by Swapnil Bhartiya

How hackers are making products safer

Jul 22, 2016

Jono Bacon talks about HackerOne, a platform that helps companies secure their software by opening it up to hackers.

Jono Bacon, the former community manager of Ubuntu, recently left GitHub (his second job since leaving Canonical) to start his own consulting firm. He is currently working with HackerOne, which just announced its Hack the World competition. I spoke with Bacon about HackerOne, his role with the organization and the competition. Following is an edited version of the interview.

What exactly is HackerOne?

The idea is simple: companies want to ensure their products and services are secure. HackerOne provides a platform where hackers can safely hack those products/services to find vulnerabilities, submit them, and potentially earn a bounty for their work.

In much the same way open source disrupted the software development model by enabling a global community of developers to work together, HackerOne is enabling a global community of hackers to make the Internet a safer place, grow their skills/reputation safely, and earn some money. It maps particularly well to security as the community can cover a broader attack surface than any individual company could.

Currently HackerOne has 550+ customers, has paid over $8.9 million in bounties, and fixed over 25,000 vulnerabilities, which makes for a safer internet.

How are you associated with HackerOne?

I run a community strategy and management consultancy practice and a while back my friend Mårten Mickos joined HackerOne as their new CEO. He brought me in to help grow the HackerOne community and make it the most fulfilling, productive hacker community in the world.

I started working with the team and have been having a blast. The HackerOne team are a pleasure to work with, wicked smart, and are doing great work. There is a bright future ahead for the company.

How do they pick projects?

HackerOne is a platform that any organization can use, and I believe the majority of companies come to HackerOne to provision it for their products.

HackerOne has a large directory of programs. This includes Uber, Adobe, GitHub, Square, Slack, Dropbox, GM, Twitter, Yahoo!, and many more. Hackers can simply explore the programs available and start hacking on them and earning bounties.

What is pretty awesome here is that it offers a rounded set of benefits for hackers. They can (1) safely submit vulnerabilities and work with security teams, (2) learn and experiment with new hacking methodologies, also safely, (3) build experience and knowledge, (4) develop a reputation, and (5) earn some cold hard cash!

Is it about software, or beyond that?

HackerOne can be used by any organization that can expose their products to hackers. Now, some products are particularly well suited to this, for example, web applications, as they are always available. Some other products are certainly valid, but may be a little more work for hackers to find vulnerabilities (e.g. mobile apps, core infrastructure, etc.).

Fundamentally though, pretty much any software or service can benefit from being on the platform and we want to ensure it is as simple as possible for hackers to hack on fun and rewarding programs and companies to efficiently get the benefits of hackers on their products and services to make them more secure, faster.

Can you talk about some of the big projects HackerOne is working on?

There is lots of awesome work going on at HackerOne that is focused on the broader community experience. I am a firm believer that building communities is an end-to-end function, and we need to ensure that every step in the process is well defined, crisply scoped, intuitive and rewarding.

There are lots of projects going on, but we are not quite ready to share them. So, stay tuned!

Is there any open source angle here?

Open source is at the heart and soul of HackerOne. The company is founded by fans of open source, by leaders in open source, and many open source projects are using HackerOne as part of the Internet Bug Bounty.

We are not stopping there, though, so again, stay tuned!

Do they run any competitions to attract more developers?

Yes indeed. We just launched our new competition, Hack The World 2016, where new and existing hackers alike are invited to hack on programs and can win cash, gadgets, awesome limited edition swag, and some impressive bragging rights.

What is neat about Hack The World is that it provides a fun, competitive challenge to drive the most reputation from great report submissions. So sure, there are some great prizes and cash to be won (and some just awesome looking swag), but the bragging rights are going to be intense. It will help to showcase some of the best hackers in the world.

Hack The World is also a great chance for new hackers to get started, and we even give away a free copy of Peter Yaworski’s Web Hacking 101 e-book (worth $10) for people getting involved in HackerOne.