative the revenue stream can be.

Major tech companies that use HackerOne include Yahoo, Twitter, Adobe, Dropbox, LinkedIn, Square, Airbnb, Slack, Snapchat, Mail.ru, Qiwi, and Vimeo. Across all its clients to date, HackerOne says it has helped find nearly 10,000 security holes, paying over $3.12 million in bounties to more than 1,500 independent security researchers.

This early success has been driven entirely by word of mouth. Since its series A, HackerOne has grown from 10 employees to 50 today. Now the startup has the money to build out sales and marketing departments.

Dead Bug

“HackerOne has built an incredible platform that connects organizations with thousands of hackers worldwide to help defend enterprise and governments,” Sakoda said in a statement. “Embracing the hacker community is one of the most promising opportunities in security, and I am thrilled to be part of HackerOne’s continued growth and development.”

Bug bounty programs started at large tech companies, including Facebook, Google, and Microsoft, and they are all seeing great results. In fact, HackerOne was created by experts who scaled this new security approach at those three tech giants, with the goal of wooing the worldwide hacker community to find and disclose security holes in all public-facing software.

HackerOne is also the founding member of the Internet Bug Bounty, a program for encouraging finding and disclosing bugs in the Internet stack. Backed by Microsoft and Facebook, the hope is to secure the most important open-source software that supports the Internet.

As I’ve said time and time again, it’s always better to find and fix a bug before it becomes a PR nightmare. The cost of rewarding hackers with bounties is trivial when compared to the cost of paying for a serious security snafu.

HackerOne is bringing that system to the masses.

Get more stories like this on Twitter & Facebook