“You don’t get paid for donating blood”
The Devil, somewhat unexpectedly, crops up in conversation with Mårten Mickos, and when you add the barely constrained glee with which he says “we’re building a hacker army!” it’s briefly tempting to imagine the HackerOne CEO as Bond villain: he could look the part; square-jawed, imposing, villainous Finnish accent…
As he sees it, however, if the security world is a Manichean struggle between Black Hats selling zero days to the highest bidder for nefarious purposes (or just breaking and entering for fun) and White Hats disclosing vulnerabilities for bug bounties, HackerOne’s army of White Hats is firmly on the side of the angels.
“The media loves to write about all the bad in the world. They forget that there’s a lot of good in the world. If a bad player is ready to pay a million for a zero day; to secretly sell it to some terrible government, we don’t need to offer anything near that figure to get that same vulnerability. There are many good people out there who would much rather sell it for less, but see the issue resolved,” he says.
He leans forward in the company’s London offices, wiggling his fingers in the air to emulate a malevolent spirit: “Somebody like the Devil will be there going: ‘Don’t you want the million? Don’t you want a million?’ Many people will say: ‘No! I don’t want to live with that! If we get £200,000 from HackerOne that will make me happy’.
“That’s why I believe that over time we will obliterate that business,” he says, sitting back happily, “not yet, but we will do it, because if you play this game by ‘what’s the ratio of goodness to badness’, we win, because for everyone who chooses that million and sells the zero day, there will be a growing number who will report it to us.”
Agree or disagree on the vagaries of human nature, or on the appeal of slightly soiled cash, one thing is beyond contesting: more and more companies are seeing the value in crowdsourcing components of their security via bug bounty programmes.
HackerOne is attracting fresh security researcher blood from all over the globe as the buzz builds (India, the US, Russia, Pakistan and the UK dominate HackerOne’s freelance security researcher base, but the company has contributors as far afield as Algeria, Ecuador and Kenya) and its contributing “army”, as a result, now stands at well over 300,000 hackers around the world, with an average of 600 signing up daily.
Mickos, a self-described “serial CEO” who has led nine startups, including MySQL AB, during his time the second-largest open source company in the world, thinks the company’s roster of 1,500 customers (which includes the Pentagon, Microsoft, Goldman Sachs, IBM, Toyota and many more) represents just the tip of a lucrative iceberg.
“We are constantly thinking, as a company, ‘what can you do if you have the world’s largest, strongest army of hackers? What are all the things you can do with their help?’ That’s why we have rolled out a crowd-sourced pen testing offering, and we have other services lined up that we will launch; we’ll have a whole battery of services that customers can choose from, and then we’ll just keep growing like crazy.”
As for those comments about the zero day market, most of HackerOne’s programmes are still “app sec”: they pay for vulnerabilities specific to a customer’s own application or website rather than for “generic” zero day exploits in widely used software. But the industry is evolving fast, and he sees broader bounty programmes opening up as results get recognised.
“The model will evolve. The practice of reporting unauthorised actions; of what and how you disclose and how you report will all evolve… There is so much potential”
Rewind: What is HackerOne?
HackerOne, to those unfamiliar with the company, is a venture capital-backed startup founded in 2012 that provides crowd-sourced security for software (and increasingly hardware) companies. It acts as a middleman between companies wanting an application, a website or a chipset tested for security weaknesses, and a pool of freelance hackers, to whom it has now paid out over $42 million in bounties.
As Mickos puts it: “The capacity of the human being to produce problems is truly unlimited. It’s only when humans stop making software that we won’t have vulnerabilities… HackerOne is a sort of ‘software neighbourhood watch’.”
At the entry level the company’s platform does little vetting up front: security researchers sign up to participate with minimal fuss or screening, and build a reputation through the reports they file. Companies can then choose whether to make their bounty programme open to all, or restrict it to a select coterie of hackers cherry-picked by HackerOne as ‘elite’. Participants who find vulnerabilities file a bug report and, all things being equal, get paid for doing so, with bounties ranging from pocket money to significantly more. (The company boasted its first millionaire hacker this year.)
“It’s like the Scouts,” the HackerOne CEO says. “You earn your badges and make it up the ranks once you have proved yourself. Some companies might say ‘here’s the scope and we want just 30 of your best hackers to participate’. Others want us to help deliver the scope and everyone to take part. We are incredibly flexible in how we work.”
HackerOne CEO: “It is Completely Voluntary. Don’t Like the Pay? Nobody Forced You to Participate…”
One gripe commonly heard in the security researcher world is that the pay is negligible, or that when a submission is finally made the company or its clients say the bug has already been reported (a “duplicate”). Mickos shrugs off the charge: “It’s the rules of large numbers. If you look at the actual facts, we have helped our customers find and fix over 100,000 vulnerabilities so far. How many instances of that nature [complaints] have we had? Like a thousand maybe. So as a percentage, it’s nothing!”
“This is a stochastic model. It’s not about the individual. Of course everything is produced by an individual, but the power of this model is in the volume. And it is completely voluntary. If you don’t like the pay then don’t hack! If you can’t stand the response of your report being a duplicate, then don’t file any reports. Nobody forced you to do that.” He softens his tone: “Great hackers are impatient. And the more upset they get the more it is a sign of them having good intent. They’re idealists.”
The Invisible Hand
Another criticism: that the rise of bug bounty programmes incentivises the offensive side of the cybersecurity world at the expense of the longer-term defensive side. On this view it shifts focus away from the need to bake security into software earlier in its lifecycle, and fixes security researchers’ attention too firmly on the potential pot of gold at the end of a big-bug rainbow.
Mickos again, shrugs: “There’s always naysayers and sure, the model isn’t perfect. But we have an invisible hand at work, the pricing is competitive; it’s a self-regulating system. Prices will settle at what the market can bear and what makes sense and [companies decide on where they need to focus accordingly].”
Critics or otherwise, HackerOne is growing fast. A team of 120 last summer has doubled to 240 now. As Mickos puts it: “We’re trying to grow the business as quickly as humanly possible.” The company has raised $74 million from investors thus far and, the CEO tells Computer Business Review, still has a substantial chunk of that left, although it plans to go back to the markets to fund further expansion.
“We are well-funded and can keep going for a long time. But we also believe that this is a market where capital injection will allow us to grow even faster at some point. We will bring in the next round of funding at some point and we will build this into the most magnificent company with people who are committed to the mission.”
With a new office in Singapore, he won’t say precisely where the next physical footprint for HackerOne might be: “It could be South America, Europe, Asia; it will be somewhere with a good engineering and security footprint.”
Herding Cats (and Hackers)
How did this Finnish engineer, who moved to San Francisco in 2003, wind up in charge of this startup? And how did he feel when first approached, given that he has little background in security? Mickos admits he was initially hesitant: “I got a call from one of the investors who told me ‘Mårten, I have the most phenomenal startup for you to run’ and he said it is in the cybersecurity space.”
“I said ‘no! cybersecurity is full of cynical, pessimistic people who are just looking for problems’. That was my initial, emotional reaction. But I agreed to meet the founders and I realised that it is based on such a positive way of addressing security: one in which bad news is good news, and I had some attribute that made me a good fit. At MySQL, for example, I’d learned to operate in a community of voluntary, open source contributors; a model where you can’t force anyone to do anything.”
Culturally, he admits, there remains a lot of work to do: “Hackers traditionally haven’t trusted the companies. They think they’ll get sued. The companies haven’t trusted the hackers: they think they’ll do something bad. So we have figured out a way to connect this community of people, who are super intelligent individuals who may use more colourful language than you’d expect in the corporate world, and professional organisations, who are traditionally risk-averse.”
“But people don’t like to hear about their weaknesses still. It takes confidence in a company to admit an issue and be open to receiving feedback. There’s a big mental shift that needs to happen still, but we see it changing…”
As it happens, HackerOne aims to be there both to facilitate that shift and to capitalise on it: “We have 1,500 programmes running on our platform. How many companies make software? 100,000? 500,000? That’s the order of magnitude of the market. Bug bounties are becoming an essential part of the software development lifecycle. The market for us is 100,000 customers, 200,000, 300,000 customers. It’s the tip of the iceberg.”
The US, he acknowledges, is ahead of the UK when it comes to market maturity, particularly the federal government, where competitive events like “Hack the Pentagon” are now a staple of the security calendar.
With the NCSC (the UK’s National Cyber Security Centre) beginning to roll out programmes in the UK, Computer Business Review puts it to the HackerOne CEO that, on the government side at least, these remain tightly circumscribed and don’t actually pay out a bounty.
He’s quick to respond: “Saying ‘I hacked the UK government’ is a pretty cool thing to say. That is the reward. In society we have many functions where you don’t get paid for your good deeds. You don’t get paid for donating blood. You don’t get paid for your contributions in open source. But there’s a great community of people who want to help the good guys and while, yeah you’re right, over time every hacker should be paid money for what they do, this market is just getting started. And as a job, working with brilliant people, making the internet safer? I love it!”