HackerOne's Mårten Mickos
Hacker-Powered Security
Mårten Mickos is one of the most respected members of the open source world. The former CEO of MySQL AB during its prime now serves as the CEO of HackerOne, a vulnerability coordination and bug bounty platform. I sat down with Mickos to understand HackerOne's purpose and his perspective on the security of open source software.
HackerOne's Role
In layman's terms, HackerOne brings the hacker community to an organization to probe its code and systems in search of vulnerabilities. As Mickos said, "Sometimes we joke that if you are going to be hacked anyway, it's better to get hacked by someone you can trust." HackerOne has built a platform for securely submitting and sharing vulnerability reports and paying bounties, along with a reputation system for hackers.
When an organization announces a bug bounty program through HackerOne, hackers in the community start examining the organization's code and systems and filing their reports. The platform lets the program's organizer triage and validate these reports, and the hacker who filed a valid report is rewarded.
"HackerOne serves as the portal connecting organizations with the largest community of over 200,000 registered ethical hackers and connecting hackers with more active programs than any other platform," said Mickos.
HackerOne's approach is simple but effective. It acts only as a mediator, without getting involved with the code itself. "HackerOne does not review customer code unless our technical program manager team is instructed to do so in order to help the organization evaluate the severity and advise on a bounty payment," clarified Mickos.
Community-Driven Security
HackerOne has a massive community of more than 200,000 white-hat hackers in its network. "The hacker community is filled with smart, curious, communal, and charitable human beings. Over 90% of hackers are under the age of 35, 58% are self-taught, and 44% are IT professionals. They come from over 90 countries including the US, India, UK, etc.," said Mickos.
Hackers are rewarded for the vulnerabilities they find. HackerOne works with each customer to carefully outline a bounty structure based on a bug's severity and its impact on the organization, and each valid report is paid according to that assessment.
"A total of 116 bug reports over $10,000 were paid out in the past year with the amount paid for critical issues rising to over $2,000 on average and organizations offering as much as $250,000," said Mickos.
Customers determine bounties based on the severity and potential effect on the organization. Most organizations pay bounties through the HackerOne platform. HackerOne requires tax forms from every hacker in order for them to get paid.
To date, HackerOne has paid more than $31 million in bounties. "Unlike Apple, that takes a 30% cut from developers when they publish their paid app on the App Store, HackerOne doesn't take any cut from hackers. Hackers will always receive 100% of the bounties they earn," said Mickos.
But money is not the only motivating factor behind the HackerOne community. "The biggest takeaway of the 2018 Hacker Report was that the ethical hacking community is eager to do good in the world. They are already finding vulnerabilities. Hackers are motivated by opportunities to learn, be challenged, and have fun more than [by] money. While money definitely still attracts hackers to different programs, it's not the key driver of what they do," said Mickos.
Hack the USA
HackerOne helps both the public and the private sector. "We work with them [the private sector] to find vulnerabilities in their systems. Every vulnerability we find and fix leaves fewer possibilities for criminals to break in. We are reducing the cyber risk with every step we take," he said.
In 2016, HackerOne signed a deal with the US Department of Defense (DoD) Defense Digital Service (DDS) team to hack the Pentagon. It became the first bug bounty program in the history of the federal government.
The first vulnerability report was filed within 13 minutes of the launch of the Hack the Pentagon challenge [1]. In just six hours, around 200 reports were filed, and a new report was filed every 30 minutes. During the entire project, more than 1,400 hackers participated in the hack, more than 138 legitimate vulnerabilities were found, and $75,000 was paid in bug bounty rewards.
The success of Hack the Pentagon led to more projects – Hack the Army [2] and Hack the Air Force. In total, the federal government awarded more than $300,000 in rewards. Looking at the massive defense budget, this number might look small, but it's not.
"It's not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million," said former Secretary of Defense Ash Carter regarding HackerOne's Hack the Pentagon.
HackerOne and the DoD just kicked off the sixth bug bounty challenge for the US government. At the kickoff event in Las Vegas, Hack the Marine Corps paid out over $80,000 to ethical hackers who surfaced 75 unique valid vulnerabilities in public-facing digital assets.