HackerOne CEO Mårten Mickos takes stock of another landmark year for bug bounty platforms

On April 18, 2016, the Department of Defense marked a new direction for the US federal government, as it invited hackers to test its public-facing websites for security vulnerabilities for the first time.

It took just 13 minutes for the first vulnerability report to arrive. Six hours later, that number had grown to nearly 200.

By the end of the month-long Hack the Pentagon pilot program, the DoD said hackers had discovered 138 unique flaws across its sites, and that it would award $75,000 in total bounty payouts.

Given the success of the initial pilot, the DoD – in collaboration with bug bounty platform provider HackerOne – announced it would expand these programs to other departments. And not long after, the US government’s first permanent vulnerability disclosure policy was set in place.

Over the past two years, Hack the Pentagon programs have paid out more than $500,000 to hackers for helping to safeguard critical services and data across a range of DoD websites and applications.

And while the decision to declare open season on some of the world’s most valuable internet real estate might have sent shivers down the spines of some uninitiated Pentagon officials, it’s clear that the DoD has been quick to realize that benefits bug bounty programs can bring.

Just two weeks ago, the department unveiled plans to expand the Hack the Pentagon digital defense program, bringing bounty platforms Bugcrowd and Synack into the partnership.

Reflecting on the momentum started by HackerOne in 2016, CEO Mårten Mickos said: “With every iteration, government programs are becoming more open, more inclusive, more diverse.”

As another landmark year for bug bounties draws to a close, The Daily Swig recently sat down with Mickos, who discussed the company’s approach to hacker education, inclusivity, and changing perceptions of bug bounty programs in 2018.

As bug bounties become increasingly popular around the world, how much focus does HackerOne place on education among the hacker community, and particularly those inexperienced bug-hunters looking to improve their skills?

Mårten Mickos: Our strategy has many building blocks, and education is one of them. We look at our hacker community as a pyramid with a very broad base of 250,000 hackers and a very sharp peak [which represents] the best hackers in the world.

When we nurture and manage the hacking community, we think about how to get each of these 250,000 to ultimately become a Frans Rosen or a Mark Litchfield. And to do that we do a lot of training, education, and informative services so that they can learn.

Most of [the hackers] are self-taught, so it’s not clear that formal education will be good for them. But we will provide it and we will also help them self-learn as much as we will teach them.

We are broadening the base to get more top hackers, and to get them from the base all the way up we have to provide education.

This is a priority for us, and we are experimenting with different things. We have the Hacker101.com site with the videos, we post blog posts, we answer questions on Quora, and we work with some universities on their cybersecurity courses to enable them to train people.

And what about those who aren’t actively involved in the hacking community – do you feel HackerOne has a role to play when it comes to dispelling the myths surrounding what a hacker is or what a hacker does?

MM: I think so. This is not necessarily based on a business consideration, but we are strongly mission driven. There is nobody employed at HackerOne who doesn’t think about our mission – our mission to empower the world to build a safer internet. And we thought we had to stand up for the world ‘hacker’, we must put it in our company name, we must contact the Oxford English Dictionary when it contains a negative flavor of the definition. ‘Hacker’ is a good word.

We do these things because we are so passionate about what we do. I don’t know whether this makes business sense, but life is about more than business. So, yes, we try to be part of the societal discussion.

In the old world, you would say government is one thing and business is another thing and they shouldn’t mess with each other. I think now, as the world is shifting into a digital civilization, we need both sides to work together, so we are taking more of a societal standpoint and role.

For example, in February we were invited to testify before the US senate on bug bounties and vulnerability disclosure. We didn’t have to do that, but we felt that it was a great opportunity to get it into the official record.

Bug bounties are a new and disruptive model. It’s obvious to the hackers how it works, but it’s not obvious to society. Of course we have a business to run, but we want it to make sense far beyond the dollars we make.

Can you provide any stats relating to the current size of the HackerOne platform?

MM: When I joined in 2015, the founders said, ‘We have such a huge hacker community! We have 16,000 hackers!’ And I was like, ‘Wow that’s so amazing, what a wonderful success’. Less than three years later, we now have over 250,000 hackers – and this will keep growing.

We currently have around 1,400 customer programs running; we have helped our customers identify and fix 85,000 vulnerabilities; and we have paid out $39 million in bounties. Those are the key statistics so far in 2018.

In many other sectors, competition is largely viewed as a good thing for consumers and a driver of business innovation. Can the same be said for bug bounty platforms? What are your thoughts on competition in this space?

MM: I’ll give you a conflicted answer. When I speak as the CEO of HackerOne I will, of course, try to make sure we can serve every customer on the planet and that nobody needs anything else. That is our goal.

However, when I look at the market, I do think competition is useful. When I try to understand how [the bug bounty market] might evolve, I look for similar occurrences in the past and think, ‘Maybe this market will evolve as that other market did.’

The one thing I most often come back to is the market for Linux distros. Back in 2000 you had Red Hat, SUSE, Conectiva, Mandrake, and a few more. And then you had a long tail of tiny players.

Now, 20 years later, Red Hat is by far number one, but SUSE is still around. Canonical has emerged, and there’s Kali Linux, Debian, and many others. So I’m thinking that maybe this market will evolve similarly.

There’s place for a strong leader and there’s room for small competitors and alternatives, and this will probably be helpful for everybody.

Of course, there’s a certain benefit to having all things on one platform, because then the hacker gets their score collected in one place. But the world is never completely systematic and rational, and there are always those who, out of principle, want to do it in their own way and need an alternative.

Some security researchers have previously expressed their frustration at bug bounty programs that are ambiguous or limited in scope. What are your thoughts on this issue?

MM: I look at it from a positive angle – the fact that they are now on the platform is good news. Now we can start working with them and say, ‘Okay, let’s look at the scope, let’s look at what you have in scope and out of scope, let’s shine a light on particular areas’.

It can take time for both them and us to see what is the best recipe, but we never worry if, in the very beginning, it doesn’t immediately look attractive. We can make it attractive at any point. We can go back to the hackers and say we have changed the bounties, we have changed the scope, here is the treasure map that shows you how to navigate it and do part of the recon for them.

Having so many programs, we will always have some that aren’t in the most beautiful condition, but this is transient, and we can fix it. The most important thing is to get companies to say they are open to input from the external world – have them make that promise publicly. Once you are there, you can start fine-tuning.

In addition to the expanded ‘Hack the Pentagon’ program, a US legislative panel recently recommended that government agencies should implement vulnerability disclosure programs as a core part of their risk strategies. Have we reached a tipping point when it comes to how governments perceive bug bounties?

MM: The US federal government certainly gets it. Hack the Pentagon is a phenomenon that everyone is paying attention to. We should expect vulnerability disclosure programs to spread quickly among federal agencies. As for ‘tipping point’, I don’t think we are there. Pieces are falling into place, and we are not that far away from a tipping point. But I don’t think it has been reached yet.