To the board of HackerOne

I would love to be CEO of HackerOne. The company is addressing one of the

most significant challenges of the digital civilization.
I am stoked by the opportunity and know I can do a great job. The company has a wonderful team
and an excellent start. With the right strategy and strong execution, HackerOne can win in its
category and become a major force in the software security space.

Growth and success should come early and the loftier goals will take 5-10 years to achieve. No
success is easy; this one is doable. It is exciting. I want to empower the world to build a safer
internet.

Vunerabilities
The great promise of the civilization of the 21 st century is that everything becomes software-defined.
But as that happens, the notion of a “vulnerability” expands from being one mechanical threat
among many threats for a small number of companies to an every-day threat that may occur in any
systems and affect all of mankind. Vulnerabilities become a worry for every citizen, and this may
slow down the necessary developments that are under way. HackerOne brings the best possible
cure: the explorative ingenuity of responsible hackers around the world. HackerOne enables hackers
to choose responsibility over irresponsibility, building a safe and sound digital society.

Company culture
The company is purpose-driven and has a culture of integrity, transparency, equality and
accountability. Integrity and trust is paramount. HackerOne is a marketplace for responsible
enterprises requesting the help of responsible hackers. Both sides must be able to completely trust
their middleman.

Strategy
Current assumptions and strategic decisions:
 the time is NOW for building the business
 in the world and in this particular industry segment, the aggregated good intents will
outmaneuver the bad ones
 network effects are at work, so it is a landgrab game and HackerOne’s success hinges on
capturing the best customers quickly
 a freemium model will work best
 the maturity of various customers to do this varies greatly, so go-to-market needs to focus
first on the customer categories that are prepared: companies with a large attack surface
and a lot at stake, perhaps most typically public companies with broad B2C activity plus
some non-public cloud-native companies
 for this strategy, the SaaS offering is vital
 within the SaaS offering, the “relevance engine” is vital (assigning relevance to vulnerability
reports and to hackers, and figuring out a “certification level” for customers)
 it is important that the usage of the SaaS offering does not require too much professional
services (which would skew the business model towards services that don’t scale that well)
  over time and with growing success, it will be important to keep a close eye on adjacent
market segments – perhaps entering some of them and at a minimum making sure that they
cannot outshine the segment where HackerOne operates

Why?
I believe that my excitement about the role is also a description of why I am a good fit for the role:
 Vulnerabilities in publicly facing computer systems is one of the greatest challenges that our
digital mankind is currently facing. HackerOne is an ingenious response to that challenge. It’s
a model that needs to get built and a story that needs to get told. That’s stimulating.
 The market category and the business model are new, and the HackerOne business can be
disruptive and highly scalable.
 In this business, you get to work with some of the best people – both within the company
and among customers and partners.
 The founding and early team of HackerOne has established a compelling company culture.
 This is a model where good outshines bad and where intelligent hackers are given an
opportunity to do good and be recognized for that.
 Due to the nature of the category, selling this offering to enterprises must be based on full
trust and transparency.

Me - Marten
This is an opportunity where my core skills are needed (leadership and building a team, disruptive
business strategies, telling a story, dealing with hacker communities, building trust with enterprises,
building a functioning software offering, operationalizing and growing the organization, etc.) while I
also get to learn a new industry category: software security.

To figure out what kind of leader I am, check out my leadership blog, the School of Herring:
http://schoolofherring.com/

Success
How will we know success?
 signing up customers that matter
 engaging the signed-up customers in real activity
 getting paid well and continuously by good customers
 signing up hackers who matter

As an early thought, 2016 should see a 3X growth in signed-up customers and 4X in sales bookings
compared to 2015.

Actions
If I were the CEO of HackerOne, this is what I would initially focus on, largely in this order:
 Customers – always a top priority
 Employees. Getting to know everyone and working on strengthening company culture and
operational efficiency.
 Management team. Building cohesion in the team, and pursuing new hires as needed.
 The SaaS platform. Doing the hires needed. Reviewing and validating plans. Getting
customer input. Planning and making projections. Driving this initiative with vigor.
  Strategy, story, value prop, product marketing. Getting those things in shape (and perhaps
they already are)
 Customer Success. Understanding the customer lifecycle at HackerOne. Establishing the
services needed. Ensuring that customers get value as soon as possible out of the offering.
Hiring, if needed, for this team.
 Outbound activity. Talking to customers, talking to the public. Spreading the gospel and
ensuring that HackerOne is seen as THE place to go to.
 The hackers. Understanding who they are and what they react positively to. Figuring out
how to build the strongest hacker community in the world.
 Finance, operations and analytics. Ensuring that the company spends its pennies wisely,
that operations are as frictionless as possible, and that the organization produces timely
reports of everything that goes on.
 Board. Working with the board on strategy, management team composition, and other key
topics.
 Self-security. Making sure that the company is well prepared for all the hacks and attacks
that it and its systems inevitably will be the target of.

I am eager to hear input on my thoughts above. They are early thoughts, I may have misunderstood
something, and the thoughts will certainly evolve over time.

Mårten Mickos
eager to be the CEO of HackerOne