Some of those hackers might be companies that grew out of university CS departments, and some of them may be individual high school students working from their kitchen tables. Would a large company Board of Directors trust a kid hacker who came to them with a bug he found in their software? Probably not. But if Mårten or one of his hackerone people contacts that company, it's likely to listen -- and set up a bug bounty program if they don't have one already.
Essentially, once again Mårten is working as an intermediary between technically proficient people -- who may or may not conform to society's idea of a successful person -- and corporate executives who need hackers' skills and services but may not know how to find non-mainstream individuals or even know the difference between "hackers" and "crackers." Editor's note: I have known and respected Mårten for many years. If this interview seems like a conversation between two old friends, it is.
Slashdot: Hello. I am Robin Miller for Slashdot, and today we have with us Marten Mickos.
Slashdot: This is the guy who took MySQL and built it up to the point where he sold it to Sun for a billion dollars. Which is a neat trick. And then he went to work for Eucalyptus as CEO – a company that does big data type cloud stuff, and again a big success sale. And so what did he do? Did he go home and play with his children and hope for grandchildren one day? No. He is now CEO of a company called HackerOne. So tell us, what is HackerOne?
Marten: Hey Robin, great to be on your show again. HackerOne is a company that orchestrates bug bounty programs and vulnerability coordination on behalf of internet companies. And we do that by reaching out to a worldwide community of security researchers and hackers--some of them are teenagers who come in and look for vulnerabilities and when they find them, they get paid bounties by our customers. So you could say that we are a marketplace or a trading place for responsible hackers who work with responsible companies.
Slashdot: But mostly you are dealing with independents.
Marten: We are dealing with independents, so we are dealing with people, many of whom we know, some of whom we don’t know; they are anonymous, but they are highly intelligent and creative. They have a desire to do the right thing, and to find the vulnerabilities before criminals do. Because we have seen already that criminal organizations will break into your systems and are probably trying as we speak. So it is important to find the holes quickly and fix them.
Slashdot: So it is also interesting that, I would think, some of the people you are sending money to would otherwise possibly be criminals. What do you think?
Marten: It could be. I do think that we deal with people who, through and through, have good intentions, but sure, if you are young or if you have very little money, there could be a temptation to do something which is borderline legal or immoral, and of course in this way we put the incentives exactly right. So that good deeds are rewarded, and then they will say, wow, I could pay a down payment on my house mortgage or I can pay for my studies at college, and they realize that it is driving them on a path to success and away from any criminal or shady activity.
Slashdot: How do you get along with... Okay, some people I know, and I have done some video type of work for Codenomicon (thinking of people in Finland), and they are really nice guys and that’s what they do, they are pen testers. Do you ever deal with companies like that?
Marten: Yeah, we do work together with pen testing companies, because many times when our platform is in operation, it initially surfaces a lot of vulnerabilities and the companies need help in fixing them and assessing them and triaging them, so we bring in partners to do that. Because our business is purely to be the marketplace between the responsible hackers and the responsible companies.
Slashdot: So do you guys get a lot of corporate business, do you go look for it, does it come to you, how does that work?
Marten: They are coming in from all directions right now, but sure. Initially we had the internet companies, so big big internet companies, like... Twitter is a customer, Yahoo! is a customer and so on, and now we are seeing more traditional enterprises – big banks, even governments, the manufacturing industry and so on – come to us. But of course it is a similar shift in mindset as we saw with open source, initially big companies were afraid of open source and now they realize it is the best thing since sliced bread. And it is a similar thing here that you have to get accustomed and comfortable with the transparency around vulnerability disclosure and when you realize that the criminals are hacking on your system anyhow you realize the benefit of asking ethical hackers to help you find the holes. But it is a shift of mindset that is required.
Slashdot: You know, something that makes me sad that I didn’t think about until just now, and I don't have the information in front of me, but there is a group of guys in Miami, Florida who have a very similar deal. They are kind of like an ethical hacker collective, and they look like a Linux users group or something; they meet every week in a reasonably nice restaurant and they go over who wants what on the corporate side, the corporate customers, and who is going to do it.
Marten: Right. Oh okay.
Slashdot: And they are fairly local. I mean, they are in Miami. You know, when I saw the HackerOne stuff I said this is really great, but already there are people doing it.
Marten: Oh yeah, many are doing it; this has been a practice since Netscape pioneered it 15 years ago. But it hasn’t been turned into a global movement and practice yet, and what we do is we have these hackers and security researchers from all over the world, we have the biggest network of them, and you may need some specific talent that you don’t find in your hometown or in your own network, but we have access to all of them. There are tens of thousands of hackers that we can reach out to and say, here is a customer who needs help now in looking for holes in their system; when you find them, send the reports, and the best reports will get rewarded.
Slashdot: The best reports?
Marten: Not all reports, but the best report. So it is up to the customer to decide how much they pay in bounties.
Slashdot: Okay, and do they put that amount out in front so that people can say “yes” or “no, that’s not worth it?”
Marten: It depends on the customer. You can do it in many different ways. You can have a public program or an invitation-only one, you can announce the bounties ahead of time or only afterwards; it is a function of how mature the organization is. If you take one of those who really do it well, Facebook, Microsoft, Yahoo! they have programs. They tell them what a bug is worth, and that drives, of course, the interest of these security researchers or hackers, whatever you want to call them. They are experts on security.