HackerOne's Mårten Mickos
Hacker-Powered Security
Mårten Mickos is one of the most respected members of the open source world. The former CEO of MySQL AB during its prime now serves as the CEO of HackerOne, a vulnerability coordination and bug bounty platform. I sat down with Mickos to understand HackerOne's purpose and his perspective on the security of open source software.
HackerOne's Role
In layman's terms, HackerOne brings the hacker community to an organization to hack into their code in search of vulnerabilities. As Mickos said, "Sometimes we joke that if you are going to be hacked anyway, it's better to get hacked by someone you can trust." HackerOne has built a platform for secure intelligence report sharing and payment, along with a reputation system for hackers.
When an organization announces a bug bounty program through HackerOne, the hacker community starts looking at the organization's code and filing their reports. The platform enables the bug bounty program's organizer to vet these vulnerabilities. The hacker who filed the report gets rewarded.
"HackerOne serves as the portal connecting organizations with the largest community of over 200,000 registered ethical hackers and connecting hackers with more active programs than any other platform," said Mickos.
HackerOne's approach is simple but effective. It acts only as a mediator, without getting involved with the code itself. "HackerOne does not review customer code unless our technical program manager team is instructed to do so in order to help the organization evaluate the severity and advise on a bounty payment," clarified Mickos.
Community-Driven Security
HackerOne has a massive community of more than 200,000 white-hat hackers in its network. "The hacker community is filled with smart, curious, communal, and charitable human beings. Over 90% of hackers are under the age of 35, 58% are self-taught, and 44% are IT professionals. They come from over 90 countries including the US, India, UK, etc.," said Mickos.
Hackers are rewarded for the vulnerabilities they find. HackerOne works with each customer to outline a bounty structure based on a bug's severity and its impact on the organization, and each valid report is paid according to that assessment.
"A total of 116 bug reports over $10,000 were paid out in the past year with the amount paid for critical issues rising to over $2,000 on average and organizations offering as much as $250,000," said Mickos.
Customers determine bounties based on the severity and potential effect on the organization. Most organizations pay bounties through the HackerOne platform. HackerOne requires tax forms from every hacker in order for them to get paid.
To date, HackerOne has paid more than $31 million in bounties. "Unlike Apple, that takes a 30% cut from developers when they publish their paid app on the App Store, HackerOne doesn't take any cut from hackers. Hackers will always receive 100% of the bounties they earn," said Mickos.
But money is not the only motivating factor behind the HackerOne community. "The biggest takeaway of the 2018 Hacker Report was that the ethical hacking community is eager to do good in the world. They are already finding vulnerabilities. Hackers are motivated by opportunities to learn, be challenged, and have fun more than [by] money. While money definitely still attracts hackers to different programs, it's not the key driver of what they do," said Mickos.
Hack the USA
HackerOne helps both the public and the private sector. "We work with them [the private sector] to find vulnerabilities in their systems. Every vulnerability we find and fix leaves fewer possibilities for criminals to break in. We are reducing the cyber risk with every step we take," he said.
In 2016, HackerOne signed a deal with the US Department of Defense (DoD) Defense Digital Service (DDS) team to hack the Pentagon. It became the first bug bounty program in the history of the federal government.
The first vulnerability report was filed within 13 minutes of the launch of the Hack the Pentagon challenge [1]. In just six hours, around 200 reports were filed, and a new report was filed every 30 minutes. During the entire project, more than 1,400 hackers participated in the hack, more than 138 legitimate vulnerabilities were found, and $75,000 was paid in bug bounty rewards.
The success of Hack the Pentagon led to more projects – Hack the Army [2] and Hack the Air Force. In total, the federal government awarded more than $300,000 in rewards. Looking at the massive defense budget, this number might look small, but it's not.
"It's not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million," said former Secretary of Defense Ash Carter regarding HackerOne's Hack the Pentagon.
HackerOne and the DoD just kicked off the sixth bug bounty challenge for the US government. At the kickoff event in Las Vegas, Hack the Marine Corps paid out over $80,000 to ethical hackers who surfaced 75 unique valid vulnerabilities in public-facing digital assets.