HackerOne CEO Mårten Mickos on the importance of bug bounties in an internet without parameters

A small idea often sparks something great – at least, that’s what happened in the case of HackerOne.

In the seven years since Dutch hackers Jobert Abma and Michiel Prins launched what would become the world’s biggest international bug bounty platform, much has happened.

March 2016 saw the first Hack the Pentagon program in partnership with the US Department of Defense, and earlier this year HackerOne announced its first ever million-dollar hacker.

Organizations around the world have now paid out more than $42 million in bug bounty rewards, which has attracted more than 300,000 security researchers with the mantra, ‘Together we hit harder’.

The Daily Swig caught up with HackerOne CEO Mårten Mickos at Black Hat Asia last month to discuss the ongoing task of building trust between hackers and businesses, and plans for 2019.

Are you finding increased interest from governments and businesses within Asia to launch their own bug bounty programs?

Mårten Mickos: Yes, and we think this interest will grow across the globe in every industry for the next decade.

We’ve touched less than 10% of the market – probably less than 5% – so although we are very successful, if you just look at the numbers we have only 1,500 customers at HackerOne, and there are 150,000 organizations or more that should be our customers. There’s so much ground to cover.

Now we’re learning that the central governments in nations are a good starting point, because they see the danger of not doing anything and they take action. And then tech companies, and then financial services, industrial companies, travel, accommodation, retail, several segments. This will be enormous, you know?

How do you encourage these companies and governments to take part? Are you finding that you’re reaching out to them, or are they coming to you?

MM: They come to us. Our strategy is that we know we represent a very novel model that is amazingly productive and effective, but it’s also new to our customers. They look at it and don’t really know how it’ll work, and they have some worries.

We start by serving those who come to us voluntarily and have realized on their own that this is the path to take, and then we expand. So we do educate our customers, and we engage in a discussion about what the new style of cybersecurity is like.

We had an old world where cybersecurity was parameter-based. Well, there are no parameters anymore. The old world was secrecy-based – that was the big mistake. Openness is the only way to build security.

In the old world, you gave security access only to a small group of staff with clearance… well, that was stupid. It needs to be done by everybody, and you need to invite everybody.

All these psychological shifts are happening now, and the companies, the organizations, that see that light of the new model, they’ll come to us. But until they see that, they are too afraid to really come to us.

Where did the idea for HackerOne originate?

MM: Like many, or maybe most, great companies, they start with something that the founders didn’t necessarily think was that big. Two Dutch hackers come over from San Francisco to start hacking companies. They said, “Hey can we try to hack you? If we can’t find anything, we’ll treat you to a cake”.

They never had to buy the cake.

Is it difficult building trust between yourselves, hackers, and the companies who use the platform?

MM: Well, this is our business. We are nothing but a platform, or a place where people come together who otherwise wouldn’t trust each other. Companies who sign up [to the program] agree not to go after the hackers, and hackers who sign up agree not to do anything criminal or damaging to the customers.

There’s a promise on both sides, and this is a common construct in business, where if you’re lending out money to someone you don’t know, there’s a bank in the middle that establishes trust both ways and then you know, “Okay, this bank I can trust so I can give them my money”. They can give it on to someone else, I don’t need to worry about that other person. So it’s a similar construct and its working very, very well.

Of course, you can always ask: “How did it start, who was the first one to trust somebody?”

For that you need a very brave organization and some brave hackers. But once you have that starting point, it starts growing by itself organically, and now we’ve been serving the US Department of Defense (DoD) for over three years. [Now] it’s obvious to anybody that you can trust it – if DoD trusts us, then probably you could, too. By now, if you’re rational about it then you realize it’s working, you can trust it.

You don’t have to base that assumption on just what HackerOne is doing. You can look at other vendors who are doing the same – Microsoft, Google, and Facebook are running their own giant bug bounty programs and they trust the hackers. There’s sufficient evidence all over the place if you’re just ready to see it.

What’s top of the agenda for HackerOne over the coming months?

MM: We [will] continue to expand on all the avenues we’ve expanded before: going deeper into new verticals into new geography, serving our customers more.

What’s new for this year is that we have a time-bound bug bounty program, which essentially is a hacker-powered pen test that we’re now selling. At the end of the pen test, we give you a report – similar to what you get from a traditional pen test.

Now we’re out there showing that hackers can outperform a traditional pen testing company. And, of course, many of the hackers are pen testers in their day job, but they’re a more diverse group, they’re paid by results not by the hour, and it yields better results, even by the same people.

We have set the bar relatively high. We want to make sure it’s a really high-end pen test. It’s possible to buy a cheaper pen test if you don’t care about the results, [but] we don’t engage in that low level of pen tests just for the sake of a checkbox – we do pen tests for the sake of improving your security. That’s the distinction.


RELATED Bounty hunters: How can we ensure responsible disclosure?