Building Technical Communities With Luke Tucker

Posted on Tuesday, Sep 29, 2020
Luke Tucker is in charge of building the global hacker community at HackerOne, where over 800,000 members gather to help make the Internet more secure. Scott and Luke talk about building and running such a large community spread all over the world.


Episode Transcript

Scott McAllister: Welcome to Page It to the Limit, a podcast where we explore what it takes to run software in production successfully. We cover leading practices used in the software industry to improve both system reliability and the lives of the people supporting those systems.

I’m your host, Scott McAllister, @stmcallister on Twitter. Today, we’re going to talk about building technical communities. Founded in 2012 by four hackers who are passionate about finding vulnerabilities in some of the tech industry’s most prominent companies, Hacker One has grown its community to over 800,000 hackers. Their mission is to empower the world to build a safer internet.

We’re joined today by Luke Tucker, senior director of the Global Hacker Community at Hacker One. Luke, welcome to the show.

Luke Tucker: Thanks for having me.

Scott McAllister: So to get us started, tell us a little bit about yourself and give an overview of Hacker One as a business, and your role specifically.

Luke Tucker: Yeah, happy to. So you did a good intro for Hacker One. We’ve been around for about eight years now. And one of the stats I’m really proud of for our company is we’re crowdsource security. So we connect hackers on one side of a marketplace with companies and organizations on the other side. So we took a model that was championed by the Facebooks and Googles and the Mozilla Firefoxes of the world, and in the early 2000s, and we turned it around to make it accessible for many, many people.

And one of the stats that we love to talk about is how much we’ve paid to hackers. And that number is now over $115 million that, in the eight years since Hacker One was founded, 45 of that has been in the last 12 months, Scott. So it’s pretty crazy to see the growth in this community, the desire and interest from individuals and companies, that are looking to tap into cybersecurity talent, because as probably many of your listeners know, and you might’ve even known we’ve talked about, there’s a massive shortage of skillsets that know and understand security and can do it well. So it really makes a lot of sense to tap into the global workforce.

I’m like a chief talent agent. As the head of community, we’re all about community engagement, retention, and growth of this really incredible group of people. And that’s what we’re about. We want to be the number one place for the world to come to for cybersecurity talent, and we’re well on our way to get there.

Scott McAllister: So you mentioned that you’ve paid out quite a bit of money to hackers. Explain how they get money. How does that work?

Luke Tucker: Yeah, so we send out homing pigeons and then they come back. It’s actually really a fascinating part. For anybody that’s in an early stage startup, I’ll tell a quick little anecdote of how important the payments functionality was in the early days of Hacker One. It’s such a pain point to pay anybody in a country that you’re already headquartered in. But to think of the hundreds of countries in this world, and how crazy it might be to pay someone in Estonia or something, and then to have all the options, and hackers love Hacker One payment mechanisms for them. It’s actually pretty easy. It started with PayPal. PayPal is one of our largest bug bounty customers, and have a huge public program. We just did a massive live hacking event with them virtually earlier this year. With all the tools that are just at their disposal, it removes the pain point from our customer base.

The other thing is swag. I’m sure many developers in your community absolutely love swag. We were talking about some swag that I have on today from a live hacking event. Hackers just eat that stuff up. So I can’t tell you how many times we get hackers that, “Oh, I just want the hoodie.” The hoodie is our quintessential achievement. When you hit a certain milestone on the platform that you’ve hacked enough, you’re going to get recognized for receiving that, or we’ll do many giveaways and things. But those are two basic examples of how, when we pay someone, we obviously have to make sure they’re not what I call the OFAC list, Office of Foreign Assets Control in the United States. We can’t be paying terrorists and things like that. So we help remove any of those pain points for customers and organizations.

And we work with some of the most scrutinizing organizations in the world. You might’ve heard of Hack the Pentagon. That was a Hacker One project closely with the Department of Defense and the Defense Digital Services about a little over four years ago. And our relationship with government, not just the United States government, but UK-based agencies, European Commission, as well as the Singapore Ministry of Defense and others. They trust us. We got the community. We got the ability to pay them, and obviously to send the swag.

Scott McAllister: As a developer, I’ll admit, I mean, I like money. Don’t get me wrong. I like money. But good swag is awesome. And for all you listeners, Luke is wearing this Hacker One shirt that is basically modeled after a soccer jersey. So it has the patch of the event in the upper left breast of the shirt, just like a soccer jersey. And then it says Hacker One across the front, like a good sponsor says. It caught my attention, the moment I saw it. So I can see why swag would definitely speak to your participants. What are some of the myths or misconceptions that you would want to debunk about hacker communities?

Luke Tucker: Yeah. I give a talk where I start off and I just pull up a screenshot image of a Google search. And it’s like, if you ever see those Wired autocomplete interviews with celebrities, and it’s like the Internet’s asking this question, and then they peel off the answer. So it’s kind of like that. But I pull up, and it says like, “Hackers are…” And then Google’s going to show you people in black hoodies and dark rooms with green screens. And it’s funny because we’re joking about the hoodie swag, because community does love it, true to form in that way. But not true to form is people equate hacking with malicious intent. Many people in the Zeitgeist, the term is not equivalent, especially in a Silicon Valley vernacular. If you take an aerial shot of the Facebook headquarters, it says Hacker Way. Hacker, this term, it’s a creative intellectual thinker who enjoys overcoming limitations. That’s the Hacker One definition.

So anybody who self-identifies as a hacker should have a home on Hacker One. We have many cybersecurity enthusiasts, those who come and hack on bug bounty programs, because they’re software. You know, there’s no such thing as perfectly secure software. So a myth is… Hacking is not evil. In fact, we celebrate this achievement. We talk, life hacking is a thing. You Google all these different resources out there to try and find the best way to improve your life and whatnot.

Well at Hacker One, we will never shy away from the term hacker. It’s like if we’re going to sell to these massive enterprises and the governments that I mentioned before, we can’t shy away from that term. We have to embrace it with all we can, and all the great things that come with it. So a myth is, when anybody that you see on the news or in media that references hacking in a negative way, turn it around and be like, “That’s a cyber criminal.” That is not someone who would be represented in the Hacker One Community. And others probably like yourselves, that would identify as, “I’m a hacker,” whether you build or break something, both sides of the community.

And many hackers are developers, not all of them though. You don’t have to understand all the intricacies of how to build software and understand code. You’re going to be benefited by it. But that’s another myth. Everybody thinks like, “Oh, I have to understand all these different aspects of software.” It’s like, honestly, no. You’re reverse engineering in many ways. You’re actually doing some black box testing externally. So if you can just think outside the box, that’s the beauty of a crowdsource model, is it’s creativity from all around the world. We’re better when we do security together. We’re better results when you get the minds in that same room. So that’s a myth. Hacking is not evil.

Scott McAllister: So true. And if you want to take your definition of hacker, I’m very good at the breaking side of it, when you want to talk about software. So you’re the community builder. And the community is gigantic, I mean, 800,000 hackers. Talk about some of the keys to successfully building such a strong technical community.

Luke Tucker: Yeah. I tell the 110/100, to kind of break the community down. So the 800,000 registered user number, it’s a power-law distributed marketplace. So the bigger the community, the sharper the tip is going to be more valuable. So the best talent will come to the top. So I say power-law distributed, because it’s even more acute than Pareto’s Law. It’s like 20% of the people do 80% of the work. In our case, it’s more like the 110/100, meaning out of that 800,000 group, we invest a lot into the educational side. So we have a is anybody who wants to either level up their skills or get started hacking. So they can start from zero and try and get to the Private Bug Bounty Promised Land, where they can earn money.

When they go into these labs, they go to simulated real world environments. And so we invest a ton into education. And that group of people is around 90,000. So that’s about 10% of the overall registered user number. And then we go all the way down to the people that are super active week in, week out. That’s going to be closer to that 1% number. That’s pretty standard in a power-law distributed marketplace.

We have thousands upon thousands of people that are engaged in security work on our platform, 70,000 to 100,000 per month. For any community, it’s all about retention and engagement. So they have the choice. This is a very in-demand skillset. So we are not the only bug bounty platform of choice, but we are the top. So we invest the most in rewarding hackers the best.

So when I mentioned the $115 million, that’s a priority for us. We want to be structured from the beginning, in any ways we engage the hacker community, to pay them top dollar. So when we roll out new products, like pen testing is a new crowdsource pen test model on Hacker One. It’s where pay for effort, versus the Bug Bounty is pay for results. So you could spend 10 hours on a weekend, and maybe you don’t find anything. You’re getting good security research. You’re learning a lot, hopefully. But you’re not actually resulting in valid bugs that are getting paid out, so you’re not getting the reward that way.

That’s the part of the difficulty of Bug Bounty, for people that are just getting started. If you do paid for effort work in pen testing, we’re able to pay that community a much higher clip than any competitors that are out there. And this affords opportunity for those there, the dollar goes a lot further, to pretty much live the life they want with some more predictability in that income stream.

The top bug bounty hunters make hundreds of thousands of dollars a year. This is a very lucrative space, and it’s very accessible for many people that dedicate. A guy on our platform called Space Raccoon, a Singapore-based hacker, he started on Hacker101 learning in December of 2018. And within 18 months, he accelerated up to be one of our most valuable hackers. We’re putting him on billboards and events. He had gone through all the learning material and he accelerated through that.

Now he was also a computer science graduate from Yale. So he had a pretty good stability of technical gifts and turned it into the security space. So I’m always an evangelist, right, Scott. So I’ll tell all your developers, they should moonlight as Bug Bounty hunters, as well as builders. It’ll help make them better developers. It’ll help make them producing more secure software, because that’s really what we need.

So some of those aspects of building, put your community first, and do it from the top down. So if we reward them, we also know they come to us to further their career. So they want to learn. They want to earn. We have the premier CTF solution that’s 24/7 educational. We do some of the best live hacking events and beautiful swag that we can give them. We reward them for their efforts. We do leaderboards. It’s eco enhancement. We do a lot of collaboration. And I could talk more about some things that are very recent, but we’re doing more regional-based community-driven building with leaders in different regions.

So I heard a great stat from a company, Duolingo. They develop English software. And the founder was a Google that just, I think he developed captcha, a brilliant guy. But they have a very small community team. And the way they can do events all around the world is by building leaders in these different regions that just want to get people together to learn. They want to all learn English. So a community is just people that keep getting together, that’s the important part, over a common cause. So they’re all interested in the same thing. And we repeat engagement, is what defines that community. And the long-term sustainable communities are going to have people at the top that are saying, “I’m going to build with you, not for you.”

Scott McAllister: I love what you said there, how a community is a group of people that keep getting together over a common cause, because then you can take that, and it just shatters all boundaries, as far as we all are in communities, we’re all building communities, whether they’re at work or whether they’re in our society, like in our towns and our-

Luke Tucker: I can’t take credit for the quote. If you’re interested in this, and I recommend a book called Get Together by Kai Elmer Sotto, Bailey Richardson, and Kevin Huynh. They run a company called People and Company. And they were at Facebook and eBay and Instagram in the early days. And Kevin, I think, did some cool stuff with Creative Mornings. So they are passionate about community, and they’re some of the experts. So they wrote a book published late last year, and they’ve got some fascinating things to say. Very digestible, very readable, and some of those clairvoyant truths, like that phrase, where it’s just like, “This makes a lot of sense.”

Scott McAllister: Awesome. That’s great. Great recommendation. Thanks. I’ll have to check that one out. So with the community of 800,000, how big is your team at Hacker One that manages this community?

Luke Tucker: So our CEO, Mårten Mickos, always jokes. He says, “Luke, you have the biggest team at Hacker One,” because he’s like, “You got all the hackers,” but our full-time staff’s predominantly focused on community initiatives only, or my team, there’s six of us, including myself. And we also oversee a Discord group of about 30,000 people, primarily built around the educational platform, the Hacker 101 resources. And so we have about 12 part-time moderators that help in that big group. As the health and the purpose in that, communities at scale can go toxic quickly. Communities and social media bring out the best of people and the worst of people. So you always make sure, as you can be inclusive and bring in people outside of your core audience initially, like at the very beginning, when you’re growing the communities, and this is the same for startups too. Get 100 fans, a hundred people that are super passionate fans. That’s the beginning of something special, no matter what it is. A hundred fans.

And going back to, from our community, our team side, we do a lot of events. So COVID really shifted our calendar for 2020 quite a bit. We would be in conferences and doing regional-based work in different universities and schools, and producing live hacking events in exotic places around the world. So my team, give big credit to them. We had to pivot pretty quickly into virtual experiences, but it’s been a positive way.

And I’d encourage anybody listening, as you try and mirror, essentially, some of those experiences you might be doing for your community in the physical space, where it was so rich, it was wonderful to see them, high five them in person, get to break bread and share drinks together. That’s just a rich human experience that you will never replace with any virtual experience, but we could reach more people.

So there’s drawbacks and benefits. And it was a forcing function, where for us, many of our customers that do these live hack events with us, invest a lot of time and money to make it happen for the hacker community. We have to convince them to be able to pivot to the virtual space. And so when you have no choice and you’re like, “Well, we think it’ll work. We think this is going to be great. Let’s try it out.”

There are some great partners with Verizon Media and PayPal. We’ve got some other big events that are coming up. We just announced another one. So that’s just one example of, you can be a small team, and I’m encouraged, and I challenge my team with the Duolingo example. I’m like hey, they had a team of five to six people. And they were putting together 3000 different groups, because you have to develop the leaders. And so for us to scale our reach, we have to reach in and find those ambassadors in the community that can level up. Because if Luke stops coming to the meetup, is it going to keep going? Who’s that person behind me? Leaders develop leaders. And we can’t be just forcing their hands, because it’s not going to have long-term stability.

Scott McAllister: Yeah, absolutely. I manage a local JavaScript user group, and making that shift from the rich personal experience to a virtual experience has been hard. In fact, it’s pretty much non-existent at this point, because we don’t have a way to connect, or that we’ve really taken the effort to do that. So as you’ve hit this new era where we’re less physically in the same spot as we used to be, have the tools changed, or is it more just a shift of thinking, and just saying, “Okay, now it’s virtual, now we’re doing the same thing,” like you said?

Luke Tucker: Yeah. They’ve shifted maybe a bit, or you double down on certain tools. Obviously, we’re a fully distributed team. So from us to get work done, we’re pretty accustomed to that, for how our community interacts with us. We’ve had the longstanding Discord group. We started doing more Twitch. So as a tool, getting out, we started our own Twitch stream.

We have a YouTube channel that’s had a lot of content. We’ve done streams there. We’re very active on Twitter. And we invest in Slack and Discord groups. So our community connects with us that way at scale. And we obviously use tools like Intercom to be able to communicate through our platform with users. So, “Hey, congratulations on this milestone,” or, “Hey, here’s a learning module that you might find valuable,” and obviously anything related to the bounties they receive, or vulnerability reports and comments on reports, because that’s the majority of the comments and the experience of our community comes through the technical staff that’s reviewing the validity of the bug. And that’s either our professional services, like our services team at Hacker One, so triagers that will review it and provide feedback and ship it off to the customer to fix it, or do whatever they need. Or sometimes customers can manage their own program. And so they’re the ones directly interacting.

So that’s actually a majority of their interaction with us comes through that report module when they’re submitting bugs and doing the work. Engagement to us is valid vulnerabilities and bounties, and in terms of pen tests completed, or hours submitted in terms of work, things like that, that we’re measuring. So if our engagement’s there, that doesn’t really change too much, because we’re pretty much operating that way.

In fact, COVID has really driven a significant increase in the interest top line, because people are like, “Well, I’m home now. I’ve always talked about doing this or thought about it. Why not now?” And others that are like, “Well, I have more free time now. My social calendar is pretty much nixed. Might as well go make some money hacking on Hacker One, and build community, build friends.”

And so we’ve invested a lot more into virtual experiences through CTF. When we produce these live hacking events, that production, instead of a physical real estate space, which has all its own complexities of finding the right real estate vendor, getting the wifi, gosh, the wifi in these different places. With 50 to 60 hackers being on a network, trying to roll up their scans, and do what we need to do, you can imagine the bandwidth that’s required to maintain that.

But we’re just spending more money to have partners in a virtual space. I had never used OBS before. If you’re OBS, open broadcasting system, you can be a producer, and manage all these Twitch streamers, basically pull in an OBS feed of your audio and your video. These are things that personally, I don’t have to do as much. My team does more of it. But those are things that we had to learn. So if you have people that are really accustomed to doing physical event planning, that switch over to virtual is a lot of the same kind of ideas to execute, but the actual tools, and the investment, very different. So those are some of the tool answers. And I wrote a blog, a Heavy Bits blog, that we can reference in the materials, that goes through a little bit more of the arrows in the quiver, so to speak, for how we at Hacker One approach communicating and building our community at scale.

Scott McAllister: Yeah. We can definitely add a link to that blog post in our show notes. You mentioned that folks, because of the added time that they’ve had at home, have you seen more, like an uptick in activity in more people, or just people being more active now in the last six months?

Luke Tucker: We have, yeah. I’m trying to pull the actual stats. I think during coronavirus, this is early part of this year, I think new hacker signups increased 59%. Bug report submission, so somebody that found something and submitted what they thought was a valid bug, increased 28%. Organizations paid 29% more bounties in the months immediately following the start of the pandemic than the months before. So those are some just high-level of realities of what we saw at the top level interest. And then the engagement throughput for the community, from a community management standpoint, that’s what we want to see. At the end of the day, our customers come to us to tap into the creative intellectual humans that are on the other side of the marketplace that Hacker One vets and provides a rich reputational graph, so they can go forth and solve more idiosyncratic problems. That’s why they’re with us.

So when we look at valid vulnerability submissions, bounty volume, that means, hey, these vulnerabilities were there already before, and now you’re getting more time and attention there. That’s a really good thing. And that’s actually a challenge. Any company we even work with, they have to communicate to their internal stakeholders of why this bug is a good thing, because we’re actually more secure as a result of Hacker One’s help.

Scott McAllister: What other types of metrics would you use to measure a success of a community? I mean, you’re talking about number of bugs found, or number of people involved. What are some other metrics you would use?

Luke Tucker: Yeah. So when I talk to the team, we measure our community in three primary ways, criticality, consistency, and community. So I want critical reports. I want to increase the impact of the submission. So at the beginning, we mention valid vulnerability volume. If you find a valid bug, hey, that’s a really good thing. Is the bug you found more critical or more impactful or better written than it was last week, last month, last year? So I want to measure the improvement of, and speed of accomplishment of critical… And then I want to know if you’re consistent. If you consistently hack on a target and you’re performing, you’re going to get rewarded for that.

And then the community side is being professional, like the golden rule. Do unto others that you would have them do unto you. I make the joke all the time that having a valid security bug submission, and you put it up on a whiteboard with five different security experts in the room, they’re probably all going to debate, to some extent, the criticality or the nature of it. I’m sure there’s very good developer examples as well. It’s like, “What’s the best way to do this? What is the true impact?” And everyone has their own qualitative opinion. So there’s always that difficulty in the hacker security analyst or customer relationship sometimes. That’s why you work with a platform, to help, hey, we’ve seen lots of these cases. We can help communicate. But we’re looking for those professionals on our platform that get it, that aren’t coming and just demanding or coming selfishly saying from their own way. We help provide some of that.

So when I talk about community, it’s measuring that capacity. And the code of conduct, making sure there’s no violations, making sure they have professionalism, we’re actually tracking more, because we qualitatively look at a lot of the reports. We can say, “Here’s a really good feedback, nice, well-written, incredible proof of concept,” or professional engagement, or responsive. These are qualities that will show forth, and we can actually then track the performance on both sides, because we have a value at Hacker One called Default to Disclosure. And so as much as we can, we want to encourage transparency, because we believe transparency builds trust. And the only way to do security the best way is together. And that’s why Hacker One and Crowdsource Security exist in the first place, and we’re building on top of that innovation. So those are areas that I want to track.

And then we talk about hacker satisfaction. So we do a net promoter score to our entire earning audience or learning audience. So if you’re on our platform and you’re doing CTF or learning modules, or you’re finding bugs and making money, you at some point in the calendar year are going to get a request to fill out a survey, to tell us how we’re doing, to tell us how we can improve, and we measure that in a scientific way. It’s an NPS score, same as what we do on the customer side. And we utilize that to be able to surface up, these are the three primary areas that we, as a product or as a company, need to improve product and service, because it’s not just the technology that they interface with, most of it is human interaction.

Because we’re not there yet as a platform, where we can auto-analyze and get all the beautiful machine learning, so that any bug they submit is going to tell you if it’s good or not. We have some of that baked in at the front, and we’re iterating and adding more nuance as we have the largest vulnerability database, probably in the world, of any company. We’re going to be able to build really fascinating things with that data going forward, but criticality, consistency, community, and the speed of accomplishment of those and the satisfaction scores that we measure.

Scott McAllister: And if somebody wanted to get involved with Hacker One’s community, you mentioned before that there’s the Tell me more about that, and what that helps do.

Luke Tucker: So, CTFs, learning modules, free resources. We’ve got dozens of videos on there produced from members of the community by Hacker One, for free. And you go on. When you do the CTF flags, which are basically simulated real-world bugs, and you find flags, it’s a fun puzzle. You’re going to get invites to private Bug Bounty programs on Hacker One’s platform. So you will see a ticker at the top of your experience that will say, “Hey, two more flags and you’re going to get your first private invite,” which will then allow you to utilize some of those skills you’ve just learned or applied or proven, and then go find bugs in the wild in Bug Bounty programs, which have a policy page, a bounty table. It gives you the lay of the land.

So Hacker 101 is for anybody that wants to either level up their skills, do you want to learn GraphQL hacking? Are you a GraphQL developer, and you want to go test some of your security chops? Well go in. We have a whole learning module for you. Three or four videos, a couple of different libraries of Capture The Flag challenges.

We also do CTFs off Hacker 101 platform for different events all the time. So we’re very active in that space, believe in it strongly, invest heavily as a company, and we’ll continue to in the educational platform, because I think it’s one of the best ways for really anybody to either ease in or come in at the top and prove, because we track going back to that, the speed of accomplishment. I have metrics and reports that will show me if Scott came in and you found three of the hardest flags in the same 48 hour window, you’re going to flag up on reporting and be like, “Oh, hey, let’s get this person more opportunities.” And they’re going to go to a fast track too, because we want to help you develop faster at recognizing talent development. That’s hard in a massive community. So the more we can do that through Hacker 101, the better.

And we have a whole community of people that are learning alongside you. So join the Discord group, chat alongside other hackers, other people that are in various stages of learning, and you can help achieve your goals, whatever you want to do.

Scott McAllister: And this is more of a personal question for me. Is there an age requirement? I have a son who may be very interested in this.

Luke Tucker: Great question. There is not an age requirement to sign up, but just like any laws of the land, in order for someone that’s underage to get paid, you have to go through a legal guardian to ensure that. So there is no age requirement to sign up, but if you’re going to get paid a bounty, then you’ll get to that point and you’ll make sure that you have an adult or a guardian or someone that will be able to vouch for you and go through the same steps as many other things for kids that are underage.

Scott McAllister: For sure, for sure. You might be seeing me sign up in lieu of somebody else then soon. Now Hacker One has an event coming up later in October. You want to talk about that?

Luke Tucker: I would love to. So Security@, which brings together individuals that are interested in security, that are part of the hacker-powered community, to learn all about vulnerability, disclosure, submission, security best practices, running bug bounty programs, vulnerability, disclosure, philosophy, all the things. We’ve had some incredible guests in the past. Go And this is the fourth annual event that we’ve run. It’s virtual this year, just like any events that you’re pretty much experiencing, coming up October, I believe, 20th to the 24th. Depending on the time zone you’re in, it’s going to have some different dates, so they can have access to that material. And of course it will be available thereafter. But register now. We’ve had thousands of people already sign up. And also check out has hacker related resources, that we just did a virtual conference. So Security@, probably pretty soon after we release this content, Scott, they’re going to be able to get on that list and register and participate with people all around the world.

Scott McAllister: Super cool. So we have a tradition on this show, where we have a few recurring questions that we’d like to ask you. And the first is, what’s one thing you wish you would’ve known sooner when it comes to securing software in production?

Luke Tucker: You can also do hacking in test servers.

Scott McAllister: True. True, true. And it’s good, right? It’s good to do it in test first?

Luke Tucker: Depending on the attack surface, that’s our term for basically any app or scope. A lot of times hackers love to test and prod, but it’s going to be a challenge sometimes. So if you can have a simulated environment that is up-to-date, and that is not existing with bugs, because one of the hardest things for hackers is if you have known issues that you haven’t fixed yet, but you throw it out for them to go hack on it, they submit something and they tell you about it. You’re like, “Hey, sorry. I already knew about that. I’m not going to pay you anything.” That’s kind of a crappy experience. So as much as you can have the most up-to-date patched secured stuff in a simulated environment for them to just go ham on and go nuts, the other thing is the more that you can open up the scope so that they can pivot internally and be able to tell you where the real damage is, not just like, “Here, let me bypass your WAF.” That’s not going to be as most interesting for us.

Scott McAllister: And what’s something you’re glad we didn’t ask you about securing software in production?

Luke Tucker: I’m glad you didn’t ask me about when things went wrong.

Scott McAllister: Like with Hacker One, or just with like someone going on a Bug Bounty?

Luke Tucker: No. I mean, we have hundreds of thousands of programs, and thousands upon thousands of hackers. And so just any ingredients over time, when you’ve been a company for eight years, there’s no shortage of challenges and things that can pop up. So I’m glad we didn’t have to go into airing any dirty laundry. Everybody’s got them. Everybody’s got bugs in software, just like there’s bugs in processes. And as we’ve scaled our community and excitement, I’m glad we didn’t have to dive into all that.

Scott McAllister: No problem.

Luke Tucker: What a note to end on there, Scott.

Scott McAllister: Right. As I commonly tell people, “It is software, therefore it has bugs.”

Luke Tucker: No truer words were spoken.

Scott McAllister: Yes. Luke, thank you again for joining us, and for sharing with us about, honestly, the meteoric rise of Hacker One, and the community that you’ve built there. And congratulations on building such a strong and big community. And thanks for sharing that with us.

Luke Tucker: Scott, it’s a pleasure to be here. Thank you.

Scott McAllister: This is Scott McAllister, and I’m wishing you an uneventful day.

That does it for another installment of Page It to the Limit. We’d like to thank our sponsor, PagerDuty, for making this podcast possible. Remember to subscribe to this podcast if you like what you’ve heard. You can find our show notes on, and you can reach us on Twitter at PageIt2theLimit, using the number two. That’s @Pageit2thelimit. Let us know what you think of the show. Thank you so much for joining us. And remember, uneventful days are beautiful days.

Luke Tucker

Luke is an expert in community development and creative marketing and is currently the Senior Director, Global Hacker Community at HackerOne - the leading hacker-powered security platform with the largest community of hackers in the world. Previously at HackerOne, Luke oversaw all B2B content marketing efforts, brand voice and social media management, and educational content development. Prior to HackerOne, he served in several creative and marketing leadership roles at Captricity, Sultan Ventures, and Central Pacific Financial. Luke is active on Twitter under the username @luketucker, and blogs at


Scott McAllister

Scott McAllister is a Developer Advocate for PagerDuty. He has been building web applications in several industries for over a decade. Now he’s helping others learn about a wide range of software-related technologies. When he’s not coding, writing or speaking he enjoys long walks with his wife, skipping rocks with his kids, and is happy whenever Real Salt Lake, Seattle Sounders FC, Manchester City, St. Louis Cardinals, Seattle Mariners, Chicago Bulls, Seattle Storm, Seattle Seahawks, OL Reign FC, St. Louis Blues, Seattle Kraken, Barcelona, Fiorentina, Juventus, Borussia Dortmund or Mainz 05 can manage a win.