Open source models are the backbone of the modern internet. Therefore, it’s our duty to defend them. That’s why HackerOne has joined the Node.js Foundation as a member and CEO Marten Mickos has joined its board. Node.js Foundation sat down with Marten to learn more about his vision, mission and why he’s passionate about Node.js and the open source community.
What is HackerOne and how do your offerings intersect with Node.js developers?
HackerOne is the number one vulnerability disclosure and bug bounty platform, helping organizations receive and resolve critical vulnerabilities before they can be exploited. We connect over 140,000 ethical hackers with over 900 organizations like GitHub, New Relic, Riot Games, GitLab, General Motors, U.S. Department of Defense, Uber, LendingClub and Starbucks. As a result, we’ve helped fix over 55,000 vulnerabilities and paid out over $21 million to hackers. We call this “hacker-powered security.”
Openness powers our platform, our infrastructure, and the way in which we engage with our community. Node.js specifically helps power our website and manage JavaScript security issues. We also work with the Node Security Project to assign CVEs for vulnerabilities in Node.js modules. Our approach to security aligns with the goals of all Node.js developers — build secure code that the world can benefit from. Open source and Node.js developers are to thank for the foundation of our connected world. Because of this, we feel we have a responsibility to Node.js and open source developers to help grow their community, while also empowering them to be secure.
How can developers use HackerOne to help them with their jobs?
A developer’s responsibility starts with the first line of code and ends when their development is finally deprecated. Code improves with the addition of every collaborator. Security is no different. Shipping agile code quickly is key in software development. HackerOne is a platform to help developers deploy the most secure code efficiently. Developers can leverage the global community of hackers to identify vulnerabilities in active systems and find resolutions in real time. Simply opening up a channel of communication with hackers can start those conversations. What you learn from vulnerability submissions will make you a better software developer.
What is your company’s overall philosophy when it comes to security and ensuring that we are building code securely now and into the future?
Security happens in the open, not in closed quarters. It happens in collaboration, not in isolation. Security starts with code, not any later in the deployment cycle. When security is open, collaborative and early, it begins to function. As we all know, it is generally not possible to create 100 percent secure code, but it is possible to get very close to 100 percent. And it is always possible to be more secure today than you were yesterday. Security is not a decision or rule or end state. Security is daily diligence.
The HackerOne mission is to empower the world to build a safer internet. An extra set of eyes can help catch bugs that may have otherwise been overlooked. How about an extra 140,000 sets of eyes? Thus far, our community has found and fixed over 55,000 vulnerabilities, including those in open source projects such as GitLab, Open-Xchange, WordPress, Nextcloud, Ruby on Rails, Discourse, Bitwarden, CodeIgniter, Square Open Source, and others. Tapping the global hacker community for help can ensure not only that Node.js code is secure, but also that anything built on top of it is secure. Open source models like Node.js serve as the foundational infrastructure of the internet. We collectively have a responsibility to ensure its security today and beyond. We all have a responsibility to do our part for the greater good of the internet.
How did HackerOne come about and how has it grown over the years?
HackerOne was founded in 2012 by two hackers and security leaders who understood, first hand, the value of working with the hacker community to improve security. Not every company has the expertise, budget, bandwidth and resources to implement home grown programs like Facebook, Microsoft and Google. Organizations ranging from early stage startups to global corporations in every major vertical work with HackerOne and its community to help boost their security. Since 2012, HackerOne has helped over 900 customers resolve nearly 55,000 vulnerabilities and pay out over $21 million to ethical hackers. Our community has grown to the largest in the world — over 140,000 hackers strong.
Why was it important for you to join the Node.js Foundation?
Node.js Foundation’s mission is to foster and grow the Node.js community, who are building the backbone of the internet. Our approach to security is also an open source model — security research and testing through collective community efforts. It’s important for us to help foster a community supplying the code for the web applications that power our connected world while partnering to help ensure it’s secure. Together, we can build a safer internet.
In addition to our work with Node.js Foundation, we founded Internet Bug Bounty (IBB), which is a bug bounty program for core internet infrastructure and free open source software. Bounties are donated and rewarded through donations from companies like Ford Foundation, Facebook, GitHub, Microsoft and HackerOne and determined by a panel of industry leaders and experts. IBB has rewarded more than $630,000 in bounties to 147 friendly hackers for uncovering 656 flaws that have helped improve the security of the Internet, including: WannaCry ($10k), ImageTragick ($7.5k), Heartbleed ($15k), and Shellshock ($20k).
What is your new role on the Node.js Foundation board and what does that entail?
The board sets the goals for the work of the foundation and makes decisions on governance, funding and such. As a member of the board, I will do my best to contribute to great decisions being made timely.
What is the Foundation doing to ensure Node.js will be a sustainable ecosystem for the next five years?
Like with any open source community, the power is truly in the community. No foundation ever built a community. But the foundation is there to provide the infrastructure and home for the most central work in the community. For these reasons, it is important that the foundation acts to encourage and empower community-initiated and community-driven work.
Any interesting projects that you are working on that you are excited about, and want to share with the Node.js community?
Together with Google, we just introduced the Google Play Security Reward Program. Developers of popular Android apps are being invited to start hacker-powered security programs on HackerOne, and Google Play is providing a bonus reward of $1,000 on qualifying vulnerabilities. This is the first program of its kind and demonstrates how an ecosystem, one of the largest in the world, is encouraging developers and partners to work with the hacker community.
You can find the apps that are opted in at the Google Play Security Reward Program page on HackerOne. As more developers opt in, more apps will be listed over time.
If you’re not a Google Play app but are working on an open source project, Node.js or otherwise, and want to work with HackerOne to boost the security of your product(s), check out HackerOne Community Edition.