HackerOne's Mårten Mickos

Hacker-Powered Security

Article from Issue 216/2018

Mårten Mickos is one of the most respected members of the open source world. The former CEO of MySQL AB during its prime now serves as the CEO of HackerOne, a vulnerability coordination and bug bounty platform. I sat down with Mickos to understand HackerOne's purpose and his perspective on the security of open source software.

HackerOne's Role

In layman's terms, HackerOne brings the hacker community to an organization to hack into their code in search of vulnerabilities. As Mickos said, "Sometimes we joke that if you are going to be hacked anyway, it's better to get hacked by someone you can trust." HackerOne has built a platform for secure intelligence report sharing and payment, along with a reputation system for hackers.

When an organization announces a bug bounty program through HackerOne, the hacker community starts looking at the organization's code and filing their reports. The platform enables the bug bounty program's organizer to vet these vulnerabilities. The hacker who filed the report gets rewarded.

"HackerOne serves as the portal connecting organizations with the largest community of over 200,000 registered ethical hackers and connecting hackers with more active programs than any other platform," said Mickos.

HackerOne's approach is simple but effective. It acts only as a mediator, without getting involved with the code itself. "HackerOne does not review customer code unless our technical program manager team is instructed to do so in order to help the organization evaluate the severity and advise on a bounty payment," clarified Mickos.

Community-Driven Security

HackerOne has a massive community of more than 200,000 white-hat hackers in its network. "The hacker community is filled with smart, curious, communal, and charitable human beings. Over 90% of hackers are under the age of 35, 58% are self-taught, and 44% are IT professionals. They come from over 90 countries including the US, India, UK, etc.," said Mickos.

Hackers are rewarded for the vulnerabilities they find. HackerOne works with each customer to carefully outline a bounty structure based on a bug's severity and its impact on the organization, and each valid report is paid according to that assessment.

"A total of 116 bug reports over $10,000 were paid out in the past year with the amount paid for critical issues rising to over $2,000 on average and organizations offering as much as $250,000," said Mickos.

Customers determine bounties based on the severity and potential effect on the organization. Most organizations pay bounties through the HackerOne platform. HackerOne requires tax forms from every hacker in order for them to get paid.

To date, HackerOne has paid more than $31 million in bounties. "Unlike Apple, that takes a 30% cut from developers when they publish their paid app on the App Store, HackerOne doesn't take any cut from hackers. Hackers will always receive 100% of the bounties they earn," said Mickos.

But money is not the only motivating factor behind the HackerOne community. "The biggest takeaway of the 2018 Hacker Report was that the ethical hacking community is eager to do good in the world. They are already finding vulnerabilities. Hackers are motivated by opportunities to learn, be challenged, and have fun more than [by] money. While money definitely still attracts hackers to different programs, it's not the key driver of what they do," said Mickos.

Hack the USA

HackerOne helps both the public and the private sector. "We work with them [the private sector] to find vulnerabilities in their systems. Every vulnerability we find and fix leaves fewer possibilities for criminals to break in. We are reducing the cyber risk with every step we take," he said.

In 2016, HackerOne signed a deal with the US Department of Defense (DoD) Defense Digital Service (DDS) team to hack the Pentagon. It became the first bug bounty program in the history of the federal government.

The first vulnerability report was filed within 13 minutes of the launch of the Hack the Pentagon challenge [1]. In just six hours, around 200 reports were filed, and a new report was filed every 30 minutes. During the entire project, more than 1,400 hackers participated in the hack, more than 138 legitimate vulnerabilities were found, and $75,000 was paid in bug bounty rewards.

The success of Hack the Pentagon led to more projects – Hack the Army [2] and Hack the Air Force. In total, the federal government awarded more than $300,000 in rewards. Looking at the massive defense budget, this number might look small, but it's not.

"It's not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million," said former Secretary of Defense Ash Carter regarding HackerOne's Hack the Pentagon.

HackerOne and the DoD just kicked off the sixth bug bounty challenge for the US government. At the kickoff event in Las Vegas, Hack the Marine Corps paid out over $80,000 to ethical hackers who surfaced 75 unique valid vulnerabilities in public-facing digital assets.
