Success Story Podcast with Scott D. Clary
Episode: Lessons - Building a $100M Open Source Empire | Ian Tien
Date: December 17, 2025
Guest: Ian Tien – SaaS Scaling Expert, CEO & Co-founder of Mattermost
Host: Scott D. Clary
Episode Overview
In this “Lessons” episode, Scott D. Clary sits down with Ian Tien, SaaS scaling expert and CEO of Mattermost, to unpack the realities of building a $100M open source business. The discussion digs into what drives security and scalability in open source, why culture and investment matter more than open/closed models, how customer-led development fuels early enterprise adoption, and the methods Mattermost uses to attract and retain world-class technical talent.
Major Discussion Points & Key Insights
1. Open Source Security: Myth vs. Reality
[00:27-05:26]
- Open vs. Closed Source Security
- Scott opens by asking whether open source is inherently more secure than closed-source software.
- Ian Tien: “It’s many things. It’s not just the open or closed model, right? It’s the investment on security. It’s, you know, your internal process.” [00:54]
- Three Principles for Security
- All Software Has Vulnerabilities:
- “Nothing is secure. There’s always going to be vulnerabilities. All you can do is kind of move those around.” [00:54]
- The open source model offers transparency; customers can view and report vulnerabilities.
- Value Dictates Breach Effort:
- Attackers target systems based on the value of what’s inside them. Centralized cloud solutions become “honeypot targets.”
- Self-hosting with open source allows enterprises to keep their data segmented and protected behind their own defenses.
- Security Is About Dedication:
- Example: Mattermost works with high-security organizations (e.g., 20,000 US Air Force crew rely on Mattermost).
- Ian highlights Mattermost’s security investments, e.g., bringing on Jerry Perello (former NYSE CISO) as advisor.
- Memorable Incident:
- Mattermost identified a vulnerability in Golang’s XML parser affecting SAML authentication.
- They coordinated responsible disclosure and contributed the patch themselves—a process that took months and involved multiple entities.
- Quote:
- “That’s what it means to be part of the security community and really participate in not only the safety of our products and our customers, but of the general software community itself.” [05:18]
2. Security: It’s About Culture, Not Just Model
[07:40]
- Ian and Scott agree:
- Security excellence stems from company culture and leadership, not just technology or architecture.
- Scott:
- “It’s probably less about closed versus open and more about how forward thinking and looking the company is and where they want to spend their time and attention.” [07:40]
3. Landing the First Enterprise Customers
[08:37-10:39]
- Early Go-To-Market (GTM) Approach:
- Focused on solving tangible problems, not on networking or pitching investors.
- Ian:
- “It’s really about building something that people want. There’s a simple algorithm they teach at YC: talk to customers, build product, stay healthy.” [09:00]
- The Feedback Loop:
- Mattermost used their open source presence to create a direct loop with users.
- Live conversations—contact forms, forums, emails—led to rapid feedback and feature requests.
- Example: Major interest came from customers demanding features for data privacy and SSO.
- Investors were only seriously interested after hearing from satisfied customers.
- Ian:
- “Investors don’t really want to talk to…the founders, but what they really want is to talk to your customers.” [10:21]
- Key: Avoid distractions, focus relentlessly on talking to users and building what they want.
4. Attracting and Retaining World-Class Technical Talent
[11:06-16:47]
- The Challenge:
- With sky-high compensation at tech giants, how does an early-stage open source company attract (and keep) top developers?
- Ian’s Perspective on Motivation:
- Talent driven purely by money is steered toward hedge funds and massive tech companies—not Mattermost.
- Quote:
- “If you want to make money, just go make money. If you want to build great software…think about…the impact that you’re going to have.” [11:54]
- At Mattermost, culture is defined by:
- Impact: Making open source contributions that matter and have longevity.
- Growth: Half of managers are promoted internally—personal development is prioritized.
- Connection/Community: Staff in 20+ countries; 4,000 open source contributors; global camaraderie and belonging.
- The company only wants to hire those passionate about impact, growth, and human connection.
- Recruiting Strategies:
- Referrals:
- 56% of Mattermost’s hires are from employee referrals—evidence that the internal culture is strong.
- Ian:
- “When people really enjoy working here…and they get more and more people in, those are the best hires.” [14:36]
- Open Source Community:
- Many hires started as open source contributors, later joining the company full-time.
- Example: A contributor from South America independently internationalized Mattermost and submitted a 10,000-line pull request, eventually joining the team.
- The open source ecosystem is a crucial pipeline for both innovation and hiring.
Notable Quotes
- Ian Tien, on security culture:
- “I think when you think about, you know, what it means to be great at security, I think it’s not one or the other, it’s about…your investment [in] security, also the fact that keeps things safe.” [05:20]
- On the hiring mindset:
- “We spend most of our life working, and if impact, growth, and connection is important, that’s what your life’s about, then we want to work with you.” [13:42]
- On the customer feedback loop:
- “Talk to customers and build product, like that’s the loop…Don’t stop talking to customers and then don’t stop building product.” [09:03]
Highlight Timestamps
| Timestamp | Segment/Topic | Summary |
|-------------|---------------------------------------------|-------------------------------------------------------------------|
| 00:27-05:26 | Security in open source | Why security is about process & investment, not model |
| 09:00-10:39 | Early enterprise customers, GTM strategy | Customer-led feedback, product development, and investor outreach |
| 11:06-16:47 | Attracting/retaining top talent | Why mission, growth, and community win over cash-only careers |
| 14:36-15:10 | Recruiting channels | Referral system and open source as hiring pipelines |
Memorable Moments
- Mattermost’s Responsible Disclosure:
- Finding and helping fix a major Golang SAML vulnerability, enabling responsible disclosure across the broader ecosystem. [04:40-05:20]
- Massive open source contribution:
- A community member singlehandedly internationalizing Mattermost and then joining the company. [15:10-16:00]
- Cultural hiring:
- Emphasizing building a team of people motivated by lasting impact, not just high salaries. [11:54-13:42]
Summary
Ian Tien breaks down the realities of building a secure, scalable, and values-driven open source SaaS company. The core lessons revolve around investing in processes, building with and for your earliest customers, and nurturing a worldwide talent network built on mission-driven work and authentic culture. Whether you’re a founder, an enterprise buyer, or an aspiring developer, this episode provides tactical and inspirational takeaways on the future of open source business.
Listen to the full episode or explore more at: www.successstorypodcast.com
