HackerOne boss on why the future's bright for bug bounties

RSA 2016 Three months ago HackerOne, the group that pays a bounty to security researchers for bugs, appointed Mårten Mickos as its new CEO, and the tech-savvy Finn has clear ideas about the future of hacking for pay.

Mickos was a surprise hire. At the turn of the century he was the CEO of MySQL, and remained there for eight years before moving to become the CEO of cloudy cluster firm Ecalyptus, which was sold to HP. After getting reorged out of HP, Mickos surprised many by taking the HackerOne job.

On Tuesday, HackerOne will begin a soft launch of its subscription vulnerability service, while retaining its free buglist. So El Reg sat down with him to find out what the future holds for bug bounties.

Q: So why HackerOne? It appears to be so different from the rest of your career.

I looked at a lot of companies. I knew I wanted to be a CEO again and people came with offers, but HackerOne intrigued me.

There are two things I like doing; building teams and bringing new concepts to the market, so that was the initial point of interest. But I believe in hackers and giving them a useful thing to do is enormously inspiring.

It's rewarding because it's useful to the world but also enormous business potential. I want to make the world better and have a profitable business – it's not all altruism.

Q: The group has paid out over $6m in bounties so far, in increments of up to $30,000 per bug. What's your criteria for measuring the importance of a bug and what gets the big money payouts?

We pay whatever a customer wants to pay, but the biggest we have seen is $30,000. Bug reports are submitted unconditionally, but our customers can set any bounties you like, but if you set it too low the hackers won't come back to you with flaws.

Some of our researchers file hundreds of bug reports, so if one company abuses the system it won't hurt the hacker too badly, but word gets around. If a company abuses the system then people don't report their bugs, and word gets around quickly in the community if someone isn't playing fair.

In the long term, companies will be judged by how much they pay for their bugs – it'll be the ultimate grade for what you do in the code lifecycle and how much you value good code; there's an invisible hand there at work.

Q: It has taken a long time for many companies to get their heads around paying researchers for bugs. Are there still holdouts?

Almost none, and we don't see it as a problem. We argue that a well-functioning ecosystem means you will have to pay bounties to make sure good hackers come to you. But hackers are driven by different motivations; the financial side is just one part of it.

Recognition is another part of the equation. Finding a bug – and getting recognized for it – is worth it when jobs and reputation in the industry are involved. But the intellectual challenge is as important.

We find that a lot of hackers aren't obsessed with financial rewards beyond paying the rent. A lot will sell bugs for bounties to commercial companies, but refuse to take payment from non-profits and charities. Morality is a very strong force in the hacking community.

Q: Are there circumstances where you won't deal with a particular researcher, or ethical boundaries that come into play when deciding to make a payout?

There is a code of conduct you need to live up to, but it's largely a self-governing issue. To be a member of the community it will work only if you have good intent, since someone with bad intent has no reason to be there.

But we have a system of dealing with it. We either contact the hacker and say that the feedback isn't going down well with customers and give some tips to improve communications, or say you hacked one side but violated a stated policy. We assume the best of intentions but have enforcement mechanisms; when we reduce someone's reputation scores it's unhealthy.

The vast majority of conflicts come from well-intentioned people who just don't know English that well or haven't had experience in dealing with companies, or simply not recognizing that a flaw is not as big a bug as they thought it was.

Q: The basic HackerOne vulnerabilities list is free, and while you take a 20 per cent cut of each bounty, the serious money would appear to be in subscription services. How amenable are companies to that?

The subscription service hasn't properly launched – we're soft-launching it tomorrow – but it already has a lot of interest.

So far, when a customer comes on board they can either pay bug bounties for their software or subscribe for a SaaS version. It depends how technical they are – companies like Yahoo! and Adobe are happy to fix flaws themselves, but on the other hand some want us to handle mitigation.

With HackerOne Professional, companies can pay $2,000 a month and get updates and a full-service system to fix problems. HackerOne Enterprise is costed on a per-company basis but offers more services.

Anyone can use the free service but we will make sure companies pay proper bounties. We have responsibility for hackers, and everyone who uses hackers' services needs to reward them somehow – we want a fair trade between hackers and companies. We don't want free riders who don't reward hackers.

Q: You recently cited the case of a 15-year-old in Pakistan who is earning using HackerOne. In terms of researchers under the group's wing, how spread out are they geographically?

It's worldwide, but with clumps in certain places. There's a very high number of Northern Europeans, Russians, and a lot from the Indian subcontinent. The US, of course, is very big and we see clusters anywhere where there's a high internet penetration.

Q: A lot of companies complain that they can't hire hackers who want to work with them. Why do you think that is?

People say hackers are socially awkward, but I think corporations are – too many treat people like robots, telling them what to wear, how to behave, and what to think. It's not healthy for mankind – if you start thinking like a robot then a robot can replace you.

When hackers get very skilled then they understandably begin to take certain liberties and some refuse to take orders, but they are outliers. If you look at the center of the bellcurve then you find highly intelligent people with a strong sense of independence.

Granting them the right to be themselves is why they are so good, and the vast majority are just trying to make the world a better place. If you try and force them into a stereotype you limit them. Men and women have the right to focus on being good at what they do, that's where the real society is – if people don't have the rights to make decisions they stop thinking creatively.

It's odd – 15 years ago with MySQL I used to get the same complaints about open source people; companies were scared to let these free-thinkers into their businesses. Now open source coders are in high demand and are totally accepted, for all their quirks. ®