Bug Bounties & Beyond: An Interview With HackerOne's Mårten Mickos

Mårten Mickos is the CEO of the popular bug bounty platform HackerOne. He recently chatted with Vincent Liu about his nontraditional background as well as his views on transparency and the need to democratize security.

You can read highlights of the interview in this Dark Reading piece. The long-form version is below.

The Secrets to HackerOne’s Success

VL: Since HackerOne started in 2012 – and even more so after you joined as CEO in 2015 – it has enjoyed remarkable success. Did you imagine when you first joined it would continue to be so successful?

MM: I felt this was an enormous business opportunity and if done well, it could be life-changing. Customers came to us faster than I anticipated. Last year, we expanded while spending less cash than expected. So, we came out of 2016 in better shape than planned.

Before I joined, HackerOne had placed many bets. Remember that every bet will cost you money. At some point, you realize which bets are worth placing. We made major changes and streamlined the things we needed to. Then, our sales exponentially grew. It helps to reduce cash burn when you have customers paying you money! And we adjusted the pace that we paid hackers, too.

VL: Something that really stuck with me was that you expanded your team to not just people from the security industry, but people from other disciplines. What’s your philosophy behind that?

MM: This idea of inclusiveness is something I learned and practiced while working at MySQL years ago. We decided early on that our mission was to make this superior database technology available and affordable for all – people who were in the industry as well as people who were not in the industry. We wanted to give it to everybody. When I came aboard to HackerOne, I had a similar thought. Security experts over the years had created this amazing concept of vulnerability disclosure, which as you know evolved into bug bounty. But it was still being kept as a secret practice among a select few, the “elite.” Not many organizations were bothering with bug bounties. I think we are still finding new areas where there’s unnecessary complexity or seclusion, where people are holding on to things very tight. They say, “Only invited people can come. And you can only come if you speak this language, if you’ve been in the industry for 20 years, if you’re cynical.” We want to break that perception. This is largely why we’ve been so open to inviting people from other industries to join HackerOne. It’s reflective of both our platform and our culture.

Making Security for Everyone

VL: Vulnerability disclosure was something that grew organically over time. The community determined the social norms. How do you make security something that everyone can grasp, Mårten? How do you make security more inclusive?

MM: First, I sense orthodoxy in complex terminology. In the database industry, they developed complex words for everything because it was a small, tightly knit group. In the security space, it was similar. But then we thought, we need to bring the benefits of this to everybody. We needed bug bounty programs to be so easy to understand and to consume that any company could do it. And of course, it is demanding.

"You must commit to it; you must know what you are doing. There is a necessary skill level, but you don’t have to overcomplicate it. You should simplify it."

VL: There’s an analogy with the database world. In the past, anybody who touched a database was almost apprenticed into being a database administrator. At MySQL, it sounds like you made it more accessible.

MM: Yes, we democratized it. This, though, has happened throughout history. Consider when Gutenberg invented the printing press. Books were once the privilege of monks and priests. Then, Gutenberg invented the printing press and said, “Now everybody can read.” Gutenberg democratized reading and writing. We must democratize software security and make it accessible to everybody. That’s why we hired into the company people who are not from the industry. We make the words simpler and more approachable, too. We talk about hackers; we don’t say “security researchers.”

VL: Are there any other orthodoxies that could use some updating?

MM: Another would be visual appearance. We introduced pink into our color palette last year. We wanted to bring in something that would be unusual and maybe shocking. We’ve also decided at HackerOne not to be cynical. We don’t talk about how security is a problem. People know that the sky is falling. But instead of dwelling on that, let’s look at the constructive things we can do.

VL: It’s like the monks and the priests who live in the cloisters. They share the knowledge, and they’ve done amazing things. As time has progressed, it becomes more available to the general population.

MM: You can say to those in the monastery that just because they created the alphabets and writing doesn’t mean they should own every book. There’s pride in knowing you created something. You see this mindset in how we market ourselves. We go to non-industry events. It’s a long-term strategy. The biggest opportunity is the under-served. We are not selling shoes to those who have shoes. Instead, we are selling shoes to those who run around barefoot and that happens to be 99.9% of the world. The founders genuinely want to empower the world to build a safer internet. Think of it as a sports league. Every kid may play soccer or basketball after school, but only a few become superstar athletes. Similarly, everybody should be allowed to try out hacking when they’re young. Some will become experts and later they will become mentors. Hackers are intelligent and curious people.

"It’s a case where society builds people up rather than breaking people, which it can and often does."

VL: It seems to be about giving smart, creative people this desperately needed outlet.

MM: Years ago, people grew up on a farm with siblings. Now, people live in cities. Second, many kids don’t have many or any siblings. They are alone with a smartphone and a laptop. You must channel that energy into modern society. Software is the farming of modern society. We contribute to a society that doesn’t understand how to deal with teenage hackers. I believe that we have more ethical hackers than malicious hackers in the world. Sure, many of them are young so they are learning the difference between right and wrong. But, that’s how they develop a moral compass.

How Bug Bounty is Changing the Industry

VL: How do you envision the impact of bug bounty on the entire security landscape?

MM: Let’s say you get hacked. Then, the government presses charges against the hackers, and you start a bug bounty program to make sure you know about vulnerabilities before they’re exploited. Alternatively, you can start the bug bounty program and save yourself from any pain and humiliation in the first place. There is no perfect solution, though. We can never reach 100 percent perfection, but bug bounty programs are the most powerful way of preventing cybercrime. When you look at the market, bug bounty programs are driven by those who grew up in the digital world. Everybody’s organization is powered on software. Therefore, everybody will eventually need a program like this. It doesn’t mean it’s a Google-sized operation. We enable you to come on board with a small program because open the opportunity for disclosure to everybody is intrinsic to our thinking and strategy.

VL: What are some of the drivers that you see in non-technical organizations?

MM: First, there are a lot of risks. People see that these companies lose value and executives get fired if they are breached. Second, there are stories of success. When you look at companies you admire, they run bug bounty programs. The third is the societal endorsement. You have the FTC and the DOJ and other federal organizations who say you should run a bug bounty or vulnerability disclosure program. There’s a signal from those in charge that if you do this, you are in better shape. Consider the fact, too, that you pay for the results. As a customer, you know that the cost will rise only real vulnerabilities are found.

VL: Do you think there will ever be a backlash against a bug bounty? What about from malicious hackers?

MM: There will certainly be. And I don’t think you can build something of significance without backlash. If you have no detractors, you are not making an impact. We will have situations where a malicious hacker will do something. As a vendor, we must be careful how we handle such issues. We need to keep our database secure. We follow up with our hackers and take disciplinary action if they are meandering from the rules.

An Outsider’s Perspective

VL: I usually speak with Chief Information Security Officers or Chief Security Officers. You are the first CEO who hasn’t come from that background. It’s this alternative perspective that is useful for everybody who reads the column. Comparing traditional software product organizations with a security platform with engineers and hackers, what are some of the more interesting differences?

MM: When I joined MySQL, I didn’t know open source. So, I learned open source. When I joined Eucalyptus, I knew open source, but I didn’t know cloud infrastructure. When I came into HackerOne I knew software from all sides, but I didn’t know security. What is unique about being successful in security is that you must be so detail-oriented and paranoid. But to build something new, you must believe in opportunities more than downsides.

VL: Any other qualities that you have noticed in the security community that stand out? How would you predict that the community will evolve?

MM: I would say endless curiosity. But curiosity leads to opportunity. The security community will eventually stop being segmented. Security is for everybody. At HackerOne, we say if security remains for a few, it will never flourish. Security can only happen if it is on everybody’s agenda.

"You don’t have to be in security, but security needs to be in you."

VL: How about the differences between managing a traditional IT company and a security firm?

MM: Paranoia is the key differentiator. But HackerOne is not an incredibly paranoid environment. We stand for inclusion, collaboration, and power. And that is a more prominent presence than paranoia. We default to disclosure. Many times, we share things that another company would keep in the C-suite. But that’s my background. Growing up in Scandinavia, which is ostensibly the most open society and working in open source for 15 years, it made me comfortable with transparency. And I believe transparency is the only way for society to thrive.

VL: It’s the academic nature of sharing information that allows progress. It’s the collected contributions of the entire community that have gotten us here.

MM: In security, there is a tight link with the academic world. Some companies publish papers that are of high academic quality. To me, it’s reassuring that this is an industry that takes the knowledge base so seriously that it blurs with academia.

VL: In the future, do you think more security companies will adopt this model of transparency?

MM: I think they will, because of this notion of asking for help will make them stronger. But collaboration is two ways. I give this to the world and therefore the world will have a higher propensity to help me. It’s not a barter system. You need the conviction that you should share without any immediate requirement for reciprocity.

VL: Right. Another thing I wanted to mention – because it’s not something many people in this industry have – is that you earned a master’s degree in technical physics. So what’s more difficult, physics or managing hackers?

MM: Surprisingly, physics! Managing people you can learn. Now with physics, you need to be born with that brain.

Advice for Leaders – Inside and Outside of Security

VL: What lessons from your past leadership roles have helped you succeed in HackerOne, where there is this open and sometimes paranoid environment?

MM: A leader needs to bring to the organization a certain level of confidence and stability in the face of fluctuating realities. A leader must lend confidence and balance to the situation. In security, there’s so many possible threats. You must bring calmness to people to deal with these horror scenarios without being horrified. It’s not unlike when you’re a surgeon and you encounter terrible situations.

VL: Right, like when someone breaks their leg, you can’t be scared or overwhelmed in that moment.

MM: Leadership must provide that environment of stability, of confidence, of acceptance. People will know that even when they make a mistake, they are still accepted, no matter what.

VL: If you could talk to non-security leaders – at startups or other companies – or if you could talk to yourself years ago, what advice would you give? What resources would you recommend?

MM: As far as resources, I’d choose Ryan McGeehan’s blog. He’s a security expert with clear ideas. As far as challenges, security is so important that you can’t delegate it to one person. Many times, especially at tech companies, it’s better to ensure everybody takes responsibility for security. I would also tell former Mårten to make sure there is security in everything. We often sacrificed security for ease of use. Ease of use is important, but security is more so. Then, there is the problem every CEO faces, which is that of priorities. I sympathize with startup CEOs who can’t invest time on all areas. And they can’t afford to hire a CISO or security team. To them, I say start small. Embed a little bit of security in everything you do.