In November, Uber disclosed that a year earlier, in 2016, hackers stole 57 million driver and rider accounts and that it paid them a $100,000 ransom to delete the information. The breach was reportedly part of Uber’s bug bounty program, wherein it pays hackers to test its software for vulnerabilities. But the amount was exorbitant by typical standards, and the episode has fueled criticism over the bug bounty practice, which is seen by some as funding criminal activity.
At an industry event in San Francisco this week, Marten Mickos, the CEO of HackerOne — which runs Uber’s bug bounty program — answered questions about Uber’s hacking, which is now the subject of at least four lawsuits. His interviewer, cybersecurity reporter Kate Conger, also pressed him on the definition of a good versus bad hacker — and whether there’s much of a difference.
Excerpts from their sit-down follow, edited for length.
KC: For those who don’t know, what does HackerOne do?
MM: The simple truth today is that every single system will get hacked. And the only question is, who do you want to get hacked by? People you trust or criminals? If you choose the former, you swallow that pill, you come to us. We have 160,000 ethical hackers in our network who will hack you within 24 hours. They’ll tell you how they broke in and you’ll pay them a lot of money, but it’s much, much less than if you swallow the other pill.
KC: You were in the news recently and maybe not for the most positive reasons: You administered Uber’s bug bounty program and it got wrist-slapped for [losing the data] of 57 million people and paying out $100,000 to the hacker to keep him quiet. Do you think that behavior muddies the water between ethical hackers and bug bounty programs and bribery?
MM: I’m not here to comment on any particular case. I can note, however, that it hasn’t been shown than 57 million records have been lost forever. They might have been lost for a short time only, but we’ll leave that to others to figure out. But it’s clear that in the world of hacking, if there is intrusion and data exfiltration or extortion, it has nothing to do with ethical hacking or bug bounty programs.
The line there is very clear. We’re very fortunate to run Uber’s bug bounty program and many other really large programs [including for the U.S.] Air Force, Army and Pentagon. So sure, with technology always, it’s the same technology used for good and bad purposes, and technology itself doesn’t have an opinion about what it’s being used for.
KC: So is that the ethical line between a good and bad hacker — data exfiltration? You can break in as long as you don’t take anything?
MM: The difference between the hacker and the criminal is intent. If you’re an ethical hacker and you’re looking for vulnerabilities in order to report them, you must break in. If you have a neighborhood watch and you ask your neighbors to see if they can break into your house, they have to break in to show you that they can do it. Once inside the house, they shouldn’t take anything, though.
The same idea applies [with bounty programs]. [Hackers] have to show that it’s possible to break in. That’s where you get to the question of authorized versus unauthorized conduct, and then again, it’s the owner of the house who decides which is which. When you break into the house, how much do you need to do? Do you need to bring something outside to show it was possible or not? And that’s an individual decision for every customer of ours, who determines what they need as proof. The more proof you need, the deeper the hackers need to go to find it.
KC: In the security industry in particular, a lot of things that are considered best practices seem from the outside sketchy, for lack of a better word. When we were talking earlier about the Uber situation [before the event], you said you felt like Uber averted a lot of risk. Can you talk about what you meant by that?
MM: When you say things look sketchy, things look sketchy when we are fearful, and we are fearful when we have too little information. Once you understand something, it doesn’t look sketchy anymore.
We represent a new model that hasn’t been done, so many people on first blush think that it’s dangerous when it’s actually the opposite. There’s an exact analogy to immunization and vaccines and how they work. The ethical hacking and bug bounty work is the immune system of the internet, so you have to create some of the bad stuff in order to create the defense.
It’s similar here. So when you actually do a bug bounty program, you can have situations where it can escalate or de-escalate. Some of these hackers are no older than 15 . . . [and] there is excitement in the moment. These are hunters; they are hunting for a trophy. And when they find it, they get very excited. And they may in the excitement say something, do something or ask for something that the other side finds problematic. If you then have the ability to de-escalate the situation, everybody will be happy and step by step, everybody will learn the proper conduct. There are many situations where properly managed bug bounty programs will diffuse situations that otherwise could have gotten out of hand.
KC: You recently testified before the Senate. What was that like?
MM: It was fantastic actually. I’ve never done it before, and I’m not even from this country, so it had special meaning for me.
The Senate asked us to testify for them two weeks ago to tell them what bug bounty and vulnerability disclosure programs are. So at the highest level of legislation in this country now, they have an understanding of the importance of hackers, [and know] we need them. We need hackers more than anything else.
But seeing the senators and their staff, the people working there [who are] seemingly underpaid and overworked are so sharp. I sent them one evening probably 20 URLs [along with] all our white papers and studies and literature — everything — and by the morning they’d read it and they had very good questions. And in the hearing, every senator who spoke up said they believed in ethical hacking. They think bug bounty programs are a vital part of security in today’s society.
KC: One of the cool things about the last year, between Russia and these hacker stories, is people finally care about hacking.
Some [of the hackers we work with] are teenage boys and girls today, and they’ll write us and say their life has changed. They bought an apartment for their mother, or they bought a motorbike for themselves. They show up on social media in their HackerOne hoodies. That’s their identity. It’s shaping them into respectable, contributing citizens who take responsibility for the world. It’s amazing to see how these young people stand up when we adults have been screwing up this world.
KC: You’ve told me you try to be frugal. When you’re raising all this money (roughly $75 million to date), where does frugality enter the picture?
MM: Not when you are raising money. No, no. When you are raising money, you talk about the biggest numbers you’ve heard anybody utter. [Laughs.]
You have to remember when you build a company to never believe your own PR and never to believe that you have to spend the money you get from VCs. You can raise a lot of money, but you don’t have to spend it — even when they say you should, which has happened in my career, in a company that went bankrupt.
VCs don’t take as much responsibility for their dollars as they take for their time. So as a CEO, you have to treat it as your own money and spend it wisely.
The world says it’s so inexpensive today to do a startup today and to use open-source software and to run your business in the cloud, and of course you can. Yet you end up paying for all kinds of additional services. We are paying for 150 different software or SaaS packages right now. So you have to watch out who has an account and who can use it for what. You can easily spend all your money without noticing, so you want to be careful — unless you are one of our competitors, in which case, do spend your money. If you run out of cash, that’s fine with me.