As chief policy officer at HackerOne, Katie Moussouris helped the Defense Department launch its Hack-the-Pentagon program—the first federal bug bounty program, which promises to pay hackers who uncover vulnerabilities in the DoD’s public-facing websites. That came after she spent three years convincing Microsoft to launch its first bug bounty program in 2013. Now Moussouris is branching out as an independent consultant to help companies and organizations interested in launching bug bounty programs move from the thinking stage to the doing phase.

“There’s huge momentum not just in the government space, but in private industry, where you’re seeing all types of vendors, not just tech vendors, … working with hackers,” she says. From medical device manufacturers and healthcare organizations to car companies and home appliance makers, companies that never considered themselves software vendors are now having to grapple with some of the same issues that Microsoft and Google face. As they add more digital code to their products, they have to worry about software vulnerabilities and patches. With that comes an increasing need to work respectfully with the community of white hat hackers and researchers who find and report vulnerabilities to them.

“We are riding this big wave where hackers are more and more being viewed as helpful as opposed to harmful,” she says. “That’s where I want to help.”

Moussouris was senior security strategist lead at Microsoft when she sold executives on the idea that paying researchers for vulnerabilities and disrupting the underground market for zero days—where vulnerabilities are sold to criminal hackers and spy agencies—would help secure Microsoft customers and also heal the rift that had arisen over the years between the company and security researchers.

She continued that work at HackerOne, which helps companies and organizations manage their bug bounty programs, including brokering communication between hackers and companies. She began discussing a bug bounty program with the federal government while still at Microsoft and continued those talks when she moved to HackerOne.

Throughout this period, however, she realized that a lot of companies and organizations need assistance at a much earlier stage before they even seriously consider launching a bug bounty program.

“That process to get them from just starting to talk to hackers to bug bounty seems to be a place where a lot of people want to get to, but there is a ton of infrastructure stuff and engineering issues [that they need to address first],” she says. “People are very concerned about vulnerability disclosure, but most organizations aren’t ready for them.”

Companies have to have staff in place who are able to review bug reports in a timely manner and verify that the issue being reported is a true vulnerability. They also have to have engineers available to create and test a patch, to ensure that fixing one issue doesn’t break something else. A company that isn’t prepared for the extra work a bug bounty program brings can quickly become overwhelmed, leading to long delays in responding to researchers and unpatched vulnerabilities that leave users at risk.

“Taking a complex organization like Microsoft or the US DoD and getting them all the way to where they’re paying hackers money… that’s exactly where I shine and that’s where I’m going to help people the most,” she says. “I want to make sure people roll out bounties that are really good for them, that are really good for the hacker and that they have the capability on the backend … to handle bug reports.”

Originally posted here: Bug Bounty Guru Katie Moussouris Will Help Hackers and Companies Play Nice