
A
In this lessons episode, explore what drives secure and scalable open source businesses amid growing cyber risks. Discover why security depends more on culture and investment than open or closed models. Understand how customer led product development enables early enterprise adoption and uncover how impact, growth and community attract and retain top technical talent.
B
The other thing that I think about when I think about open source is you've built this community of people that are always like pressure testing your software. Talk to me about security, talk to me about why open source. I've watched a couple other interviews you're in and just the security point I think is important, more important than ever before with the amount of people that do get compromised. So when you roll this out and when you build an open source project, is it more secure than a closed source?
C
Yeah, that's a great question. I think, you know, it's many things. It's not just the open or closed model, right? It's the investment on security. It's, you know, your internal process. Security doesn't come down to, you know, one or two things. The way that, you know, think about, there's sort of three principles to think about in security. One is nothing is secure. There's always going to be vulnerabilities. All you can do is kind of move those around. So that's, that's one. And when you're open source software, you have a lot of visibility and your customers are very motivated to work with you on security. Everyone runs the secure customers. We're in public sector, we're in like US Air Force, right? There's like 20,000 US air crews that rely on Mattermost in order to fly planes. And the security and the rigor that we go through is at that level. And then you'll find us in many communities that have very, very high security standards. So I think that community and that understanding that yeah, all software is vulnerable, we've got transparency and people can report to us and we have a system to address that. That's all super important. So I think that's one on security that is for the open source model. I think the second is really about, there's a second principle, which is the effort that goes behind a breach, right? That goes behind an attack is proportional to the value of that breach. So what that means is, you know, if you can think of like, hey, I've got everything in this giant cloud system, like everyone in the world uses this cloud. Great, guess what? There's going to be like an infinite amount of like resources that will be dedicated to breaching that like mega fortress, right? And all they need is a crack in the armor and they're going to be going after it. What open source and self hosting lets you do, we can do either cloud or self hosting, but what it lets you do is go, is put that behind your own defenses, right? 
So one, your data is not mixed in with all these other, you know, honeypot targets you've got, you know, your stuff is off the side and it's behind all your other security. And the only people that are breaching it are the people that want to breach you, not breaching you by accident by hitting somebody else. So I think that's the second piece and then the third is really just about the dedication to security. So one thing that I'm actually personally proud of is our security team and how it works with, how it works with the community. We just brought on a wonderful person, Jerry Perello, who is the former CISO of the New York Stock Exchange, as an advisor. So, you know, that's just an example of how much we care about security. And he, you know, he doesn't hold back, you know, on his opinions and what we need to do. And it's super helpful. And what I'm really proud of is just a little while ago we discovered as we're. Because we vet all the software that kind of comes into Mattermost and we vet it very carefully as we're vetting a certain library for SSO SAML authentication. We, we found a vulnerability in the Golang language itself in the XML parser and this. And we're like, wait, this can't be true. And we looked at it and we're like, oh crap, this is true. That never went into, we were never exposed to that vulnerability. Our customers are not exposed to that vulnerability. But there were a lot of other people that use Golang and use SAML SSO that had a vulnerability. It took us three months working with the Golang team and working with the downstream libraries to figure out how do we do a coordinated disclosure. So the coordinated disclosure is tell the like, we created the patch Mattermost itself, not the Golang, you know, folks, but we created the patch itself. We created, you know, a reference for, for how to fix it. We went through a very time series. We told the downstream libraries, we got them to prepare patches. 
We told the people, private and public companies and government institutions that were exposed to this vulnerability that was there so that they can fix it quickly. And then we did a public disclosure. So we did it in a responsible way. We cascaded it, we gave people time, let people know, it was important and this was a big deal like it would, you know, one of the tech giants, you know, had to, had a delay, one of almost had to delay one of their launches because of, because of this issue. So, you know, that's what it means to be part of the security community and really participate in not only the safety of our products and our customers, but of the general software community itself. So I think when you think about, you know, what it means to be great at security, I think it's not one or the other, it's about, you know, how do you, what is the whole story about your investment security also the fact that keeps things safe.
B
I was going to say it's also the fact that it comes down to the culture of the company and where you put your focus and attention too. So, you know, I think it's probably less about closed versus open and more about how forward thinking and looking the company is and where they want to spend their time and attention. I think that both, both could. But if somebody is so, so hyper focused on building the best possible solution and is so hyper focused on security all the time, like you said, like you're probably, you're probably leading the way in some security and some of the things you do for security that any other company could do, but you're doing it just because it's a focus of yours. That's sort of the takeaway that I get, but I want to, I want to pivot. So now we've spoken about like the, the, the, the engineering side of the business, but also, you know, the fact that you landed large enterprise customers starting a new company is also very impressive. So when you're taking a product like this to market, you just casually said, we landed an enterprise customer.
C
A lot of people would love that.
B
To happen to them when they're trying to take a new SaaS product to market. So how do you take a product like this to market? You, you understand you've solved a problem that you have, but how do you identify your ICP, your buyer persona? How do you go in and how do you sell that first version when you have no other customers? What was your, what was your first customer strategy? How did that close?
C
It's really about building something that people want. I think there's, you know, there's a simple algorithm to teach at YC which is like, you know, talk to customers, build product, you know, exercise and exercise basically stay healthy. Right? And that's, that's so important because like people can burn out, but talk to customers and build product, like that's the loop. And I think what happens is people don't realize how powerful that is. And talking to customers and just like well, hey, you came to our website. You know, we open source Slack. Well, why open source Slack? And it's like, oh, we need this for, like, data privacy, like, full stop. And we need this SSO feature and we need, we need this. It's like, would you pay for that? Yeah, we'll pay for that. Like, that's it. Like, that's the market discovery. Just, you know, put something on the web. Create. Like, we use Discourse as a form. So we like people to talk back and forth. You know, we email, hey, contact us form. And people just felt the contact us form maybe like, okay, well here's, here's what I want to know. Like, why, why, why are you interested in Mattermost? And like, and then you put that down the dropdown list. Oh, it's a HipChat replacement. Oh, it's for like, you know, we have, we're deployed, the free version. We want to get, you know, these paid features. So it just conversations. And as you have more conversations, you can, you can speed the conversations, you can have them, you can categorize things. So just don't stop talking to customers and then don't stop building product. And then, you know, always stay healthy. That's really important. And do those three things. It's magical how quickly you can move. I think people, they get, especially in the early stages, they get very distracted. They're like, oh, should I be speaking at a conference? Oh, should I be talking to investors? We spent very little time talking to investors and everything. 
Just, you know, and the thing is, investors don't really want to talk to. I mean, yeah, they want to kind of talk to the founders, but they really want to do is talk to your customers.
B
Right?
C
So then, you know, whatever logo list you've got on your website, they're going, they're back channeling. They're like, okay, what do you, why do you use it? Why'd you buy that? And then when they, the good investors, when they're ready to talk to the founders, they already have the context. So just build a great business and don't worry about like networking and speaking and just talk to customers. Build the product and the feedback loop for that. Yeah, yeah.
B
When you're scaling up and you're technical yourself. But one of the things that I thought was interesting and one of the things that is interesting now, at least for me, because I came from a SaaS company where we had a lot of, we had a lot of difficulty with this, but hiring great talent and most importantly, development talent as a startup, when these are just obviously like these are numbers that I can't verify. But you know you see the, the Netflixes of the world paying 300,000 plus for a developer, a software engineer and then some, and then you look at some of the, you look at some of the salaries in the valley, like how do you find and scale up great talent and retain great development talent when you don't have a 20, 50 million plus dollar investment?
C
Yeah, that's a great question. I'm like so the people that are money motivated, great, go be, go work in hedge funds, right? Like just you know, don't even think about Netflix. Just go straight to hedge funds like and because they make a ton of money and you know, they don't really create that much value but like you know you're basically advanced day trading. Like go create you know, high, high velocity training trading, right? Like there's. If you want to make money, just go make money. If you want to build great software, if you want to, you know, think about, you know, the impact that you're going to have. If you think, I think about the personal growth that you're interested in, whether it's a technical, whether it's the languages or it's you know, being on the manager track or however you think about it, you know what, what is growth? That is, you know, that's just a different frame. Think about the frame we have is impact. It's growth and it's connections, right? Connecting, connecting to the other human beings that are in, that are on the mission with you, right? So for us, you know, the impact is about being open source. Like you write it once and if you do it right like it never has to be written again, right? Like we have if you're into an open source Slack, open source Notion, open source Trello and you know, coming up sort of open source, you know, huddles, right? Clubhouse. We're adding the audio piece too. You know, once you build that and it's an integrated suite like it never has to be built again, you've made your mark in software history. Like if that's important, you know that's, that's one of the pillars that we've got at Mattermost. The second one is, is personal growth. Half of our managers at the company are promoted from within. So you know that track and that dedication to enabling managers and making them successful is also you know, super important to us. 
And the third is, you know we have staff in 20 countries, we have contribute, we have 4,000 contributors in the open source community and it's the Ability to sort of like, you know, walk off a plane in like, you know, 20 different cities around the world and have people greet you at the airport, have your friends, you know, show up. And I think that that connection, that like, concept, that's like, oh, yeah, people aren't like machines in the, in the, they're not cogs in a machine, that they're here with other human beings to go build something that's meaningful together. You know, that's, you know, that's the people that we want. So if there's people that care about, you know, we spend most of our life working and if impact, growth and connection is important, that's what your life's about, then we want to work with you. If your life is about, you know, how many Netflix options can I have in my portfolio? Then you should work for Netflix when.
B
You, when you try. So what are some of the strategies that you use to find people like that?
C
56% of the staff at Mattermost, 56% of our hires come from referrals. So the people that like, hey, I love working here, this is really great, you know, that's, that's more than half of our team. And I think when you, you think about NPS Net promoter score, it's like when people really enjoy working here and they tell their friends and they get, you know, more and more people in like, that those are the best hires.
B
No, no, I was about to say. So you focus on, you focus mostly on referrals. And then you were going to say something else. Sorry, I think we're like, there's like a two second delay, so I never know. Go ahead. Sorry.
C
No, so referrals is, is referrals is the majority and we'd love to continue that and then keep going because that really means that people enjoy it here and love it and they're, they're bringing on all the folks that they know. The second biggest source in the early days definitely was the open source community. 4000 people contributing and just saying, hey, let's work together, let's do this professionally. So a few months after we released our commercial version, we got this person who pinged us and they're like, look, I've never contributed open source before, but I would like to contribute a translation infrastructure for every string in your system. I have got this pull request that localizes everything and I've translated everything that is Spanish and it's 10,000 lines of code. Would you be open to this pull request? Which is kind of bananas. So what happens is this person was working in South America, and their company was reselling Mattermost, but it had to be in Spanish. So this person actually translated all of Mattermost the right way, not with hard coded strings, but with the actual infrastructure. But every month, you know, we talked about why it's difficult to fork Mattermost. Every month we're pushing out new features and innovations. It took them a week to, like, merge it back in. So it was in this person's best interest to offer that upstream so that we could, you know, put that in the product, make it better for everyone and make that person's life easier. We hired that person. So, you know, that's just a great way, you know, to say, because it's a great offer. It's like, well, just stop what you're doing and why don't you work on the mainline product rather than derivative? So that's another great path to hiring.
A
Thanks for tuning in. If you found this valuable, don't forget to hit that subscribe button so you never miss an episode. And if you want to dive deeper into this conversation, check out the links in the description to watch the full episode. See you in the next one.
Date: December 17, 2025
Guest: Ian Tien – SaaS Scaling Expert, CEO & Co-founder of Mattermost
Host: Scott D. Clary
In this “Lessons” episode, Scott D. Clary sits down with Ian Tien, SaaS scaling expert and CEO of Mattermost, to unpack the realities of building a $100M open source business. The discussion digs into what drives security and scalability in open source, why culture and investment matter more than open/closed models, how customer-led development fuels early enterprise adoption, and the methods Mattermost uses to attract and retain world-class technical talent.
[00:27-05:26]
Open vs. Closed Source Security
Three Principles for Security
All Software Has Vulnerabilities:
Value Dictates Breach Effort:
Security Is About Dedication:
Example: Mattermost works with high-security organizations (e.g., 20,000 US Air Force crew rely on Mattermost).
Ian highlights Mattermost’s security investments, e.g., bringing on Jerry Perello (former NYSE CISO) as advisor.
Memorable Incident:
Quote:
[07:40]
[08:37-10:39]
Early Go-To-Market (GTM) Approach:
The Feedback Loop:
[11:06-16:47]
The Challenge:
Ian’s Perspective on Motivation:
Recruiting Strategies:
Ian Tien, on security culture:
On the hiring mindset:
On the customer feedback loop:
| Timestamp | Segment/Topic | Summary |
|-------------|------------------------------------------|-------------------------------------------------------------------|
| 00:27-05:26 | Security in open source | Why security is about process & investment, not model |
| 09:00-10:39 | Early enterprise customers, GTM strategy | Customer-led feedback, product development, and investor outreach |
| 11:06-16:47 | Attracting/retaining top talent | Why mission, growth, and community win over cash-only careers |
| 14:36-15:10 | Recruiting channels | Referral system and open source as hiring pipelines |
Ian Tien breaks down the realities of building a secure, scalable, and values-driven open source SaaS company. The core lessons revolve around investing in processes, building with and for your earliest customers, and nurturing a worldwide talent network built on mission-driven work and authentic culture. Whether you’re a founder, an enterprise buyer, or an aspiring developer, this episode provides tactical and inspirational takeaways on the future of open source business.
Listen to the full episode or explore more at: www.successstorypodcast.com