


IDG Enterprise Consulting Director

HackerOne CEO: ‘We’re building the world’s biggest security talent agency’

Sep 28, 2016 | 23 mins
Data and Information Security, Data Breach, Hacking

Marten Mickos is crowdsourcing security with a growing army of ethical hackers who can help your company if you’re ready to adopt a new security mindset.

Marten Mickos, a veteran executive with companies from MySQL to Sun, Nokia and HP, was not particularly excited about his meeting to explore a leadership role with HackerOne, a fledgling security company. Security is hard, it's unpleasant, it doesn't work very well. But he perked up fast after learning about HackerOne's crowdsourced model of finding and fixing security flaws - a model in which HackerOne plays a key matchmaking role between companies and ethical hackers in a rapidly growing marketplace of skills and needs.

After all, Mickos - who joined as CEO in November, 2015 - knows well the power of crowdsourcing, having served as chief executive of open source companies Eucalyptus and MySQL. In this conversation with IDG Chief Content Officer John Gallant, Mickos explains how the HackerOne system works and how companies get started. He talks about the company's bug bounty platform for private and public-facing projects, and discusses how it can be expanded to tackle other big security problems in the future. Mickos also explores what attitude adjustments are required from mainstream companies in order to embrace crowdsourced security.

Exactly what does HackerOne do? Explain how it works for our audience.

HackerOne helps you find vulnerabilities in your internet-facing systems. We do it through a unique model where we have a community of researchers and hackers around the world who will hack you on your request and they will send you a report outlining what they found. You send them money as a thank you if the report was useful. If it wasn't, you pay nothing.

It's a phenomenon in the geek economy where you tap into the vast resources around the world to solve a problem for which you will never have sufficient staffing in your company. No matter how large you are, you can never have a security team large enough to find every conceivable vulnerability. But the hackers out there will and they are happy to help you. They are called white hat hackers because they have good intent and they will do no harm. These are good people who are eager to help and in return get a payment, a bounty from the company.

Let's talk about how you enable that. I want people to understand the tools you provide and the role that you play in the middle of that transaction between that white hat hacker and the company.

The first thing you do is you open up an email address for security at your company, say security at, security at People can send in their observations there and you deal with them. That's the lowest level. We have a software platform that actually handles that for you. When the email comes in it doesn't go straight into your inbox, it goes into HackerOne's system. It gets scored, it looks at who sent it, it knows whether it's an experienced hacker or a new one and you have a much better way as a company to assess how important it is.

From that we build the platform out to handle all the workflow – the scoring, the reporting, the payments back to the hackers, all the analytics you may need. We integrate it with your own systems like a Jira or GitHub and other tools that you use for your software development lifecycle. It's a Software-as-a-Service offering that automates the handling of incoming vulnerability reports and dealing with them.

How does a company go about determining the price for uncovering security vulnerabilities? Do you help them set that pricing?

Yes. We have transacted over $10 million in bounty payments so far. We have the world's largest database of payments now so we know what the going rate is and we make recommendations to our customers so they can stay exactly on market price or go a little bit higher if they want to reward them more. In the specifics of pricing the bounty there are three main factors that influence it. Number one is the scarcity of the vulnerability. Some vulnerabilities are very common, like cross-site scripting vulnerabilities, and they pay reasonably well but not that much. Scarce ones pay much more because they are more difficult to find, like a SQL injection or remote code execution.

That's one dimension, the scarcity of the technical type of vulnerability. The most influential parameter is the severity. You can determine whether this could have resulted in a severe breach if it hadn't been fixed and then you pay accordingly to show that you recognize the value of the report. The third dimension is that each company sets their own ambition level. There are companies who want to stay on average prices always. We don't want to underpay or overpay, just the average price and that's it. We have other companies who want to be a leader here. We will always pay more than the average to show the hackers that we appreciate them and because we want the best hackers to always pay attention to us.

If I'm a hacker, how do I figure out what's the best thing for me to be spending my time on?

We have over 70,000 hackers and security researchers signed up on our platform. If you are one of those – or if you are signing up – you go to our list of programs and you start looking at them to determine where you will start pointing your resources, where you try looking for a vulnerability or a bug. You can see the profiles of each program and determine the ones that pay the best or that respond the fastest or are the newest programs or the oldest programs. Every hacker will have their own recipe for how to find them and once you build a good reputation, you will even get invited into what are called private programs with companies who don't invite everybody but who selectively invite specific hackers with specific skills.

Those are still conducted through your platform, those private bounty programs?

Correct. We have over 600 programs running and roughly speaking, two-thirds of them are still private. Many of them go public after a while. Uber went public after having been on our platform for a while. Yelp is the same and we have others preparing to open up their programs to the wide public.

Typically, a company starts off private and then goes public?

Typically, but not always. General Motors started immediately with a completely public program.

Looking at the customer list on the site, a lot of those names are very familiar to anyone in the internet economy. What you don’t see is as many more typical enterprises. Is it a hurdle for your company to get the GMs of the world to understand that this is a tool that they should be using and it’s not just for the Ubers and the GitHubs and the Dropboxes of the world?

Yes, absolutely. That is the shift that’s happening in the market. We do have more traditional and conservative companies, many of them on private programs so you don’t see their names in public. But you are absolutely correct that the practice of bounty programs was invented among cloud companies and it’s now spreading to anybody who has software – and today everybody has software. Conceptually, I feel it’s similar to what happened with open source software where the first users of open source were the internet companies. Yahoo backed it at the time and Google and now it has spread into every company.

Even the most conservative, traditional enterprises are using open source software and building on top of it. We see a similar shift now happening in the security space although it is happening faster. I think the Hack the Pentagon program we did for the Department of Defense shows that even the most conservative, largest, strongest organization is now seeing that this is needed.

Can you go into detail on that DoD program?

It was a program they invented, named Hack the Pentagon, and they reached out to HackerOne to run the program for them because they had seen that external hackers can be extremely useful in identifying vulnerabilities. We established the program for them that lasted only a few weeks. It was technically a pilot program and they thought we would have maybe a few tens of hackers and we would find maybe a handful of vulnerabilities but it went beyond all expectations and dreams. We had 1,400 vetted, registered hackers on the program. They found 138 valid vulnerabilities. There was a total over 1,200 reports but 138 were valid bugs that needed to be fixed and the DOD has finally fixed all of them, paid bounties to the hackers and thanked them. It was just a phenomenal success. I don’t think it would have happened without the administration we now have and without the Secretary of Defense, who is very modern thinking and progressive and knows that even the world’s most powerful organization needs to review itself. You need help from the outside.

I’m glad to hear that, being under the defense umbrella of the United States.

It’s funny because they said at one point about the bug bounty programs, we get ahead of the problem and we don’t just have to play defense. I thought that was a good play with words.

What is the low and high range of bounty rewards?

There are some programs that pay absolutely nothing. They just thank you and they work well. If you pay, the minimum is typically $100 for the lowest severity, lowest impact bug. Average is $530 per bounty and the maximum that we have paid on our platform is $30,000 for a single report. But we’ve got a customer who announced that they now increased their maximum to $50,000. They haven’t paid one yet but they stated that $50,000 is their maximum.

Can you tell us what that company is?

I can. It’s an insurance company in Europe, in Finland. Interestingly, the insurance company is also a company that has seen the value of this type of security work and they ran the program for a year and to celebrate the first successful year they increased their maximum up to $50,000.

Is there a dispute mechanism? I’m a hacker and I submit something that I think is legitimate and the company says we know about it or we already fixed that or we disagree with you. Can I dispute it?

Absolutely. There can be disputes that we mediate between the two. Generally, the system is based on trust and market forces, meaning if a company doesn’t pay good bounties or is too slow then hackers will lose interest and not go there so they lose the value of it. It is in their interest to pay well and to pay on time. If there is a question, the hacker can press a mediation button or panic button and we step in and give our best recommendations to discuss with both sides. Every single time so far we’ve been able to resolve the issue to the satisfaction of both sides.

There isn’t a single hacker who isn’t impatient and at the same time, there isn’t a single company who doesn’t think that sometimes they get useless reports. We manage those expectations and we train both sides to live up to the other side’s expectations so that the needs will be met. It’s a marketplace and it functions only when supply and demand agree on something.

Given the threats and the concern about security, will we see the demand outstripping the supply? Do you feel you’ve got such a deep bench of white hat hackers and security professionals that supply and demand are roughly in sync and will stay that way for the foreseeable future?

It is a critically important question. So far we have slight over-supply on hackers but we are ramping up the demand side very fast. The thing is that it takes about two months to get a company up and running but it takes only two days to get the hacker up and running. They come on faster and therefore we have a little bit more hackers than we need but I think we’ll manage to balance it well. We won’t ever run out of hackers. We now know the very specific profile of them. The youngest who come onboard are 13, 14 years old. In a year or two they become amazing and at the age of 17, 18, 19, they can be among our best. It’s a little bit like a sports league that has the young athletic power that is so useful.

With increasing urbanization in the world, increasing internet access, good STEM education in many countries in the world, there is no practical limit to how many hackers we can find. We get them from India, Pakistan, Bangladesh, Russia, all the Russian-speaking countries, Western Europe, the U.S.A., Chile, Argentina. It’s fantastic to see them because you suddenly realize that there are all these mostly young people who have a burning desire to make the world safer and, of course, make some money at the same time. They have such great intent and instincts about this. I don’t think we’ll run out of hackers ever. Just like in open source software, we have never run out of contributors.

If you did start to have that imbalance it would be reflected in higher bounties which would pull more people in as well. Correct?

That is true. It has self-correcting mechanisms and we’ve seen the average bounty slowly go up. We don’t think it will go up anything but slowly but even when it goes slowly it has a profound impact in the world because the volume is so large. We have already, through our system customers have fixed over 30,000 vulnerabilities and bugs. We are already a major, major player in the finding and fixing of bugs.

As programs like this get bigger, as more mainstream companies come into them and rely on that community to help, do you think that it’s going to draw people out of the criminal aspects of hacking because they can make money, they can make a living doing this?

Absolutely. I believe in the goodness of human beings and although we have really dangerous criminals in the world, they are far outnumbered by the good guys, the white hat hackers and anybody who is with them. There’s an attraction similar to the Boy Scout movement when it was started by Robert Baden-Powell a long time ago. He saw young people idle and he felt that if they weren’t given an important role, they might start doing mischief.

It’s similar here in that we have a lot of young men and women who are super intelligent and are not necessarily appreciated by their nearest environment, in school and friends and neighborhoods. We give them an avenue to be useful and to put their intelligence to good use. That builds stronger citizens. I don’t think we are affecting their deep mentality. If they are criminally bent, they’ll stay criminally bent and if they’re not, they won’t. But we give them an avenue that solves a lot of their big questions about life and purpose of life. It has a societal impact and it’s hugely motivating for us working at HackerOne, waking up and knowing that a 15-year-old kid somewhere is paying his school tuition thanks to this and becoming a useful citizen in some remote city somewhere in the world. It’s really a reward.

I wanted to ask you about the security aspects of what you do because, obviously, there are a lot of people who would love to know about the vulnerabilities that people are finding and reporting through the system. How do you protect that information?

We have built our platform in a secure way so that even we ourselves do not have access to the reports being filed. Of course, when somebody files a sensitive and severe vulnerability report, that’s hot stuff, and it’s only the customer and the hacker who can see it until they then decide to open it up. We protect our website in all possible manners. We protect the database in all possible manners and, of course, we run a bug bounty program ourselves. We are, of course, a very welcome target because nothing is going to give a hacker more satisfaction than to find a vulnerability in the company that is fighting them. We have extra scrutiny from the best hackers in the world and it has worked very well and we have a very safe system to store them.

I also want to mention that ultimately, when the vulnerability has been fixed, we encourage customers to publish the report. Nearly 10 percent of all reports have been published to the whole world so as a hacker, as a security team, as a software engineer, you could learn about what’s wrong with the internet and you can build better software. It has a sort of regenerative effect on the software development lifecycle that we publish. There are customers who publish the full report with all the discussions and then others can learn from it.

I wanted to go back to this theme about mainstream companies. If I’m an established insurance company or a financial or manufacturing company, how do I get started?

The best way to get started is to contact HackerOne and get the advice on running a small, private program with a few hackers on a small attack surface. You define the scope very narrowly to get trained on a small area before you open up the scope or open up the invitations. Mentally, the company must have the confidence to admit that there are vulnerabilities and that they’re interested in hearing about that. That’s a mental shift and not all companies have gone through it. I’ll compare it to the medical checkups human beings should do every year. We have human beings that don’t do that, who don’t want to know what’s wrong with them.

It’s similar with companies. Some companies go into denial, they’d rather bury their heads in the sand than say all software has vulnerabilities, even ours, so we’d better ask for some input. Once you have that mental shift then you just go. You need at least a couple of good security people inside your company who can be the champions of it. You can outsource nearly all the work to HackerOne or somebody else but you need to have somebody driving it. You need a CISO or a security or cybersecurity, product security person or team who will drive it internally and always with a mandate from the top. This will work best – or work only – when the CEO is saying yes, this is important to us. The deal size or the magnitude of the process doesn’t necessarily require CEO attention, but because it has quality implications in most of our successful cases it’s the CEO who said let us do this.

Is most of your business inbound now or are you actively selling? I’m trying to understand the mechanics of getting this more visible and getting more customers.

You are very right that so far it’s nearly all inbound. We do have a sales team which helps people but we don’t do much marketing yet. We have a website and we do marketing communications but that’s it. Nearly all the leads we get today are just inbound. Companies reach out to say: Hey, we’ve heard about bug bounty programs, we’ve seen Hack the Pentagon, we’ve seen Uber, we’ve seen Twitter. We want to do the same. Then we engage with them and bring them on board. That said, as we see this practice getting acceptance all over society, even one of the presidential candidates is advocating for this. With that sort of acceptance, we are now expanding our marketing function to proactively reach out to those who may not have thought about it or may not know how quickly you can get good results from this.

Are you competing against other companies that are offering similar capabilities or do you feel that you’re competing more against existing bug bounty programs that companies already have?

It’s a healthy ecosystem with good competition out there so I’ll list it for you. Number one is non-consumption, meaning companies who don’t do anything like this but should so we compete against their lack of action in this field. Number two is do-it-yourself programs. Some of the largest companies run their own bug bounty programs. We respect that and we don’t really worry about it. Microsoft, Facebook and Google, they run their own programs and they are currently fine with that.

Then there is the world of vendors who help you and here in the neighborhood of Silicon Valley there are three more players in this space. There’s a company called Synack. They run a bug bounty program. They have a different methodology where it’s more secret, even closed and not driving the openness and global scale that we do. There’s a company called, an innovative company in this space but small as well as it doesn’t have that many customers yet. And there’s a company called Bugcrowd that built service around bug bounty programs that they fill. Those companies we will encounter occasionally and when we win it is because we have by far the largest community of hackers and we have by far the most active marketplace. We pay four times, maybe five times more bounties than anybody else in this space.

Do you see that this would ultimately replace the individual bug bounty programs that we’re familiar with at a lot of these major tech companies in particular?

Yes, I think we will be heading there because when it comes to bug bounty programs, diversity yields results, meaning a diverse group of hackers will find elusive bugs that the small group won’t find. Therefore, the one with the largest hacker community will offer a quality that others cannot offer. We will get to a point – and not too far in the distance – where people will say: I love my own bug bounty program, it’s doing well, but HackerOne has so many more hackers that if I join there I will get better exposure, better diversity among the hacking and better results. The whole concept of having the marketplace is very well justified because we are pooling the resources of every capable hacker in the world into one marketplace.

You’ve been in nine months. What surprised you the most about this since you joined?

When I was asked to take a look at the company before I even was contemplating it, I had to drag my feet to the meeting with the owner of a security company. All they talk about is pessimism and dangers and bad things that have happened and then they sell you a lot of devices that don’t really produce value. The devices produce a lot of false positives so you have a lot of stuff to work with. It’s just really negative in spades. Then when I met with the HackerOne founders, in about two seconds I just leaped up completely when I realized the business is based on crowdsourcing and the power of the human being and you pay only for results and all the wonderfully constructed aspects of the business. I came away completely sold after just one meeting.

Then when I joined the company, I did not know that hackers can be young. I thought that it takes 10 to 15 years to become the world expert and that’s true. Our really top earning hackers have been doing it for 15 to 20 years. But I was so blown away by the teenagers who in a year would learn so much that they could rise to nearly the top of the HackerOne community. They are such wonderful human beings that it’s really touching. You talk to them, you listen to them and realize we’re a different generation. They grew up in the internet. Boy, do they understand this and boy, are they good at it. That’s really fascinating that every week there’s something amazing going on there. It’s interesting to look at the founders and their stories. Two of the four founders were hackers in their teens in Holland and then built that skill from young teenagers up to now being 26-year-old co-founders of HackerOne and still very much tuned in.

Do you see opportunities for expansion beyond bug bounties? Would you do something like penetration testing or are there other areas where you can bring that kind of community capability to bear on the security problem?

Absolutely. I think it’s only a question of time. I don’t know how long the time is but it’s a question of time. We are essentially building the world’s largest security talent agency and bug bounty programs are wonderful because they have an immediate business model where most of the money goes to the hackers. We make very little off the bug bounty program compared to what the hackers make. It’s a wonderful mechanism but there are other things. We can do pen testing, we can do private programs and we can do special hackathons which we already do. Some people find full-time employment through HackerOne because they build up their profile and people see what they know. I think we will find many users for the skills of this army or fire brigade or scout troop or whatever you will call it. We hope that we can be the marketplace and the conduit for finding customers for them or finding hackers for the customers.

Marten, anything else you wanted to cover?

We didn’t discuss the technical scope; that we started with web applications and now we’re going into mobile apps, APIs, IoT, vehicles and so on. That may be a topic for another discussion but I’ll leave that as a placeholder and hook for whenever we chat next.