
New HackerOne CEO Kara Sprague to Expand Beyond Bug Bounties

Sprague Replaces Veteran CEO, Plans to Double Down on PTaaS and AI Red Teaming
Kara Sprague, incoming CEO, HackerOne (Image: HackerOne)

HackerOne has tapped F5's longtime product leader as its next chief executive to continue expanding its portfolio beyond operating vulnerability disclosure programs.


The San Francisco-based bug bounty provider has tasked Kara Sprague with capitalizing on HackerOne's existing growth in areas such as AI red teaming and penetration testing as a service to boost the company's wallet share with large enterprises. Sprague will start as HackerOne CEO on Nov. 4 and replace Marten Mickos, who has led HackerOne since November 2015 and will move into a strategic advisory role (see: Human-Powered Security in the Era of Rapid Automation).

"Bug bounty is not the only way that a community of security researchers can provide value to enterprise organizations," Sprague told Information Security Media Group. "As we talk about web apps giving way to APIs and APIs giving way eventually to AI models, all of these have different threat vectors, so there will be a need to continuously innovate on the HackerOne platform."

Sprague comes to HackerOne after spending seven years at Seattle-based F5, where she led the vendor's $1.3 billion application security and delivery product business since December 2022 as chief product officer. F5's product business grew 1.3% in the fiscal year ended Sept. 30, 2023 (see: How Security Risks Might Halt the Use of AI in Applications).

"My work over the last seven years at F5 has really focused on transforming the product portfolio so that it is future-ready - getting ready for software, cloud and AI-based deployments," Sprague said.

The Role of Security Researchers at HackerOne

Sprague plans to grow HackerOne's security researcher community by providing more opportunities for engagement and ensuring the platform is a trusted place for researchers to apply skills and creativity. Specifically, she wants to provide more opportunities for researchers to engage with various threat surfaces and establish partnerships that enhance the technical proficiency of the researcher community.

"They bring different sets of capabilities and different talents, so the more variety you can offer to them in terms of ways to engage and identify vulnerabilities in a threat surface area creates more opportunities for a larger group and a more diverse group of security researchers to participate in that," Sprague said.

The scale and creativity of HackerOne's security researcher community have allowed the company to become a market leader in the vulnerability disclosure space, Sprague said. She plans to build on this foundation by providing more engagement opportunities and maintaining a strong balance between enterprise needs and the researcher community.

"HackerOne has awarded over $300 million in bug bounties to its security researcher community, and we've minted 35 millionaires based on bug bounties," Sprague said. "It's a great way of showing how you apply market dynamics to a problem by basically enabling security researchers to use their time and apply their skill sets to solve issues and problems that organizations around the world have."

The Role of Trust in a Bug Bounty Program

Trust is fundamental to HackerOne's business model, both in its customer relationships and in its security researcher community, since clients rely on security researchers to uncover vulnerabilities that pose risks to their organizations.

"Ultimately, this becomes a place where sometimes, their dirty laundry is exposed," Sprague said. "In a successful bug bounty program or successful pen test program, you're likely to uncover things that create risk for the organization. They have to be able to trust the platform in order to use the platform to identify those things."

From a metrics standpoint, Sprague said, she's focused primarily on revenue growth, market share and penetration into the large enterprise. She noted the importance of profitability and of driving revenue growth at an effective margin rather than expanding at all costs.

"If CISOs don't already have in place a formalized vulnerability disclosure program, get ready for it, because if it is not something that is required today - either by your board or by regulation - it will be something that will be required in the near future," Sprague said. "It's a critical element of ensuring that your threat surface area is as low-risk as possible."


About the Author

Michael Novinson


Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.
