The bug bounty platform believes it will draw 10 times more hackers than it does now and quadruple the number of bugs found and fixed, all in the next three years.

Bug bounty platform HackerOne announced this week that it hit $20 million in payouts, but it’s not stopping there.

HackerOne CEO Marten Mickos said in a blog post this week that he wants to quintuple payments, quadruple the number of bugs found, and increase its workforce by a factor of 10—all by 2020.

It’s an ambitious goal, but Mickos believes his platform, and bug bounties in general, are the future of cybersecurity. They’re cheaper to pay than QA teams, more effective than internal testing, and could save organizations an estimated $10 billion a year.

Take the US Department of Defense (DoD) as an example. It contracted with HackerOne, whose members found bugs amounting to $300,000 in payout. Former Secretary of Defense Ash Carter said that if the DoD had gone about finding those vulnerabilities in a normal way it would have cost more than $1 million.

Hacker-powered security: Is it the future?

Mickos believes that cybersecurity is in a lousy state right now, and that employing skilled, ethical hackers to find flaws is the best possible solution. “Vulnerabilities that go unnoticed by scanners and other expensive security products are more quickly and more cost-effectively found by ethical hackers,” he said.

Add to that the fact that hackers aren’t getting paid unless they’re finding bugs and you have a recipe for faster discoveries, less cost upfront, and, as Micklos said, “you [end up] just one step away from a fix.”

Right now HackerOne is sitting at $20 million paid out, 100,000 hackers in the program, and 50,000 bugs found and fixed. Getting to $100 million, a million hackers, and 200,000 bug discoveries is a tough goal in three years, but it just may be doable—especially when the incentives are good for hackers as well.

A highly skilled hacker living in India, where a number of HackerOne’s hackers reside, can make 18 times the salary of the average software engineer, according to Mickos’ blog post. That’s an attractive proposition for anyone living anywhere.