An Interview With HackerOne CEO, Mårten Mickos

July 12th, 2016

Written by Jono Bacon
HackerOne CEO Mårten Mickos

Back in November 2015, HackerOne welcomed our new CEO, Mårten Mickos, to the ranks. A native Finn living in San Francisco, Mårten has a long history building successful companies.

Previously he led MySQL Inc and AB, which was later acquired by Sun Microsystems. He then went on to lead Eucalyptus Systems, before joining leadership roles at Nokia and HP. Throughout his career he has acted as an advisor to many organizations.

A New Beginning

Mårten has been one of the most consistent voices in open source leadership. His time with MySQL in particular was not just about building a successful company, but about facilitating a cultural change to open source...an approach that was terrifying to many back in those dim and distant days. While the path may have been winding, his journey to HackerOne was ultimately unsurprising given where his passions lie.

“It was a natural step to join HackerOne and apply the powerful models on the security industry that have emerged and been perfected in the world of open source software,” says Mårten. “HackerOne represents a disruptive inside-out shift in software security that offers enormous value to customers while allowing some of the most talented security experts in the worldwide community to make the most of their skill. And the team is fantastic.”

This road to HackerOne was not immediate. Mårten admits that he dragged his feet when going to the first meeting with HackerOne. “I wasn’t convinced I could get excited by security. The software security industry is so old-fashioned and unproductive, functioning only by scaring customers into believing they should pay billions for what amounts to little more than a heap of false positives,” he says.

When he sat down with the HackerOne founders, Merijn, Jobert, Alex, and Michiel, his eyes lit up immediately. “I saw a vision for a future where security is a positive and constructive thing - something that becomes a natural part of developing and deploying great software. I saw an ingenious business model where the smartest security experts in the world help great companies to become more secure. I was sold.”

Changing the Rules

The core of Mårten’s philosophy is that society will always face certain dangers and the assumptions in the security industry have become somewhat outdated.

“We used to think that people are the problem and tech is the solution. It is actually the other way around,” he says. “We used to think that secrecy improves security, but in reality the opposite is true. We used to turn to a small group of experts with clearance to work out security threats. Now we know that many times the best help is in the broad community outside the organization. We used to think that there is a “perimeter” and all we have to do is protect it. Now we know that security threats exist everywhere and perimeter-based security is insufficient.”

Mårten believes that bug bounty programs and vulnerability coordination are to traditional security what open source is to closed source. At the core of the success of both open source and HackerOne, then, is community, and Mårten believes that helping the community succeed will help HackerOne to succeed. “There is always more brain power outside your organization than inside it”, he says. “If you can tap into the collective intelligence of the broad community, you will be stronger and more productive.”

Building a Safer Planet

Part of the opportunity that Mårten is eyeing is helping organizations to focus on both preventive and corrective actions, and enabling both to be executed quickly. “The preventive actions should happen as early as possible,” he says. “Start by designing your software to be secure. Build security into every step of your software lifecycle, and make it an everyday consideration for everyone in the engineering team. Corrective actions should happen as quickly as possible. The faster you take action on vulnerabilities or other deficiencies or situations, the faster you will be secure again.”

An interesting recent example of this is the Hack The Pentagon initiative on HackerOne, in which hackers are invited to find vulnerabilities in government sites and services. Aside from the pure “lolwut!” reaction of many to the idea of the Pentagon inviting hackers into their borders, Mårten sees this as another part of the security revolution.

“Governments all over the world used to think that they embody security as such and need no external help on that topic. The US Department of Defense saw it exactly au contraire,” he says. “The Pentagon is arguably the most powerful organization in the entire world, yet they realized that they need the help of hackers to become secure. With the massive success of the Hack the Pentagon program, other agencies are now following suit. They see the enormous power of bug bounty programs for the public sector. This is such an important topic that one of the leading presidential candidates in the US publicly argued in favor of bug bounty programs for the government. This shows that the topic is of the highest importance to the government and to those who elect the highest official in the nation.”

A Community, not a Crowd

At the core of HackerOne is a belief in building a powerful, engaged community of hackers. In the same way communities in open source have helped technology go faster, have more meaning for those who build it, and launch the careers of hundreds of thousands of developers, HackerOne has precisely the same belief in community for hackers.

A recent hackathon at the HackerOne office.

“The hacker community is a phenomenal group of people,” he says. “They are self-motivated and opinionated people with endless curiosity and attention to detail. They think so fast that it can be difficult to follow their train of thought. The most seasoned ones have earned half a million dollars with bug bounty programs. The youngest we know about is a 10-year-old kid who found a flaw in Instagram. Many are in their mid or late teens, attending high school and paying school fees and hobbies with the money they earn on bounties. They come from all social classes and all nations. Those I have communicated with directly are from India, Pakistan, Morocco, Saudi Arabia, the Philippines, USA and most European countries.”

It is clear that while Mårten had his initial reservations about a dusty world of security when he was first approached by HackerOne, it is the community that he sees as the real power and potential. He is not alone in this view, and the entire HackerOne team has rallied around the goal of building the greatest community of hackers in the world.

And Finally…

Now, as the resident Finn in HackerOne, we couldn’t let Mårten get away without sharing a few cultural nuggets of wisdom with us.

So, we asked him for three Finnish words (other than Sauna) that our hackers can use to wow their friends with. He came through:

  • Sisu means tenacity, especially in adversarial conditions. We tend to explain it like this: “17 wars, and we have lost them all”. But we keep fighting.
  • Mämmi is a dessert we eat for Easter. It is absolutely delicious. But the look and feel of it leads you to believe something entirely different.
  • Löyly is the water we cast on the stones of the sauna heater or stove. The original meaning of the word is “soul”, which is a beautiful hint to the nearly sacred meaning of the sauna to people in Finland. And despite its visual simplicity, the word is very difficult for a foreigner to pronounce!

Oh, and “vulnerability” is “haavoittuvuus” in Finnish. Say that after a few gin and tonics…
