(Adds background and comment from co-founder of HackerOne)
By Joseph Menn
SAN FRANCISCO, May 28 (Reuters) - HackerOne, a California-based security firm, said on Wednesday it had raised $9 million to expand its program to reward researchers who find software flaws.
As a movement toward paying security researchers who report vulnerabilities in technology products gains steam, executives have recently left jobs at Microsoft Corp and Facebook Inc to pursue the venture-backed business coordinating the practice.
Katie Moussouris, credited by security researchers for making Microsoft much more responsive to bug reports, said on Wednesday she had joined startup HackerOne as chief policy officer, working alongside Alex Rice, a former Facebook product security chief. Rice, a co-founder and chief technology officer of HackerOne, had launched Facebook’s “bug bounty” program, as such plans are sometimes called.
HackerOne said the funding was led by Benchmark, with its partners Bill Gurley and John Hering, executive chairman of smartphone safety company Lookout Inc, joining its board.
HackerOne offers companies a free system for processing flaw reports. Those companies decide whether to pay the researchers and how much, and they can pay HackerOne for advice.
Other young companies, such as Bugcrowd and Synack, likewise coordinate attempts to find flaws for pay. The practice “is definitely gaining recognition from a lot of mainstream players,” Moussouris said.
A decade ago, security researchers generally notified big software makers of problems in hopes of being publicly credited. Then intermediary services emerged that paid for the information and notified their own clients and the software vendors before the broader public.
In the past year, reports have also detailed the most lucrative side of the business, the sale of undisclosed flaws to contractors for the Pentagon and U.S. spy agencies.
The White House announced last month that it would more intensively review all new vulnerabilities and disclose most of the flaws to the software companies whose products are affected. However, Moussouris said many payments are stretched out over the period when the holes remain unpatched.
“The incentive model for some of the black-market operations is really designed to pay high prices to keep it out of the hands of vendors, so it stays undetected and unpatched for a long time,” she said.
Though operations like HackerOne do not pay as well as the National Security Agency, they make it easier for people who want to improve security, she said.
“We need to incentivize research in whatever ways we can. Otherwise we’re going to keep digging a hole,” Rice said.
HackerOne clients have paid out $750,000 to date in hundreds of bounty awards. Yahoo Inc alone has acknowledged 760 bugs.
Reporting by Joseph Menn; Editing by Leslie Adler, Lisa Shumaker and Diane Craft