How HackerOne open sources security: one hacker at a time

Mårten Mickos says hacker-powered security is where open source was 15 years ago, but it's moving much faster than open source did.


Few business executives have had as big of an impact on open source as Mårten Mickos, former CEO of MySQL and Eucalyptus and current CEO of HackerOne. While HackerOne might not look much like an open source company, that's kind of the point behind why Mickos wanted to join. No, not to escape open source, but rather to apply some of the lessons learned from his time in open source while learning some new lessons along the way. As he said in an interview, "HackerOne is doing to cybersecurity what Red Hat and MySQL did to software. It is about bringing the power of a vast community in a neatly packaged way to the tech companies and enterprises of the world."


Looking for a new home

In the early days of cloud, Mickos took charge of Eucalyptus, eventually selling it to Hewlett-Packard. When HP split into two entities, Mickos moved on. Or planned to. Though Mickos ultimately looked at 46 different companies, the process for getting there took time because he wasn't interested in just any opportunity:

I was looking for something with a huge business potential and an intellectually intriguing model. It was vital to me that I work for a company with a useful product that makes the world better, not worse. In my research into the various companies, I paid close attention to who the investors were, who were on the board, who the founders were (in the case of startups) and what the company culture was like. Other aspects played in as well. For instance, I was eager to work in a global business and I was eager to learn something new.

That eagerness to learn something new ultimately proved critical to Mickos' job search. As he said, "When I joined MySQL, I knew databases but open source was new to me. When I joined Eucalyptus, I knew open source but cloud software was new to me. With HackerOne, I knew community-driven models and software, but security was new to me." Applying what he already knew to an important market filled with technologies and practices that he didn't yet know made for a delicious proposition.


Open source methodology

In fact, Mickos seems to have stepped into the Wayback Machine by joining HackerOne. As he put it, "When we speak to prospects about bug bounty programs, it can feel like talking to prospects 15 years ago about MySQL and open source." Why? Because the questions and concerns are somewhat similar:

  • What if you run out of contributors? What if you run out of altruism?
  • How can we know that the community can be trusted? What if they try to do something bad?
  • Who will take responsibility for this? What if something goes wrong?
  • Your offering does not fit into our internal policies or the compliance regimes we operate under.
  • Perhaps your solution is useful for hip Silicon Valley startups, but we are an established enterprise, and we don't do those things.
  • We already have an old solution intended to do what your solution does. In what ways is yours superior?

Great questions, but we already know how they were answered in the open source world, and can guess how they'll be answered in the bug bounty world. In Mickos' words, "Today, if you do not use open source software, you are antiquated, and you will fall behind. That same transition is happening with hacker-powered security now, only faster because the problem is more acute."


Like open source, the hacker-powered security model works not because everyone agrees, but because they don't, as Mickos laid out:

It is the power of pooled resources and efforts.... When people work together under a clear governance model, you can outperform any proprietary siloed model. People often think that open source or hacker-powered security can work only if people agree. It is actually the opposite. The power of those models is that they provide a governance framework that allows people who vehemently disagree to work together towards a common goal.... In hacker-powered security, hackers use different methods and arrive at different conclusions, but the platform summarizes everything into a prioritized list for the customer.

It remains to be seen whether HackerOne will follow in the successful footsteps of MySQL, now one of the most popular databases in the world. What is already clear, however, is Mickos' enthusiasm for the challenge. Indeed, the very fact that he comes from outside the security cabal may make him better able to help improve that industry, as he concluded: "Building a disruptive security company requires a certain amount of outsidership. Someone not from the industry will see opportunities that insiders might not."

Given the stakes involved, let's hope he's right.