HackerOne Bug Bounty Programs Gain Ground in Enterprise
Mårten Mickos, the chief executive officer of the bug-bounty firm HackerOne, has a unique background. Having worked in the tech field since the 1980s, Mickos has held a variety of wide-ranging roles. He led a mobile sports entertainment firm.
He previously led the open-source database company MySQL, served as a senior vice president of Sun Microsystems and HP, and has also served on the board of directors at Nokia.
These days, he’s brimming with optimism about the growth of his company. At last count, HackerOne harnesses the efforts of half a million hackers to help organizations ranging from AT&T to Ecobee to the Department of Defense and the European Commission tamp down cyber-vulnerabilities.
A year ago, the company had roughly 120 employees. “Today we’re at 250,” Mickos said.
The company has attracted some $74 million in venture capital funding. Earlier this year, it announced it had paid out more than $60 million in bug bounties and has found more than 120,000 vulnerabilities to date.
A growing number of enterprise companies are employing HackerOne’s services. “We used to be sort of the obvious choice for any tech companies in Silicon Valley,” Mickos said. “Now, we have regular big corporations coming to us.” The roster includes AT&T, Equifax, Capital One, General Motors, Starbucks and Hyatt Hotels.
The company’s work with GM doesn’t currently extend to connected cars but focuses on digital properties such as websites. “We are not hacking their cars yet. But if you have a connected car, then you have a website where you can configure it or service it,” Mickos said. “So they all become somewhat amorphous domains.”
The attack surface of an IoT device, whether it is a connected thermostat or a connected car, extends far beyond the actual physical unit. It includes APIs as well as websites and mobile apps.
IoT security is an active area for the company, but Mickos stopped short of calling it a focus. “We don’t mind who we get as customers because we know that the entire world is insecure. There are vulnerabilities left and right,” he said. “Whoever joins us will be in better shape.”
The company is also seeing growing support from government agencies across the world, ranging from Singapore to the United Kingdom.
Vulnerabilities are everywhere, he said. “Whether it’s IoT or healthcare, or voting machines, or e-commerce, or wherever it is, it doesn’t look good today,” he said. “I don’t put them in any prioritized list. I don’t say one of them has more vulnerabilities than anything else.”
One focus the company does have is transparency. Quartz published an article explaining how the company stood out from other gig-economy peers like Uber, DoorDash and Instacart in how it treats its contract workers.
“People think we serve our customers well. We do. But we serve our hackers first and then our customers,” Mickos said. “And before we serve our hackers, we take care of our employees.”
The company may not offer its employees fancy catered lunch, but its leaders work to build a culture of openness and inclusivity.
If the company had a slogan, it might be: “‘Let me give you feedback,’” Mickos said. “That’s, of course, the essence of the HackerOne business. Not everybody wants feedback. But we try to make it natural. We share information.”
Sometimes, it can be challenging to interface with a subset of its hackers, who can “sometimes be obnoxious, and have false claims.” “But we have to respect them because the whole business is built on them bringing value [from that community] and take that to the customers,” Mickos said. “We have to remind ourselves: ‘Okay, we’re 250 employees, but that’s nothing. We have 500,000 hackers around us, and that’s the community. And we are just the tiny, tiny group coordinating the work,’” he said. “That’s why we decided to value integrity, openness, collaboration and winning as a team.”
The company also takes cues from the field of aviation. “Why is it safe to fly? It’s because they have the practice of blamelessly sharing every piece of safety information with everybody, including competitors,” Mickos said. “They look for the root cause [of a problem] and what caused it.”
Part of the company’s plan for expansion is to diversify the services it offers. In that vein, it recently launched a penetration testing service. But like its core bug bounty offerings, the pen testing offering uses a crowdsourced approach. “And [the hackers] get paid only when they find something, not by the hour.”
Mickos said the company’s executives are also exploring other ideas such as potentially offering a crowdsourced equivalent of a security executive. “On a conceptual level, it’s true cybersecurity spans so many sub-areas that nobody can be an expert in all of them,” Mickos said. So it makes sense to pool resources and tap external resources to help fill in the gaps. “One of the creative ideas we had is to offer a CISO as a service,” Mickos said, referring to a chief information security officer. “We would take a hundred hackers — none of them CISOs themselves. But together, they have the skill of a CISO,” he said. And for a client who deployed such a service, a different person could show up every day. “One person might be an expert on antivirus. One might be an expert in phishing. One might be an expert in multi-factor authentication. We could bring them in as you need them.”