HackerOne, a computer security startup that runs what’s known as “bug bounty” programs, has a grand new plan to help every company hire legions of hackers to attack their systems, all in the name of better computer security.
And along the way, its famous new CEO, Marten Mickos, has become a sort of fatherly Pied Piper figure to a generation of socially awkward teen hackers, many of them living in developing countries. He’s guiding them to the light of hacking for good, and earning some money, instead of causing mischief.
Bug bounty programs are when companies invite hackers to break into their software, then pay prizes for the bugs they find. The scarier the bug, the bigger the prize. It’s a way of finding out how bad-guy hackers would break your software using real-world conditions in a controlled setting.
On Friday, HackerOne launched a bunch of new products that make bug bounty programs more accessible for everyday companies. This includes a new subscription business model for software that helps customers with a bunch of related tasks, such as running small bug-bounty pilot programs and tracking the bugs through the process of fixing them.
Since it launched in 2012, the company has landed 550 customers, all without a sales force. With the new software, the 50-employee company just changed that, too. It hired its first salesperson, Marjorie Janiewicz, previously from MongoDB, and she’s in the process of hiring more.
Humans are the problem and the solution
HackerOne is a hot Valley startup that’s raised $34 million from VC backers like Benchmark and NEA and individual “angel” investors like Marc Benioff, David Sacks, Drew Houston, and Jeremy Stoppelman.
About seven months ago, it hired Mickos as CEO. He’s known for joining young companies in promising fields and selling them for big bucks. He was the CEO of MySQL back when open source software was new, and sold it to Sun Microsystems in 2008 for $1 billion. Then he joined cloud company Eucalyptus and sold it to HP (the terms were not disclosed, but most reports put the amount at less than $100 million).
Mickos wasn’t at first interested in HackerOne, he told us.
He barely agreed to meet with the founders, Jobert Abma and Michiel Prins, two twenty-something best friends, who have been hacking into computers since their high school days.
“I was asked to take a look at this company, and I was thinking to myself, ‘Oh no, a security company. Who the heck could get excited about security?’ I sort of dragged my feet to the meeting,” Mickos told us.
Obviously, he changed his mind.
“I realized that this company is turning security inside out. You used to do all the security on the inside, now we realized the rescue is on the outside. You used to buy more and more [security] tech. Now we realize that tech is not the solution, tech is the problem. Humans are the solution,” he says.
Today HackerOne has a network of “tens of thousands” of hackers in its system, he says, many of them teens he’s befriended over Facebook and Twitter.
A better outlet for ‘misfit’ teens
Mickos said he feels a bit “emotional” about this company’s mission.
“There are all these young, capable people who are a bit lost and may feel like they are misfits in society and if you give them a good task and ask them to do a good deed, they will,” he says.
“I was just in Facebook chatting with my new friend in Pakistan. He’s 15 or 16. He learned to hack on his own. He earned a bounty from Coinbase. He’s a great guy and sends me small messages. He will be a CSO [chief security officer] one day of some amazing company. He’s growing up far away and all he has is a smartphone and a laptop.”
Mickos says that he’s gotten to know similar teens in the Philippines, Morocco, Saudi Arabia, the UK, Russia, and Scandinavia.
“You find them all over the place. And they are so full of energy and hope. It’s exactly like Brexit. The old guys are disenfranchised and ready to leave. But the young kids, they are ready to build a great digital society for us.”
In fact, the founders were the same sort of teen hackers in the Netherlands. They launched a company when their parents insisted they put their talents to good use instead of getting into mischief and earning sentences of community service.
All told, HackerOne has paid out $8.5 million in bug bounties since it was founded in 2012, Mickos says.
Not all the hackers are teens. Many of them are software and security pros earning extra money moonlighting as bug hunters. Some of them earn $100,000+ a year, including founder Abma himself, he recently told us.
Even the Pentagon is asking these folks to hack it
HackerOne isn’t the only company out there running bug bounty programs. Bugcrowd, CrowdSecurity, and Synack are some others.
But it does have an impressive gaggle of customers including Uber, Dropbox, Airbnb, GitHub, GM, and Twitter.
Probably its most impressive feat was a program put on by the Department of Defense called Hack the Pentagon, which concluded in May. Over 1,400 hackers participated. They found 138 bugs and the DOD paid out $71,200 in bounties. The Pentagon was so happy with the program, it sent every participant a specially made commemorative coin.
That’s a far cry from the Pentagon’s previous relationship with hackers, which might have involved jail.
If the Pentagon can do a bug bounty, then any company can.
— Travis Lee (@eelsivart) June 25, 2016