HackerOne was very busy last year finding vulnerabilities in some of the most sensitive software used by the United States military. The Department of Defense selected HackerOne to run the US federal government’s first bug bounty challenge, Hack the Pentagon. Over the course of a month, hackers working with the company found 138 vulnerabilities. The challenge cost $150,000 to run and saved the DoD over $1 million, according to former defense secretary Ash Carter.

Next up the DoD also awarded HackerOne a $3 million contract to Hack the US Army. Between November 30th and December 21st, participating security researchers discovered 118 vulnerabilities, the first of which was found in just five minutes.

HackerOne is one of several startups, such as Synack and Bugcrowd, that organize bug bounties and vulnerability disclosures for companies. These bug bounties work by organizing security researchers to find vulnerabilities for HackerOne’s customers; the hackers in turn receive a cash reward from the company.

“Together we hit harder and the results speak for themselves.”

Today HackerOne announced a Series C financing round of $40 million, which was led by Dragoneer Investment Group. The company will use the funds “to invest further in technology development, expand market reach, and continue to strengthen the world’s largest and most diverse hacker community,” according to a press release. Among HackerOne’s other customers are Adobe, Yahoo, Uber, GitHub, Twitter, Slack, Nintendo, General Motors, Airbnb, and Qualcomm.

“Together we hit harder and the results speak for themselves,” HackerOne CEO Marten Mickos said in a press release. “There’s no such thing as perfect software and bug bounty programs are the most efficient and cost-effective solution for finding security vulnerabilities in live software. With support from Dragoneer we are in the best position to rapidly scale and empower the world to build a safer internet.”

The average HackerOne bug bounty award is $500

The company currently has more than 100,000 hackers registered to hunt bugs on the platform. So far, they have resolved over 37,000 security vulnerabilities for more than 700 customers. HackerOne’s payouts for hackers are also rather high. So far, the company has awarded over $13 million in bug bounties, $7 million of which was awarded in 2016, according to a press release.

A 2016 study by the Ponemon Institute found that the average consolidated total cost of a data breach is $4 million, while the average cost of a breach in the US is $7 million. Bug bounty programs such as HackerOne have their skeptics, though, with security analysts and even founders of bug bounty startups saying that these programs are by no means a silver bullet for cybersecurity issues.