In September 2017, I created a list of 10 essential bug bounty programs for 2017. Readers with a keen eye to detail might have noticed that nearly half of the companies included in that catalog host their vulnerability research programs, otherwise known as vulnerability disclosure programs and responsible disclosure programs, through HackerOne. A popular bug bounty platform, HackerOne is currently headed by CEO Mårten Mickos.
Mickos was kind enough to sit down with me and discuss his experience in the security industry, his work with HackerOne, and his thoughts on bug bounty programs in general. A record of our conversation is presented below.
David Bisson: How did you first get involved in digital security and vulnerability research?
Mårten Mickos: I had some early curiosity about encryption back in the 1980s. Later in the 1990s when I was involved in producing software for the telecom industry, there were rigorous testing requirements on software. Buyers had specific testing requirements, and vendors delivered reports on the results of those tests.
Then came the web and all the joy of an open global network – the internet – where everyone could share information freely. This era was more ad-hoc. Although testing happened and security was the focus of some, it was not a central part of software development.
About a decade ago, security again started being on everyone’s mind, not the least because of an increase in cyber criminality.
By now, I have seen most sides of this, and for a couple of years now, I have been heads-down in digital security and vulnerability research. It is an exciting topic because we are making so much progress these days. The state of security in online applications and products is miserable, but the trend is turning and we are heading towards better days.
DB: What brought you to HackerOne?
MM: The short answer is that I met with the founders and was immediately sold. The longer story is that I was getting ready for my next career step. I looked at 40+ companies and opportunities. Security was not that high on my list because I had an outdated prejudice that it’s an industry of pessimists who rely on ambulance-chasing and fear-based selling.
Perhaps that was true in the past, but in HackerOne, I found the exact opposite: a powerful value proposition where you pay for results, not for products that may or may not solve your problem. Whereas old security companies are built on secrecy, hacker-powered security is built on openness and collaboration. I realized that this model would soon become indispensable to anyone who develops and deploys software. Here we had something that was addressing the most pressing problem of our digital society in a very productive way. I was also intrigued by how this model provides a way for security experts all over the world to come together and do good… and earn a buck while doing so.
DB: What benefit do you feel HackerOne serves customers over other VRP platforms? The security community?
MM: Great question. I think customers come to HackerOne because we provide the most powerful service in this field. We are fortunate to operate some of the top programs in the world like Hack the Pentagon, Uber, New Relic, Starbucks, Snapchat, Twitter, AirBnB, and General Motors.
We also have the largest marketplace for hacker-powered security and attract the best hackers. We already have over 140,000 hackers signed up on the platform. No single customer needs that many hackers in their program, but thanks to this vast community, we can identify the ones that are best for each customer – whether they need 5, 50, 500 or 5000 hackers. HackerOne also has the widest product portfolio, offering each customer what they need at every step of the journey.
DB: Do you feel there’s a risk that bounty hunters could turn malicious? Please explain.
MM: There certainly are black hats in the world who can cause a lot of damage to companies and government agencies. But there are about three times more white hats, i.e. good hackers who will do the right thing and report the vulnerability to its owner. It is this latter community from which HackerOne draws its hackers.
Criminal hackers don’t wait for an invitation to hack. They come to you uninvited. Indeed, computer criminals don’t sign up with a service like HackerOne because it provides them no benefit. We give no special access or special privilege to our bug hunters. The only way to get a benefit from HackerOne is by doing the right thing: reporting a vulnerability to the owner of the system.
Your question was whether someone who is a white hat at some point could turn black hat. We have not seen that happen. It could perhaps be argued that a zero-day (if you find one) or exploit is worth so much in the black market that a bounty hunter could be tempted into selling it there rather than getting a bounty from the owner of the system or product.
But for some reason, that is not how bug hunters act. I think the main reason is that the skill to find zero-days only comes over several years, and once you have several years of experience, you also have a professional profile that’s tied to your past accomplishments. You have accomplished so much, and often earned so much as a defender, that it does not make sense to risk it all.
And even if you would try to sell a vulnerability in the black market, the risks are high. You may first need to weaponize the vulnerability, i.e. develop an exploit that will use it. That takes time and effort. Once you are ready to sell the vulnerability, another bug hunter may already have reported the same vulnerability to the owner of the system or product. In that case, you have nothing.
So in summary, selling to the black market is a complicated route for a hacker to choose, so they don’t. By submitting their find on HackerOne, they can be certain that they will not be legally prosecuted, and they know they will get the bounty they deserve. Because the criminal activity happens at all times whether you like it or not, the effect of paying a bounty for a vulnerability can only be positive.
DB: Where do you see vulnerability research in the next 5-10 years?
MM: It will be exciting to see all developments in the coming years! Simple vulnerabilities will probably disappear as a category as software engineers develop more secure code and as software frameworks and tools improve. But new types of vulnerabilities will probably emerge. There is nothing such as 100% secure code. There is just software with better security today than yesterday. Every piece of software should be subject to the scrutiny of ethical hackers.
I believe we will see significant advances in how vulnerability information is shared among defenders. By pooling our efforts, we can become more proactive and faster in our reactions to cyber attacks.
We should also expect machine learning and AI to bring new dimensions of benefit to vulnerability research. Of course, we must also be prepared for our adversaries to use ML and AI, so in a way it’s an arms race. Actually, I think that software security always was and is an arms race. You can never be perfect, but you must every day be better than the day before, and you must try to be as fast or faster than the adversaries. When you do that, you can reach a state of high security.
DB: What’s your advice for companies looking to maximize the success of their bug bounty programs in the here and now?
MM: My first piece of advice is: Do not start with a bug bounty program. Start with a vulnerability disclosure program (where you receive vulnerability submissions but you don’t reward them financially). Or start with a crowdsourced pentest. These two forms of hacker-powered security will allow you to get going without getting overwhelmed. Every organization needs to grow into the use of hacker-powered security. We have made sure that you can approach it one step at a time.
When we engage with a new customer, we offer them a fully managed option in which the customer mostly just fixes the vulnerabilities and we handle the rest. As the customer gets up to speed with their program, they can choose to do more in-house. This will increase the interaction with hackers and thereby increase the rate of learning.
For any company or organization that’s looking at hacker-powered security, there are three groups in the company that need to give their blessing. First, top management and those engaged in risk management need to give their blessing to make the program a part of the overall risk management in the company. With many of our most successful customers, the decision to start a program came from the top: the CEO or even the audit committee of the board of directors.
Secondly, you need to have buy-in from the software engineers who will be fixing the security vulnerabilities. When a vulnerability has been triaged and assessed, it can be sent with one click to JIRA or other work management tool that Engineering is using, and when that happens, it is vital that the engineers are committed to prioritizing the fix.
Thirdly, the owner of a bug bounty or vulnerability disclosure program is the security team. Often this is a security team with mandate over all software and IT in the company, and sometimes it is a product security team that works tightly with the product engineers. Whichever it is, the security team is often small and understaffed. We see companies with 20-40 times more software engineers than security engineers. This is again a reminder that the security team must maintain good relations to the engineering teams because the security team is not large enough to handle everything themselves.
When you plan with these things in mind, you are onto a good start. The first step is easy and manageable. As hacker-powered security demonstrates its unparalleled power to you, you can broaden and deepen the program to get even more out of it. The main goal for a customer is to reduce risk. By applying external scrutiny on live software code, the risk of data breach is reduced.
Only Part of the Equation…
As my conversation with Mickos reveals, bug bounty programs are just part of the equation when it comes to organizations’ defense strategies. Companies also need to have solutions in place that can help keep them safe against known vulnerabilities. These tools should, for instance, help businesses detect, manage, and remediate these types of security flaws.