From The Front Lines: Marten Mickos (HackerOne)
The Bowery Capital team is embarking on a ten week journey to cover B2B Marketplaces. We are doing deep dives on various companies, interviewing founders and investors, and learning what it takes to build success in the B2B Marketplace arena. Below is a part of our content series focused on insights from the people shaping the next generation of marketplace leaders. This week, Marten Mickos, CEO of HackerOne, answers some of our questions. You can read all of the posts in our series by going here.
HackerOne is the leading hacker-powered security marketplace, matching global hacking talent with top-tier enterprise clients. To date, HackerOne has raised over $100 million in venture funding and its platform is helping companies leverage hackers from around the world to identify potential issues before bad actors can exploit them.
HackerOne is a really interesting concept – what initially inspired you to create a bug bounty marketplace?
Security research had been oppressed for far too long. There were many factors at play, but most importantly, concerns around legality made it often unsafe for hackers to perform security research with the goal of improving a system’s security. The vendor they would try to help either ignored their helpful input, or worse, called in the FBI. Ten years ago, you would go to jail for finding a vulnerability in your bank’s software systems. Today, hackers earn big bounties by responsibly reporting vulnerabilities to banks like Goldman Sachs.
We experienced this firsthand via an experiment that we called the Hack 100. We found software vulnerabilities in over 100 companies and tried to responsibly report them to these companies so the bugs could get fixed. Finding the right person to disclose vulnerabilities proved to be hard. About a third of the companies never responded, and never fixed the vulnerability.
We knew that there were so many more hackers out there that found vulnerabilities every day. For many, the risk they would be exposing themselves to by trying to report it led them to remain quiet. There was so much untapped potential out there that was getting silenced unnecessarily!
We created HackerOne to function as a safe place where hackers and organizations can collaborate and where the human creativity and persistence of hackers is valued. We empower the world to build trust in our digital society.
How did you prioritize on-boarding supply (hackers) vs. on-boarding demand (corporates) when trying to get initial traction?
We launched HackerOne alongside the Internet Bug Bounty, a bug bounty program that focused on free open source software that often forms the core infrastructure of the internet. Think of software like nginx, OpenSSL, or programming languages like Ruby, PHP and Python. The program’s bounties were funded by Microsoft, Facebook and ourselves. Because this software was getting a lot of scrutiny already due to their open source nature, we put ourselves in front of an existing talent pool of both professional and hobbyist security researchers. This helped recruit an initial set of loyal hackers that were starting to enjoy sizable rewards for their work on breaking free open source software.
We knew it would take a lot of collective hacking talent in order to realize our envisioned solution of hacker-powered security. We figured out early on that the more bounties we pay, the more hackers sign up. So, we did everything we could to flood the marketplace with liquidity. This triggered a flywheel effect: more customers led to more bounties paid to hackers. The more opportunity there was for hackers, the more hackers signed up, which in turn unlocked more demand from customers. Until this day we continue to be maniacally focused on our North Star: the amount of money paid to hackers. A perfect numerical representation of value exchanged between hackers and customers, of which we are the facilitator. In May 2020, we crossed the mark of $100,000,000 in bounties paid to hackers. And the rate keeps increasing, just last week alone we paid $3.4 million to hackers.
What was your strategy for recruiting the supply side of your market (e.g., hacking talent)? How did you decide between focusing towards bringing on solo operators vs. cyber security firms that might be doing this work in a more formalized way?
Two of the founders of HackerOne are hackers themselves, so it was obvious to them that there is a practically unlimited potential among whitehats in the world. Cyber security firms have their strategies and often their outdated principles. Hackers can be engaged immediately and put to productive work without delay, outperforming all traditional methods and technologies. Whenever we have a debate about which side of the two-sided marketplace is more important, we arrive at the same conclusion. The money comes of course from the customers, but the power of the business model comes from the hackers. So, it is hackers first. That is why the company is called HackerOne and not EnterpriseOne. We have a conviction that the platform that pays out the most rewards to hackers will also attract the best hackers, and the platform with the best hackers will attract the best customers.
Was there a particular strategy or event that you found really spurred on platform adoption on the hacker side of the marketplace? What about on the corporate side?
With the hackers it is a question of community building. As noted above, you must be the one paying out more rewards than anyone else. But you must also have a software platform that hackers enjoy using. You must feed their competitive desires with leaderboards and competitions. You need to provide education and opportunities for social interaction and sharing of best practices. You need to be clear on principles and rules, judging fairly whenever there is a conflict or misunderstanding between company and hacker. And as a company, you have to be hackerish – diverse, optimistic, mission-driven, and so on.
Many B2B marketplaces need to do ‘unscalable’ things in the early years to get the traction required to have the opportunity to scale later on – can you remember any of the more inventive approaches you had to take in the early years to get liquidity onto the HackerOne marketplace?
We do a lot of things that are unscalable, because we have a conviction that anything can scale once you get the hang of it. We give hackers individual support, and so we learn what their most common problems or concerns are. We arrange live hacking events that are for the best of the best. The events don’t scale that well, but every event is followed by thousands (or perhaps tens of thousands) of hackers around the world who thereby get inspiration to become better and one day qualify for such an event.
How do corporates establish price in the bug bounty marketplace? Is it purely set on the demand side, or can hackers with a certain reputation use the market to ‘rent’ themselves out at a set fee?
Conceptually it is a little like Airbnb pricing. As the Airbnb host you can set your own price, but Airbnb will also give you very concrete guidelines on the going market rate for your type of property in your type of location and varying by season and time. Same with HackerOne. Customers can set their bounty tables freely, but we give them solid advice on this, and most of the time they follow our recommendations. We have paid out something like 50,000 individual bounties by now, so we have sufficient data to make useful predictions and recommendations.
What tactics do you employ to keep ‘transactions’ on the platform (e.g., how can you prevent a hacker/corporate taking their business ‘offline’ and going around HackerOne to avoid paying a take rate)?
We believe that marketplaces need to be open in order to be attractive. A reason for a hacker or customer to stick with us is that they know they can “flee” at any moment if they think they have a reason to. It is like with banks – we deposit money there because we know we can immediately withdraw them without advanced notice. At the same time, there are many functions that make it beneficial for a hacker or customer to keep their account going with us.
How have you seen the types of bugs companies are using HackerOne to identify change as the platform has matured?
I would say it is not a function of how the HackerOne platform matures. It is a function of how software is developed and deployed, how the customers mature, and to some degree how the hackers mature and improve their skills. Early on with new customers, we find a lot of low-hanging fruit. Later, the focus is on higher-severity vulnerabilities. But every company keeps deploying new code all the time, so actually there will always be low-hanging fruit to find.
If you liked “From The Front Lines: Marten Mickos (HackerOne)” and want to read more content from the Bowery Capital Team, check out other relevant posts from the Bowery Capital Blog. Look out for more content on B2B Marketplaces from us in the coming weeks.