This first appeared in the San Francisco Business Times on November 3, 2016. View the original article here: http://www.bizjournals.com/sanfrancisco/news/2016/11/03/marten-mickos-hackerone-hackers-bugs-bounties.html
Marten Mickos in SFBT
Marten Mickos is CEO of HackerOne, a cybersecurity firm with a unique business model. Rather than building and selling security products, HackerOne runs a marketplace that pays out “bug bounties” to hackers all over the world for scouting out kinks in companies’ software. The model has proven very effective, with a rapidly growing customer base that includes Uber, General Motors, Dropbox, Twitter, GitHub and the Pentagon. Mickos sat down with the Business Times to discuss company goals, the philosophy that’s driving HackerOne’s growth, and what Uber and Barbie Dolls have in common.
How’s business? We’ve had amazing growth, especially in the last six
months. It’s always a roller coaster, and the paranoid part of me is always thinking, “What’s going to break next?” But we’ve expanded our hacker pool, expanded our customers.
Hackers once carried such a negative connotation, but that’s not the case anymore. Why? We’re learning that admitting your vulnerabilities, being more open about who you are and what your intent is, is the way to be successful. You can’t just give a one-sided story all the time.
Since your business model is relatively new, how do you go about setting the bounties? Initially we didn’t know how to set the bounties, so we just did it. The minimum bounty is $100, the average bounty is $530. The maximum bounty varies, but it could be $15,000 or $30,000 depending on the programs. Now we have mathematical models to determine what the ideal bounty should be in any given situation.
We also have customers with different ambition levels, so we’ll have some customers say, “We want our bounties to be always above average. We want the best hackers.” When you come on board as a customer, you can choose to play the average game or you can pay more to get the best hackers. Slowly, this is driving bounties up, but it’s actually healthy because the benefit to companies today is so enormous that it’s only right that they pay a bit more for those findings.
What’s the biggest challenge in scaling up the model? The biggest challenge is a mind shift. What does it take for someone to admit vulnerabilities? For every human being, it’d be useful to go and have a medical checkup every year, but how many do it? Not everyone. It’s the same with companies. If they overcome that hump, then the next question is are their operations ready to deal with it? If you ask someone to tell you about problems, you must also have the readiness to fix.
Some companies where the software infrastructure is so old, or their methods are so old-fashioned, they can’t respond quickly. So there’s an operations shift as well. But once those two things are in place, there’s nothing stopping them. We have some very traditional organizations already running successfully on HackerOne: General Motors, Department of Defense, insurance companies, retail companies, airlines.
You’ve been CEO for about a year now. What was your No. 1 priority when you started? We have a very strong founding team and early employees, but didn’t really have an executive team with experience in building sales, marketing, services. So one of my early priorities was to build the right team. To get more philosophical again, your No. 1 job as CEO is to build a team. The second job is to make sure your company doesn’t run out of cash. We’re very well-funded so I didn’t have to worry about the cash side. As long as those two things are in place, you’re set up for success.
How do you go about broadening your pool of hackers? They are just coming to us. They hear about it from friends and sign up. It’s kind of like a cult movement. Many of these are curious, intelligent young people with time on their hands: They need something meaningful to do. We give them a task, we ask them to do a good deed every day and give them badges and points and all kinds of things to reward them – plus money.
So how does this “cult movement” grow? It’s kids talking to other kids, grown-ups to other grown-ups. We already have over 70,000 signed up. Our highest-paid hacker, a guy who lives in Las Vegas, has made over half a million dollars already on our platform. The youngest is a 10-year-old kid in Finland who got $10,000 from Instagram.
Next company goal you haven’t achieved yet? We want to grow our hacker community to one million hackers. It’ll take time to get there, but it’s really a goal. We differ from every other player in this space by having that goal.
Do you think a million hackers exist out there now? I think there are an order of magnitude more who would be doing this. So if we get a million, we’re still not hitting the ceiling in any way. Every town has this smart kid with a curious mind. All of them can be hackers.
Who’s your ideal customer? Anyone with an online presence and a brand they care about is a suitable customer for us. That Wi-Fi-enabled Barbie doll is in our program. Why would you have to protect a Barbie dolls from hackers? Because Barbie dolls are in the hands of kids with a microphone and a camera. Cybersecurity is omnipresent. Barbie dolls, too.
Predilections? I like to read books, I like photography, I like my road bike, hiking, skiing, sailing, and of course good food and wine. I don’t have time for all of those things, but I love my work too.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty solutions encompass vulnerability assessment, crowdsourced security testing and responsible disclosure management. Discover more about our hacker powered security testing solutions or Contact Us today.