Million Dollar Bounty: HackerOne Secures Contract from the General Services Administration

The white hat hackers of HackerOne have won a $2 million bug bounty contract with the Technology Transformation Service (TTS) of the U.S. General Services Administration.

The firm, which employs ethical hackers to find security vulnerabilities in client websites before the bad guys do, has worked with the TTS for a little over a year now. The new contract extends the partnership, providing a base performance period of six months, with an additional nine option periods lasting six months each for a total of five years.

Marten Mickos, CEO of HackerOne, called the contract “a reminder of the leadership role that the U.S. federal government has taken in vulnerability disclosure.” The GSA in particular has shown a strong interest in using bug bounties – i.e., cash prizes to hackers who discover and report vulnerabilities – and is the first civilian agency to leverage these programs to improve its website security.

“Over the last year, GSA has proved to be one of the fastest government agencies in regards to resolution time,” Mickos said, “resolving vulnerabilities markedly faster than the global average for government bug bounty programs.”

The contract with the GSA comes just over a month after the company announced inking a deal with the U.S. Department of Defense to unleash its squad of white hat hackers on the public-facing websites of the Marine Corps Enterprise Network (MCEN). The Hack the Marine Corps bug bounty challenge in August was the latest iteration of the San Francisco, California-based company’s work with the DoD; the company has also launched similar campaigns with the Army, the Air Force, and the Defense Travel System over the past two years.

Founded in 2012, HackerOne presented Tapping Hackers to Improve Security at our developers conference, FinDEVr London, last summer. The presentation discussed how external, white hat hackers can help companies uncover cybersecurity flaws, and how they can move toward more comprehensive vulnerability disclosure programs.

Since inception, HackerOne has helped 1,000+ companies and organizations find and fix more than 76,000 cybersecurity vulnerabilities, earning white hat hackers $32 million in bug bounties.

Finovate Alumni News


  • Onfido to Help Crowdfunding Platform Indiegogo Fight Fraud.

Around the web

  • The Technology Transformation Service of the U.S. General Services Administration awards $2 million bug bounty contract to HackerOne.
  • Mortgage Cadence integrates LoanBean’s income calculation solution into its end-to-end loan origination platform.
  • Minnesota-based Glenwood State Bank ($289 million in assets) to deploy Jack Henry SilverLake core banking platform.
  • Avaloq taps former Credit Suisse executive Michael Pahlke as Chief Service Delivery Officer (CSDO).
  • founder and CEO Blake Hall earns spot on Washingtonian’s Tech Titans 2018: Washington’s Top Tech Leaders.
  • Infosys announces plans to open tech hub in Arizona and hire 1,000 Americans by 2023.
  • PromonTech integrates its POS platform, Borrower Wallet, with GSF Mortgage.
  • Forbes features Tina Hsiao, COO at WePay.
  • Fenergo doubles revenue for 2nd year & expands into new market segments.
  • ISARA partners with DigiCert and Gemalto to develop digital certificates and secure key management for connected devices.
  • Flywire partners with Allianz Global Assistance to enable families to purchase Allianz’s GradGuard Tuition Protection Plan.
  • Trustly’s Pay N Play solution to power Gaming Innovation Group fast-registration and withdrawal feature.

This post will be updated throughout the day as news and developments emerge. You can also follow all the alumni news headlines on the Finovate Twitter account.

Finovate Alumni News


  • DefenseStorm Forges Strategic Partnership with Alogent.
  • FinovateFall 2018: Be There … In Times Square.

Around the web

  • Ripple reaches milestone as its RippleNet network is now live in more than 40 countries across six continents.
  • Bambu, Exate Technology, and Market IQ are among the seven startups selected for Plug and Play ADGM’s three-month accelerator program.
  • AlphaPoint appoints Moishe Gubin to its board of directors.
  • CallVU to provide an international credit company with biometric authentication via its digital engagement platform.
  • Enveil and Payfone earn spots on the 2018 SINET 16 Innovators roster.
  • Fifth Domain features HackerOne in a look at how white hat hackers could help improve voting machine security.


HackerOne to U.S. Marine Corps: We’ve Got Your Six

Who defends the defenders? When it comes to the U.S. Marine Corps and the challenge of cybersecurity, the U.S. Department of Defense goes with the white hat hackers of HackerOne.

“Success in cybersecurity is about harnessing human ingenuity,” HackerOne CEO Marten Mickos explained. “There is no tool, scanner, or software that detects critical security vulnerabilities faster or more completely than hackers. The Marine Corps, one of the most secure organizations in the world, is the latest government agency to benefit from diverse hacker perspectives to protect Americans on and off the battlefield.”

For its sixth bug bounty program, Hack the Marine Corps, the Defense Department has again enlisted hacker-powered cybersecurity firm HackerOne to improve security on the public-facing websites of the Marine Corps Enterprise Network (MCEN). The program began with a live hacking event in Las Vegas, Nevada, on Sunday. This kickoff event featured nearly 100 white hat hackers who spent nine hours testing and probing the Marine Corps’ public-facing websites for security vulnerabilities. The hackers filed 75 unique valid security vulnerability reports that day, winning more than $80,000 in prize money for their efforts. The bug bounty program continues until August 26th.

HackerOne co-founder Michiel Prins during his presentation “Tapping Hackers to Improve Security” at FinDEVr London 2017.

Hack the Marine Corps is part of the Hack the Pentagon crowdsourced cybersecurity program initially launched by the Department of Defense’s Defense Digital Service (DDS) and HackerOne in 2016. The Marine Corps commitment to improving cybersecurity has grown since then to include the creation of a cyberspace career track for service members. In fact, during the Vegas event, members of the U.S. Marine Corps Cyberspace Command (MARFORCYBER) worked alongside the invited security professionals on both offensive and defensive cyber teams.

“Information security is a challenge unlike any other for our military,” DDS Director Chris Lynch said. “Our adversaries are working to exploit networks and cripple our operations without ever firing a weapon. Sometimes, the best line of defense is a skilled hacker working together with our men and women in uniform to better secure our systems.” More than 5,000 vulnerabilities have been reported in government systems since Hack the Pentagon was launched.

In addition to Hack the Pentagon and Hack the Marine Corps, bug bounty challenges have also been launched with the Army (December 2016), the Air Force (April 2017), and, this spring, the Defense Travel System.

Founded in 2012, San Francisco, California-based HackerOne participated in our developers conference, FinDEVr London, last summer. The company’s presentation, Tapping Hackers to Improve Security, underscored the role and value of bug bounty programs as part of a comprehensive strategy to develop an effective cybervulnerability disclosure program.

More than 1,000 organizations including Google, Nintendo, Lufthansa, and Starbucks have leveraged HackerOne’s white hat hackers to find and fix vulnerabilities before they are discovered by cybercriminals. HackerOne has helped companies resolve more than 76,000 vulnerabilities, resulting in the awarding of more than $32 million in bug bounties to ethical hackers.

Finovate Alumni News

Around the web

  • TechCrunch talks with HackerOne CEO Marten Mickos on bug bounties and the value of white hat hackers.
  • Cardlytics bolsters executive ranks with pair of new group presidents: Randall Beard and Shannon Johnson.
  • American Banker interviews new SoFi CEO Anthony Neto.
  • First Data goes live with Clover Mini and Clover Flex smart terminals in Germany and Austria.
  • Chetu earns Best Custom Business Software Developer Award from US Business News.
  • Ivan Nabalon, CEO and founder of Best of Show winning Electronic IDentification discusses the mainstream potential for cryptocurrencies.
  • ChartIQ teams up with Trading Central to provide technical insights and tool to traders.
  • Blockchain healthcare platform HealthCombix partners with NuCypher.


Stronger Together: Fintechs, Techs, and FIs Collaborating on CyberSecurity


Ready for some good news on the cybersecurity front?

Most of the time cybersecurity appears in the headlines, it is a report of a breach that just occurred or a new threat to guard against in the future. Caught between the hack that caught us unaware and the certainty that it won’t be the last, we can lose sight of the fact that there are hundreds of cybersecurity firms with thousands of security professionals that are working around the clock to make our lives online a lot safer. And many of these companies are Finovate alums specializing in service to the financial industry and its customers.

Ted Ross, founder and CEO of SpyCloud, demonstrating the company’s Best of Show-winning platform at FinovateFall 2017.

Importantly, not only are these companies working 24/7/365 to fight cybercrime, but also many of them are teaming up and partnering with financial institutions, retailers, and each other to test their technologies, make key improvements and enhancements, and ultimately get their fraud-fighting solutions to market.

With that in mind – and in line with our October focus on cybersecurity – here’s a look at the partnerships, agreements, and collaborations forged by our cybersecurity-related alums so far in 2017.



  • Mitek partners with handwriting-based biometric authentication service Asignio to deliver IDaaS solution.
  • Avoka extends strategic partnership with Mitek for digital identity verification solutions.
  • ThreatMetrix and partner to deliver ID verification for government and commercial digital services.
  • Ledger partners with Intel to boost blockchain app security.
  • BioCatch to power behavioral biometrics for Samsung SDS America. 
  • SecureKey collaborates with Intel to enable consumers to access its blockchain-based digital identity technology via traditional web browsers.
  • Zighra launches flagship continuous authentication product.
  • Kony to launch digital banking solution leveraging Daon biometrics. 
  • iSignthis to integrate its Paydentity UBO Service with Web Shield’s InvestiGate platform.
  • TASCET teams with Secured2 to launch Algo5 data security offering.


  • Latvian Bank Citadele secures mobile and online banking with VASCO’s DIGIPASS for Apps and CRONTO.
  • National Bank of Canada joins SecureKey’s digital identity network.


  • HooYu to provide ID confirmation for U.K.’s Cars-as-a-Service easyCar Club.

Multiple Best of Show winner EyeVerify demonstrating its Eyeprint ID technology at FinovateEurope 2017 with partner YapiKredi Bank.



  • Vera to provide data security services for GE.
  • BioCatch to power fraud prevention solutions for HoneyTek Systems.


  • DefenseStorm to bolster cybersecurity operations for Genesee Regional Bank ($551 million in assets).
  • Open Banking selects Ping Identity to provide the identity and access management to underpin the U.K.’s open banking framework.


  • Signifyd guarantees fraud protection for Magento Commerce Merchants.
  • Infosys Finacle partners with ToneTag to leverage sound wave technology to drive contactless authentications and transactions.



  • Jumio partners with Plynk to bring instant verification to Europe’s first money messaging app.
  • FIS and Equifax partner to offer new identity verification solution, OnlyID.
  • Biometric Signature ID partners with National Fingerprint to provide virtual ID proofing and verification services.
  • BioCatch partners with LexisNexis to leverage data and analytics for better risk management.


  • Samsung to power biometric authentication pilot for Bank of America.
  • Mexican payment processor chooses fraud fighting technology from Featurespace.


  • HooYu brings identity confirmation technology to BCRemit.



  • ID Analytics partners with Acxiom to strengthen risk assessment and combat fraud.
  • HackerOne powering bug bounty program for Tor browser.


  • MoneYou integrates Mitek’s identity solutions for real-time digital onboarding.
  • DefenseStorm to serve as cybersecurity partner for Bank of Jackson Hole to enhance security.


  • International Air Transport Association chooses fraud prevention technology from Featurespace.
  • Signifyd brings its Guaranteed Fraud Protection solution to Authorize.Net’s U.S.-based e-commerce merchants.

Behavioral biometric innovator BehavioSec, shown here demonstrating BehavioSec on Demand at FinovateFall 2015, has won three Best of Show awards.



  • Daon adds EyePrint ID to IdentityX platform courtesy of new partnership with EyeVerify.
  • IdentityMind Global to offer’s document authentication technology to its financial services customers.
  • Jumio partners with Monzo for strong identity verification.
  • iovation to integrate its device-based authentication technology with PingFederate from Ping Identity.
  • TSYS partners with Featurespace to deliver real-time decision capabilities.


  • Leumi Card to use Feedzai’s artificial intelligence platform to fight fraud.
  • Ghana-based Premium Bank selects NetGuardians’ anti-fraud solution – FraudGuardian.



  • Cisco and IBM team up on security.
  • BehavioSec partners with Kount.
  • Trulioo partners with Mitek to add facial recognition functionality to its ID verification platform.
  • Daon to integrate IdentityX platform with Experian’s fraud and identity platform, CrossCore.


  • Australia-based forex broker Pepperstone to deploy Paydentity verification services from iSignthis.



  • Fraud prevention innovator Featurespace partners with U.K. digital family banking solution, goHenry.
  • Payment solutions provider Buckaroo chooses AML solution from Fiserv.


  • Global financial services firm chooses Mobile Verify and Mobile Fill from Mitek.


  • Braspag announces integration of e-commerce and anti-fraud technology from ACI Worldwide.

A FinDEVr favorite, HackerOne and its bug bounty and vulnerability disclosure platform leverage white hat hackers to find critical security gaps before criminals do.



  • Mastercard adds to authentication arsenal with acquisition of NuData Security.
  • Swiss financial sector infrastructure operator SIX partners with IBM Watson to build cyber-security hub.


  • Daon brings mobile biometric authentication to UnionBank.
  • Co-op Financial Services to leverage machine learning-based fraud fighting technology from Feedzai.
  • Pindrop to mitigate call center fraud for credit union service organization PSCU.


  • Saltrex to use Jumio’s Netverify Trusted-Identity-as-a-Service.
  • Featurespace to provide machine learning fraud and risk management solution to CashFlows.



  • BioCatch brings continuous online and mobile authentication to Nuance Communications’ Security Suite solution.
  • Icon Solutions joins forces with Featurespace to bring anti-fraud protection to instant payments.


  • Affinity CU becomes “trusted sign-in” partner in SecureKey Concierge.
  • First national private bank of Turkey, Yapi Kredi to deploy Eyeprint ID from EyeVerify for mobile logins.


  • Feedzai and Merchant Risk Council (MRC) team up to leverage AI and machine learning to fight fraud.
  • MoneyGram using Mobile Verify from Mitek to meet AML requirements.



  • Arxan Technologies partners with Cisco to protect connected medical devices.
  • WISeKey and Stratumn partner to provide enterprise-grade process security software based on blockchain technologies.
  • FICO and Ethoca partner to improve card acceptance rates, fight CNP fraud, and reduce disputes.


  • ACI Worldwide to provide fraud protection for Kuwait’s Shared Electronic Banking Services Company (KNET).
  • NetGuardians brings real-time fraud protection to Nigeria’s Keystone Bank.


HackerOne Powering Bug Bounty Program for Tor Browser

Bug bounty and vulnerability disclosure platform HackerOne is powering a bug bounty program for the Tor Project, the company behind the anonymizing Tor browser.

Tor security team lead Georg Koppen said the company selected HackerOne because “HackerOne is well known by the security community, and we wanted to pick a trusted platform for open communication with independent experts.” This marks Tor’s first public bug bounty since it was founded in 2002. The company conducted a small, private bug bounty in 2016, but Koppen said he “knew going public would expand [its] relationships in the community and improve [its] results.” With support from the Open Technology Fund, the Tor Project said that it will pay out anywhere from $100 to $4,000, depending on the severity of the bug discovered.

HackerOne offers a platform that recruits security researchers and white hat hackers to identify security weaknesses for its clients, including Twitter, Airbnb, Uber, Yelp, and the U.S. Department of Defense. Since it was founded in 2012, HackerOne has run 852 programs, fixed 49,793 bugs, and facilitated $18.7 million in bug bounty payouts.

Michiel Prins, HackerOne Co-Founder presenting Tapping Hackers to Improve Security at FinDEVr London 2017

The San Francisco-based company has offices in London, Seattle, Los Angeles, North Carolina, and the Netherlands. HackerOne earned the Favorite FinDEVr Debut award for its presentation at FinDEVr New York this year and won the Crowd Favorite award at its FinDEVr London presentation last month. In a separate announcement today, the company announced the launch of HackerOne Response, a new product to help companies receive security vulnerability reports from the hacker community, their users, and customers.

Finovate Alumni News


  • Top Five Trends in Customer Engagement Technology.
  • Coder, Broker, Music Producer: Hellenic Bank’s Natasha Kyprianides is Inspired by Constraints.
  • HackerOne Powering Bug Bounty Program for Tor Browser.
  • Truphone Added to List of Carriers for Apple SIM.
  • LendKey Raises $13 Million in Equity and Debt Financing.

Around the web

  • PaySimple and Ping Identity named on list of top ten startups developing in Denver, Colorado.
  • Citigroup expands partnership with PayPal to allow card members to use rewards points for purchases at PayPal checkout in the U.S.
  • Darwinex wins spot in South Summit Startup Competition 2017.
  • TD Ameritrade TickerTape blog spotlights social sentiments app, LikeFolio.
  • Dwolla adds multi-user feature to its Access API Dashboard.


FinDEVr London: Crowd Favorites and Top Tweeters

FinDEVr London is a wrap! Big thanks to all those who attended our first developers conference in the U.K. We had a great time meeting developers and software engineers from around the world who had come to London to find out more about the technologies that are driving the latest innovations in fintech.

We would also like to thank our sponsors and partners, our AV team and volunteers, and everyone else who came out and made FinDEVr’s London debut a success. We are looking forward to coming back!

And last but not least, let’s give a tip of the hat to FinDEVr London’s Crowd Favorites. Chosen exclusively by our attending audience, four companies were selected: a Crowd Favorite and a Runner Up for both Day One and Day Two.

Day One Crowd Favorite: HackerOne 

Day One Crowd Favorite Runner Up: Trusted Key

Day Two Crowd Favorite: IdentityMind Global

Day Two Crowd Favorite Runner Up:

Thanks to our followers on Twitter, who were an active part of FinDEVr London. Whether you were able to join our live audience or followed the conference online or on your mobile phone, the #FinDEVr hashtag @FinDEVr was a great way to make your opinions heard and learn from the observations of the fintech professionals among our followers.

Again this year we awarded a pair of Twitter prizes. Taking top honors for Best Use of #FinDEVr was Jimmi Bram (@JimmiBram) of Copenhagen, Denmark, with his especially keen eye on cryptography and ID verification technologies.

Earning Runner Up was Simon Bussy (@SimonBussyAltus) of the U.K. Simon won not only for his best practices strategy of including photos with his tweets, but also for tweeting the equation all of us at FinDEVr live by: “fintech + great venue + good coffee = great morning.”

And speaking of Twitter photos and best practices, our winner for the Best #FinDEVr Photo went to Sofia Mashovets (@SofiaMashovets) of Harborx.

Sofia accompanied her Twitter photo (below) with the note: “My super power? Making the CEO and CTO take silly pics at 💪🏻they’re the best, really (these guys, not the pics).”


FinDEVr Preview: HackerOne

FinDEVr Previews highlight companies presenting new developer tools, platforms, and integrations at FinDEVr London 2017. Get ready – FinDEVr’s London conference is just a few days away! Register today before the show starts June 12 & 13.

Bug bounty programs are popping up all over the place, as more and more companies embrace collaborating with friendly hackers to find vulnerabilities before cyber criminals have a chance to exploit the same bugs for nefarious purposes. The presentation from HackerOne will show how external hackers can help assess and quantify your security posture.


Why it’s a must-see

Today, most fintech companies are running these bug bounty programs in private. Whether you run an active program, or if your security email address is routed to /dev/null, this session will help attendees shed blind dogma and walk away armed with an analytical approach towards building an effective vulnerability disclosure program.
