New HackerOne CEO Kara Sprague to Expand Beyond Bug Bounties
Sprague Replaces Veteran CEO, Plans to Double Down on PTaaS and AI Red Teaming

HackerOne has tapped F5's longtime product leader as its next chief executive to continue expanding its portfolio beyond operating vulnerability disclosure programs.
The San Francisco-based bug bounty provider has tasked Kara Sprague with capitalizing on HackerOne's existing growth in areas such as AI red teaming and penetration testing as a service to boost the company's wallet share with large enterprises. Sprague will start as HackerOne CEO on Nov. 4 and replace Marten Mickos, who has led HackerOne since November 2015 and will move into a strategic advisory role (see: Human-Powered Security in the Era of Rapid Automation).
"Bug bounty is not the only way that a community of security researchers can provide value to enterprise organizations," Sprague told Information Security Media Group. "As we talk about web apps giving way to APIs and APIs giving way eventually to AI models, all of these have different threat vectors, so there will be a need to continuously innovate on the HackerOne platform."
Sprague comes to HackerOne after spending seven years at Seattle-based F5, where she led the vendor's $1.3 billion application security and delivery product business since December 2022 as chief product officer. F5's product business grew 1.3% in the fiscal year ended Sept. 30, 2023 (see: How Security Risks Might Halt the Use of AI in Applications).
"My work over the last seven years at F5 has really focused on transforming the product portfolio so that it is future-ready - getting ready for software, cloud and AI-based deployments," Sprague said.
The Role of Security Researchers at HackerOne
Sprague plans to grow HackerOne's security researcher community by providing more opportunities for engagement and ensuring the platform is a trusted place for researchers to apply skills and creativity. Specifically, she wants to provide more opportunities for researchers to engage with various threat surfaces and establish partnerships that enhance the technical proficiency of the researcher community.
"They bring different sets of capabilities and different talents, so the more variety you can offer to them in terms of ways to engage and identify vulnerabilities in a threat surface area creates more opportunities for a larger group and a more diverse group of security researchers to participate in that," Sprague said.
The scale and creativity of HackerOne's security researcher community has allowed the company to become a market leader in the vulnerability disclosure space, Sprague said. She plans to build on this foundation by providing more engagement opportunities and maintaining a strong balance between enterprise needs and the researcher community.
"HackerOne has awarded over $300 million in bug bounties to its security researcher community, and we've minted 35 millionaires based on bug bounties," Sprague said. "It's a great way of showing how you apply market dynamics to a problem by basically enabling security researchers to use their time and apply their skill sets to solve issues and problems that organizations around the world have."
The Role of Trust in a Bug Bounty Program
Trust is fundamental to HackerOne's business model both in terms of customer relationships as well as the security researcher community since clients rely on security researchers to uncover vulnerabilities that pose risks to their organizations.
"Ultimately, this becomes a place where sometimes, their dirty laundry is exposed," Sprague said. "In a successful bug bounty program or successful pen test program, you're likely to uncover things that create risk for the organization. They have to be able to trust the platform in order to use the platform to identify those things."
From a metrics standpoint, Sprague said, she is focused primarily on revenue growth, market share and penetration into large enterprises. She noted the importance of profitability and of driving revenue growth at an effective margin rather than expanding at all costs.
"If CISOs don't already have in place a formalized vulnerability disclosure program, get ready for it, because if it is not something that is required today - either by your board or by regulation - it will be something that will be required in the near future," Sprague said. "It's a critical element of ensuring that your threat surface area is as low-risk as possible."