I wrote earlier this week about how life is, generally, hard. There’s no question about that.
One of my favorite things about the Internet, and probably the most exciting thing about working in venture capital, is being around people who are working to re-architect the world to make hard things easier. And by easier, I mean: by designing clever social / technical / collaborative hacks that redesign the problem and the solution.
Yesterday, I was out in SF for USV’s semiannual Trust, Safety and Security summit — Brittany runs USV portfolio summits twice a month and one of the ones I don’t miss is this one. It brings together folks working on Trust and Safety issues (everything from fraud, to bullying, to child safety, to privacy) and Security issues (securing offices & servers; defending against hacker attacks, etc.). Everyone learns from everyone else about how to get better at all of these important activities.
Trust, Safety and Security teams are the unsung heroes of every web platform. What they do is largely invisible to end users, and you usually only hear about them when something goes wrong. They are the ones building the internal systems that make it possible to buy from a stranger online, to get into someone’s car, to let your kid use the internet. If web platforms were governments, they would be the legislature, law enforcement, national security, and social services.
Oftentimes at these summits, we bring in outside guests who have particular expertise in some area. At yesterday’s summit, our guest was Alex Rice, formerly head of Product Security at Facebook, and now founder of HackerOne. Side note: it was fascinating to hear about how Facebook bakes security into every product and engineering team — subject for a later post. For today: HackerOne is a fascinating platform that takes something really hard — security testing — and architects it to be (relatively) easy, by incentivizing the identification and closing out of security holes in web applications and open source projects.
The magic of HackerOne is solving for incentives and awkwardness, on both sides (tech cos and security researchers). Security researchers are infamous for finding flaws in web platforms, and then, if the platforms don’t respond and fix it, going public. This is only a semi-effective system, and it’s very adversarial. HackerOne solves for this by letting web platforms sign up (either in public or private) and attract hackers/researchers, and mediating the process of identifying, fixing, and publicizing bugs, and paying out “bug bounties” to the hackers. Platforms get stronger, hackers get paid. In the year that it’s been operating, HackerOne has solved over 5,000 bugs and paid out over $1.6mm in bug bounties.
Thinking about this, it strikes me that there are a few common traits of platforms that successfully re-architect something from hard -> easy:
Structure and incentives: The secret sauce here is mediating the tasks in a new way, and cleverly building incentives for everyone to participate. Companies don’t like to admit they might have security holes. They don’t like to engage with abrasive outside researchers. Email isn’t a very accountable mode of communication for this. But HackerOne is figuring out how to solve for that — if every company has a HackerOne page, there’s nothing to fear about having one. Building a workflow around bug finding / solving / publicizing solves a lot of practical problems (like making payments and getting multi-party sign off on going public). Money that’s small for a big company is big for an individual researcher — one hacker recently earned $20k in bug bounties in a single month, for a single company. Essentially, HackerOne is doing for security bugs what StackOverflow has done for technical Q&A: take a messy, hard, unattractive problem with a not-very-effective solution and re-architect it to be easy, attractive and magical.
Vastly broadening the pool of participants: After the summit, I asked Alex how old the youngest successful bug finder on the platform is. Any guesses? 11. Right: an 11 year old found a security hole in a website and got paid for it. Every successful hard -> easy solution on the internet does this. Another of my favorite examples is CrowdMed, where a community of solvers makes hard medical diagnoses that other specialists could not — 70% of the solvers are not doctors. (They typically solve it with an “oh, my friend has those symptoms; maybe it’s ____” approach, which you can only do at web scale).
Deep personal experience: It takes a lot of subject matter expertise to get these nuances right. It makes sense that Alex was a security specialist, that Joel at StackOverflow has been building developer tools for nearly two decades, and that Jared at CrowdMed was inspired by his own sister’s experience with a rare, difficult-to-diagnose disease. I would like to think that it’s also possible to do this without that deep expertise, but it seems clear that it helps a lot.
The fact that it’s not only possible to make hard things easy, but that smart people everywhere are building things that do it right now, is what gets me going every day.