HackerOne's Mårten Mickos
Hacker-Powered Security
Mårten Mickos is one of the most respected members of the open source world. The former CEO of MySQL AB during its prime now serves as the CEO of HackerOne, a vulnerability coordination and bug bounty platform. I sat down with Mickos to understand HackerOne's purpose and his perspective on the security of open source software.
HackerOne's Role
In layman's terms, HackerOne brings the hacker community to an organization and lets them attack its systems in search of vulnerabilities. As Mickos said, "Sometimes we joke that if you are going to be hacked anyway, it's better to get hacked by someone you can trust." HackerOne has built a platform for secure vulnerability report submission and payment, along with a reputation system for hackers.
When an organization announces a bug bounty program through HackerOne, the hacker community starts probing the assets the program declares in scope and filing reports. The platform lets the program's organizer triage and validate each report, and the hacker who filed a confirmed report is rewarded.
"HackerOne serves as the portal connecting organizations with the largest community of over 200,000 registered ethical hackers and connecting hackers with more active programs than any other platform," said Mickos.
HackerOne's approach is simple but effective. It acts only as a mediator, without getting involved with the code itself. "HackerOne does not review customer code unless our technical program manager team is instructed to do so in order to help the organization evaluate the severity and advise on a bounty payment," clarified Mickos.
Community-Driven Security
HackerOne has a massive community of more than 200,000 white-hat hackers in its network. "The hacker community is filled with smart, curious, communal, and charitable human beings. Over 90% of hackers are under the age of 35, 58% are self-taught, and 44% are IT professionals. They come from over 90 countries including the US, India, UK, etc.," said Mickos.
Bounties are paid per valid report. HackerOne works with each customer to define a bounty structure up front, tiered by the severity of the bug and its impact on the organization, and each valid report is paid according to that assessment.
"A total of 116 bug reports over $10,000 were paid out in the past year with the amount paid for critical issues rising to over $2,000 on average and organizations offering as much as $250,000," said Mickos.
Customers set the bounty amounts by severity and potential effect on the organization, and most of them pay through the HackerOne platform, which requires tax forms from every hacker before a payout.
To date, HackerOne has paid more than $31 million in bounties. "Unlike Apple, which takes a 30% cut from developers when they publish their paid app on the App Store, HackerOne doesn't take any cut from hackers. Hackers will always receive 100% of the bounties they earn," said Mickos.
But money is not the only motivating factor behind the HackerOne community. "The biggest takeaway of the 2018 Hacker Report was that the ethical hacking community is eager to do good in the world. They are already finding vulnerabilities. Hackers are motivated by opportunities to learn, be challenged, and have fun more than [by] money. While money definitely still attracts hackers to different programs, it's not the key driver of what they do," said Mickos.
Hack the USA
HackerOne helps both the public and the private sector. "We work with them [the private sector] to find vulnerabilities in their systems. Every vulnerability we find and fix leaves fewer possibilities for criminals to break in. We are reducing the cyber risk with every step we take," he said.
In 2016, HackerOne signed a deal with the US Department of Defense (DoD) Defense Digital Service (DDS) team to run Hack the Pentagon, the first bug bounty program in the history of the federal government.
The first vulnerability report was filed within 13 minutes of the launch of the Hack the Pentagon challenge [1]. Around 200 reports arrived in the first six hours alone, and over the course of the challenge reports kept coming at an average rate of about one every 30 minutes. In total, more than 1,400 hackers participated, 138 valid vulnerabilities were found, and $75,000 was paid out in bug bounty rewards.
The success of Hack the Pentagon led to more projects – Hack the Army [2] and Hack the Air Force. In total, the federal government awarded more than $300,000 in rewards. Looking at the massive defense budget, this number might look small, but it's not.
"It's not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million," said former Secretary of Defense Ash Carter regarding HackerOne's Hack the Pentagon.
HackerOne and the DoD just kicked off the sixth bug bounty challenge for the US government. At the kickoff event in Las Vegas, Hack the Marine Corps paid out over $80,000 to ethical hackers who surfaced 75 unique valid vulnerabilities in public-facing digital assets.