Everybody who signs up for HackerOne has to provide information. As an example, we have to collect tax information to be able to pay them. Some of our customers require background checks of these people. Similar to the U.S. DOD, we conduct these background checks all around the world to ensure the identity of people before they are even given access to certain systems. At the end of the day, most of the systems that are part of the organizations are publicly facing, which means that everybody on the Internet can already attack them.
To go back to the point that I made earlier, that if there's one person who wants to do bad, there are multiple orders of magnitudes of people who want to do good. If we give them them the same incentives as criminals have to find those vulnerabilities, we believe that even if somebody outside of HackerOne finds that vulnerability and doesn't disclose it, there are enough people to find the exact same vulnerability and report it to the vendor directly.