Recently I started doing some work with HackerOne and I thought many of you would find it interesting enough for me to share.
A while back my friend Mårten Mickos joined HackerOne as CEO. Around that time we had lunch and he shared with me more about the company. Mårten has an impressive track record, and I could see why he was so passionate about his new gig.
The idea is pretty neat: HackerOne provides a service where companies (e.g. Uber, Slack, General Motors etc, and even The Pentagon) can provide a bug bounty program that invites hackers to find security flaws in their products and services. The company specifies the scope of the program (e.g. which properties/apps), and hackers are encouraged to find and submit vulnerability reports. When a report is approved, the hacker is often issued a payment.
HackerOne is interesting for a few reasons. Firstly, it is helping to build a safer and more secure world. As we have seen in open source, crowdfunding, and crowdsourcing, a productive and enabled community can deliver great results and expand the scope of operations far beyond that of a single organization. This is such a logical fit when it comes to security as the potential attack surface is growing larger and larger every day as more of our lives move into a digital realm.
What I also love about HackerOne is the opportunity it opens up for those passionate about security. It provides a playground where hackers can safely explore vulnerabilities, report them responsibly, build experience and relationships with security teams at popular companies, and earn some money. Some hackers on HackerOne are earning significant amounts of money (some even doing this full-time), and some are just having a blast on evenings and weekends earning some extra cash while having fun hacking.
I am working with HackerOne on the community strategy and execution side and it has been interesting exploring the different elements of building an engaged community of hackers. One of the things I have learned over the years building communities is that every one is different, and that is very much the case for HackerOne.
More broadly, it is also interesting to see echoes of similar challenges that faced open source in the early days, but now applied to hacking. Back then the world was presented with the open source model in which anyone, anywhere, could contribute their skills and talents to improve software. Many organizations back then were pretty weirded out by this. They worried about their intellectual property, the impact on their customers, losing control, and how they would manage the PR.
Believe it or not, WarGames is not a documentary.
In a similar way, HackerOne is presenting a model in which organizations can tap the talents of a distributed community of hackers. While some organizations will have similar concerns to the ones back in the early days of open source, I am confident we will traverse those. This will be great for the Internet, great for organizations, and great for hackers.
If you are an existing HackerOne user, I would also love to hear your feedback, thoughts, and ideas about how we can build the very best community. Feel free to send me an email to firstname.lastname@example.org – let’s build a powerful, engaged, global community that is making the world more secure and making hackers more successful.