Views on Bug Bounty Programs and Ethical Hacking From HackerOne Inc. Chief Executive Officer Marten Mickos


Some of the world's largest companies—Yahoo! Inc., Twitter Inc. and General Motors Co., among others—participate in bug bounty programs. Companies in these programs pay rewards to “white hat” or “ethical” hackers for finding cybersecurity vulnerabilities in their networks.

Bloomberg BNA Privacy & Data Security News Senior Legal Editor Daniel R. Stoller posed a series of questions to Marten Mickos, chief executive officer of HackerOne Inc. and former senior vice president and general manager for Hewlett-Packard Co., on why companies should join bug bounty programs and whether hackers will help businesses shore up their cybersecurity.

Bloomberg BNA:

Do companies become part of the HackerOne bug bounty program platform by application or invitation?

Marten Mickos:

Companies come to HackerOne in most cases because they understand the benefits of working with hackers to improve software security, so they contact us to sign up. HackerOne has created a global network of hackers and companies who work together to find and resolve software vulnerabilities.

Because of this community we also see customers arrive by invitation, either from a hacker who has found a vulnerability and would like to report it using the HackerOne service, or from a customer or business partner of theirs. We also conduct outreach to invite others to join. Each new customer on HackerOne poses a unique challenge for our talented hackers, and this helps us attract the best hackers and foster our community.

Bloomberg BNA:

Do you think allowing white hat or ethical hackers to exploit network vulnerabilities is the best way for companies to both detect and prevent future cyberattacks?

Mickos:

Inviting white hat or ethical hackers to hunt for bugs is a very powerful solution to a very common and complex problem. Every software system has vulnerabilities and every industry is struggling with security. Even if you’ve bought all the right products or followed all the best practices there are still no guarantees that your systems are secure. By inviting friendly hackers to look for vulnerabilities you will find out what you missed.

Most of our customers find a security vulnerability within 24 hours of launching on HackerOne. This is why organizations, including the U.S. Department of Defense, General Motors, Google Inc., Yahoo, Microsoft Corp. and Uber Technologies Inc., work with hackers as part of their security strategy.


Bloomberg BNA:

Is there any clearance process for hackers that join the program that might ease concerns of company leaders who may be hesitant about joining a bug bounty program?

Mickos:

The power of a bug bounty program lies in the large number of highly skilled hackers looking at your code. These hackers do not get any special access to your systems that a criminal would not have. In most cases there is no formal clearance process.

It’s the model itself that ensures that only people with good intent will bother to sign up to help you improve your security. To help companies better understand who they are working with, HackerOne also has a reputation system for our hackers that is based entirely on their track record. This reputation system allows our customers to see what other programs and vulnerabilities this hacker has found and how they rank. In some cases our customers have specific hacker requirements but overall we find that the more hackers participate the better the results are.

Bloomberg BNA:

Do you think more hackers will turn to white hat hacking instead of malicious hacking because of the legal rewards involved?

Mickos:

I believe that the overwhelming majority of any group of people will be ethical and have an innate desire to do good. White hat hacking is also an exciting intellectual challenge. So we will always have ethical hackers who will help us find vulnerabilities no matter what the reward. But to get the best hackers to pay attention to your system, you will want to pay competitive bounties. This creates an enormously powerful mechanism where you pay only for results, and hackers get appropriately rewarded for their ingenuity.

Bloomberg BNA:

From your perspective what is the biggest risk companies face today regarding cyberattacks or network vulnerabilities?

Mickos:

Unfortunately there is no single biggest risk. Any computerized system has an attack surface exposing a variety of vulnerabilities. Additionally, you have risks of physical intrusion, social hacking, internal malicious actors and so on.

Perhaps the answer is that the biggest risk is ignorance or arrogance. Once a company acknowledges its risks, it is actually fairly straightforward to start building defense mechanisms. Vulnerability coordination and bug bounty programs are a powerful way of finding vulnerabilities that inevitably exist in production systems and products.

Bloomberg BNA:

How did you get your start in cybersecurity and what made you join on as CEO for HackerOne?

Mickos:

The cybersecurity industry has accomplished a lot in the past decade, but it has also struggled with being seen as a separate, isolated industry. To truly achieve security, we must see security as an integral part of the software development lifecycle from start to end. We must see it as positive and constructive action, not a defensive one. This is where HackerOne represents the way of the future.

I have personally been involved in businesses based on openness and collaboration for the past 15 years. Now I get to employ those learnings on the most pressing need of today’s connected society. I get to work with the smartest minds across the globe, and as a result hundreds of millions of people can be a little less worried about cybersecurity. This is why I felt I absolutely had to join HackerOne. It’s a vital mission.