Marten Mickos, a veteran executive with companies from MySQL to Sun, Nokia and HP, was not particularly excited about his meeting to explore a leadership role with HackerOne, a fledgling security company. Security is hard, it’s unpleasant, it doesn’t work very well. But he perked up fast after learning about HackerOne’s crowdsourced model of finding and fixing security flaws – a model in which HackerOne plays a key matchmaking role between companies and ethical hackers in a rapidly growing marketplace of skills and needs.
After all, Mickos – who joined as CEO in November, 2015 – knows well the power of crowdsourcing, having served as chief executive of open source companies Eucalyptus and MySQL. In this conversation with IDG Chief Content Officer John Gallant, Mickos explains how the HackerOne system works and how companies get started. He talks about the company’s bug bounty platform for private and public-facing projects, and discusses how it can be expanded to tackle other big security problems in the future. Mickos also explores what attitude adjustments are required from mainstream companies in order to embrace crowdsourced security.
Exactly what does HackerOne do? Explain how it works for our audience.
HackerOne helps you find vulnerabilities in your internet-facing systems. We do it through a unique model where we have a community of researchers and hackers around the world who will hack you on your request and they will send you a report outlining what they found. You send them money as a thank you if the report was useful. If it wasn’t, you pay nothing.
It’s a phenomenon in the geek economy where you tap into the vast resources around the world to solve a problem for which you will never have sufficient staffing in your company. No matter how large you are, you can never have a security team large enough to find every conceivable vulnerability. But the hackers out there will and they are happy to help you. They are called white hat hackers because they have good intent and they will do no harm. These are good people who are eager to help and in return get a payment, a bounty from the company.
Let’s talk about how you enable that. I want people to understand the tools you provide and the role that you play in the middle of that transaction between that white hat hacker and the company.
The first thing you do is you open up an email address for security at your company, say security at Twitter.com, security at Uber.com. People can send in their observations there and you deal with them. That’s the lowest level. We have a software platform that actually handles that for you. When the email comes in it doesn’t go straight into your inbox, it goes into HackerOne’s system. It gets scored, it looks at who sent it, it knows whether it’s an experienced hacker or a new one and you have a much better way as a company to assess how important it is.
From that we build the platform out to handle all the workflow - the scoring, the reporting, the payments back to the hackers, all the analytics you may need. We integrate it with your own systems like a Jira or GitHub and other tools that you use for your software development lifecycle. It’s a Software-as-a-Service offering that automates the handling of incoming vulnerability reports and dealing with them.
How does a company go about determining the price for uncovering security vulnerabilities? Do you help them set that pricing?
Yes. We have transacted over $10 million in bounty payments so far. We have the world’s largest database of payments now so we know what the going rate is and we make recommendations to our customers so they can stay exactly on market price or go a little bit higher if they want to reward them more. In the specifics of pricing the bounty there are three main factors that influence it. Number one is the scarcity of the vulnerability. Some vulnerabilities are very common, like cross-site scripting vulnerabilities, and they pay reasonably well but not that much. Scarce ones pay much more because they are more difficult to find, like a SQL injection or remote code execution.
That’s one dimension, the scarcity of the technical type of vulnerability. The most influential parameter is the severity. You can determine whether this could have resulted in a severe breach if it hadn’t been fixed and then you pay accordingly to show that you recognize the value of the report. The third dimension is that each company sets their own ambition level. There are companies who want to stay on average prices always: “We don’t want to underpay or overpay, just the average price and that’s it.” We have other companies who want to be a leader here: “We will always pay more than the average to show the hackers that we appreciate them and because we want the best hackers to always pay attention to us.”
If I’m a hacker, how do I figure out what’s the best thing for me to be spending my time on?
We have over 70,000 hackers and security researchers signed up on our platform. If you are one of those - or if you are signing up - you go to our list of programs and you start looking at them to determine where you will start pointing your resources, where you try looking for a vulnerability or a bug. You can see the profiles of each program and determine the ones that pay the best or that respond the fastest or are the newest programs or the oldest programs. Every hacker will have their own recipe for how to find them and once you build a good reputation, you will even get invited into what are called private programs with companies who don’t invite everybody but who selectively invite specific hackers with specific skills.