Careers & People
8/23/2017
02:00 PM
Vincent Liu
Commentary

The Changing Face & Reach of Bug Bounties

HackerOne CEO Mårten Mickos reflects on the impact of vulnerability disclosure on today's security landscape and leadership.

Bishop Fox's Vincent Liu sat down recently with Mårten Mickos, CEO of the popular bug bounty platform HackerOne. In a wide-ranging conversation, Mickos shared his views about the changing face and reach of bug bounties, and what it takes to be a leader in the security industry today. We excerpt highlights below. You can read the full text here.

Fifth in a series of interviews with cybersecurity experts by cybersecurity experts.

Vincent Liu: Vulnerability disclosure [is] something that has grown organically over time. The community determined the social norms. How do you make security something that everyone can grasp?

Mårten Mickos: First, I sense orthodoxy in complex terminology. In the database industry [where I got my start], they developed complex words for everything because it was a small, tightly knit group. In the security space, it was similar. But then we thought, we need to bring the benefits of this to everybody. We needed bug bounty programs to be so easy to understand and to consume that any company could do it. And of course, it is demanding. You must commit to it; you must know what you are doing. There is a necessary skill level, but you don't have to overcomplicate it. You should simplify it.

VL: Something that really stuck with me was that you expanded your team to not just people from the security industry but people from other disciplines. What's your philosophy behind that?

MM: This idea of inclusiveness is something I learned and practiced while working at MySQL years ago. We decided early on that our mission was to make this superior database technology available and affordable for all — people who were in the industry as well as people who were not in the industry. We wanted to give it to everybody. When I came aboard to HackerOne, I had a similar thought. Security experts over the years had created this amazing concept of vulnerability disclosure, which as you know evolved into bug bounty. But it was still being kept as a secret practice among a select few, the "elite." Not many organizations were bothering with bug bounties. I think we are still finding new areas where there's unnecessary complexity or seclusion, where people are holding on to things very tight. They say, "Only invited people can come. And you can only come if you speak this language, if you've been in the industry for 20 years, if you’re cynical." We want to break that perception. This is largely why we've been so open to inviting people from other industries to join HackerOne. It's reflective of both our platform and our culture.

VL: Are there any other orthodoxies that could use some updating?

MM: Another would be visual appearance. We introduced pink into our color palette last year. We wanted to bring in something that would be unusual and maybe shocking. We've also decided at HackerOne not to be cynical. We don't talk about how security is a problem. People know that the sky is falling. But instead of dwelling on that, let's look at the constructive things we can do.

VL: How do you envision the impact of bug bounty on the entire security landscape?

MM: Let's say you get hacked. Then, the government presses charges against the hackers, and you start a bug bounty program to make sure you know about vulnerabilities before they're exploited. Alternatively, you can start the bug bounty program and save yourself from any pain and humiliation in the first place. There is no perfect solution, though. We can never reach 100% perfection, but bug bounty programs are the most powerful way of preventing cybercrime.

VL: Do you think there will ever be a backlash against a bug bounty? What about from malicious hackers?

MM: If you have no detractors, you are not making an impact. We will have situations where a malicious hacker will do something. As a vendor, we must be careful how we handle such issues. We need to keep our database secure. We follow up with our hackers and take disciplinary action if they are meandering from the rules.

PERSONALITY BYTES

HackerOne CEO Mårten Mickos

On leadership: A leader needs to bring to the organization a certain level of confidence and stability in the face of fluctuating realities. A leader must lend confidence and balance to the situation. In security, there are so many possible threats. Leadership must provide that environment of stability, of confidence, of acceptance. People will know that even when they make a mistake, they are still accepted, no matter what.

Advice lines: As far as resources, I'd choose Ryan McGeehan’s blog. He's a security expert with clear ideas. As far as challenges, security is so important that you can't delegate it to one person ... [and] make sure there is security in everything. We often sacrificed security for ease of use. Ease of use is important, but security is more so. Then, there is the problem every CEO faces, which is that of priorities.... I say start small. Embed a little bit of security in everything you do.

Transparency versus paranoia: [At] HackerOne, we stand for inclusion, collaboration, and power. And that is a more prominent presence than paranoia. We default to disclosure. Many times, we share things that another company would keep in the C-suite. Growing up in Scandinavia, which is ostensibly the most open society, and working in open source for 15 years, made me comfortable with transparency. And I believe transparency is the only way for society to thrive.

Bio: Mårten Mickos is the CEO of bug bounty and vulnerability coordination platform HackerOne, Inc. Previously, Mickos was the CEO of Eucalyptus Systems, acquired by Hewlett-Packard, where he was the head of the cloud business. He was the MySQL AB CEO from 2001 to 2008 and a board member of Nokia from 2012 to 2015. Mårten is a thought leader on leadership and disruptive business models.


Vincent Liu (CISSP) is a Partner at Bishop Fox, a cyber security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm management, client matters, and strategy consulting. Vincent is a ...
Comments
Joe Stanganelli, 8/26/2017 | 10:08:56 AM
Target
"If you have no detractors, you are not making an impact."

Well, sure, but no need to make yourself a bigger target than necessary.

Allow me to step outside the bug bounty context of InfoSec for a moment. Sony always comes to mind as the example of this -- when the company got the brilliant idea to sue a 13-year-old hacker for modifying his PlayStation.

In what universe does that NOT invite mass attacks for months on end?!?