How HackerOne open sources security, one hacker at a time

Few business executives have had as big an impact on open source as Mårten Mickos, former CEO of MySQL and Eucalyptus and current CEO of HackerOne. While HackerOne might not look much like an open source company, that is part of why Mickos wanted to join. No, not to escape open source, but rather to apply some of the lessons learned from his time in open source while learning some new lessons along the way. As he said in an interview, "HackerOne is doing to cybersecurity what Red Hat and MySQL did to software. It is about bringing the power of a vast community in a neatly packaged way to the tech companies and enterprises of the world."


Looking for a new home

In the early days of cloud, Mickos took charge of Eucalyptus, eventually selling it to Hewlett-Packard. When HP split into two entities, Mickos moved on. Or planned to. Though Mickos ultimately looked at 46 different companies, the process for getting there took time because he wasn't interested in just any opportunity:

That eagerness to learn something new ultimately proved critical to Mickos' search. As he said, "When I joined MySQL, I knew databases but open source was new to me. When I joined Eucalyptus, I knew open source but cloud software was new to me. With HackerOne, I knew community-driven models and software, but security was new to me." Applying what he already knew to an important market filled with technologies and practices that he didn't know made for a delicious proposition.


Open source methodology

In fact, Mickos seems to have stepped into the Wayback Machine by joining HackerOne. As he put it, "When we speak to prospects about bug bounty programs, it can feel like talking to prospects 15 years ago about MySQL and open source." Why? Because the questions and concerns are somewhat similar:

Great questions, but we already know how they were answered in the open source world, and can guess how they'll be answered in the bug bounty world. In Mickos' words, "Today, if you do not use open source software, you are antiquated, and you will fall behind. That same transition is happening with hacker-powered security now, only faster because the problem is more acute."


Like open source, the hacker-powered security model works not because everyone agrees, but because they don't, as Mickos laid out:

It remains to be seen whether HackerOne will follow in the successful footsteps of MySQL, now one of the most popular databases in the world. What is already clear, however, is Mickos' enthusiasm for the challenge. Indeed, the very fact that he comes from outside the security cabal may make him better able to help improve that industry, as he concluded: "Building a disruptive security company requires a certain amount of outsidership. Someone not from the industry will see opportunities that insiders might not."

Given the stakes involved, let's hope he's right.
