
Why I Joined HackerOne as CEO - yarapavan
https://hackerone.com/blog/marten-mickos-why-i-joined-hackerone-as-ceo
======
kybernetyk
Wow, ok. So I took a look at their sales video[0] to figure out what their
product is about. And well ...

Today I learned that people in Siberia don't have mailing addresses - at least
that's what they claim in their sales video. But luckily with Hackerone you
can pay

> [a] security researcher in Siberia who doesn't have a mailing address

...

I find this horribly insulting. (And I'm not even from Russia).

[0] [https://youtu.be/1T6GSa0qPNk?t=99](https://youtu.be/1T6GSa0qPNk?t=99)

~~~
arice
That's me, and I'm quite embarrassed as I never paused to consider how it
could be interpreted.

That was a real story. Shortly after we established Facebook's bug bounty
program, we received several vulnerabilities from a brilliant computer science
student at Tyumen University (in Siberia). His dorm did not accept
international mail, he did not have an accepted government ID (didn't drive),
and figuring out how to pay him was a multiple month ordeal that Facebook's
accounting team was completely not prepared for. It's something that we take
for granted, but international disbursements to _every_ individual with
internet access are actually an extremely challenging and unsolved problem.

~~~
davidu
That's interesting, and a really good answer. Thanks.

------
pinaceae
PR piece.

"Because I want to win in the start-up lottery and cash out." would be more
honest - and there is nothing wrong with that.

but this claim of making the world a better place - oh come on.

~~~
JoeAltmaier
Didn't he already do that? And maybe its some of both - help others, while
looking for a good opportunity for self.

~~~
jamesblonde
He presided over the sale of MySQL to Sun. We, non-VPs, got screwed there. 5
figures for the top developers, 7 for the VPs, 8 for the CEO, and 9 for the
founders!

------
samstave
> _$5 million in bounties has been paid to 2,000 contributing hackers for
> finding over 14,000 vulnerabilities_

That's an average of $357/vuln, or $2,500 per "hacker" -- or if you assume
everyone shared the $357/vuln, that would only equate to $0.17 per hacker per
vuln.

That seems really really low.

What % of the $5MM or the 14K did the top hacker or group take home?

How long is the tail of zero $$ per hacker in the community of the 2K?

(I met the founder on BART some time ago and was trying to get their services
at my last company, and I was literally just this morning thinking about H1 as
I need to have my PII SaaS system evaluated... but I am interested in the
economics of this as well)

~~~
arice
Great questions. We'll line up a more analytical post on the topic, as I don't
know all the answers here, and we all should. In the interim, here are a few
rough, from-memory answers:

> That's an average of $357/vuln

The 14,000 includes resolved bugs where no reward was offered (bounties are
optional, with ~40% of programs not offering any, i.e., "responsible
disclosure", a drop-in replacement for security@company.com). If you reduce
the set to reports where a reward was offered, the average is closer to $750.

> What % of the $5MM or the 14K did the top hacker or group take home?

The top earner last year took $280k.

> How long is the tail of zero $$ per hacker in the community of the 2K?

This is a diverse group. Several hundred are active "hackers" driven
financially. The rest are developers, hobbyists, and technical consumers who just
happened to get curious about something in particular, or even stumbled across
a security problem in passing (this is far more common than you'd reasonably
expect).

