So You Want to Build a Vulnerability Disclosure Program? Bug Bounty Pioneer Katie Moussouris on Challenges, Sustainability, Election Security
So you want to build a bug bounty program? Start by focusing on achieving specific, short-term goals rather than trying to make it run forever.
So says Katie Moussouris (@k8em0), the founder and CEO of Luta Security, which helps organizations create vulnerability coordination programs. She says organizations running such programs should avoid thinking of these efforts as quick-fix "bug bounty Botox" to be repeated ad nauseam. Rather, she recommends using such crowdsourced programs to improve the "secure development and deployment life cycle," focusing on "building a sustainable ecosystem" and hiring some of the best people reporting these flaws.
In a video interview with Information Security Media Group, Moussouris discusses:
- Steps to success: How to create vulnerability disclosure programs that are effective and sustainable;
- Federal moves, including the U.S. Department of Homeland Security's binding operational directive (20-01), which aims to use vulnerability disclosure policies to improve election security;
- The dark side of relying on the gig economy for bug hunting.
Moussouris is the founder and CEO of Luta Security, which helps organizations create vulnerability coordination programs. The company, which specializes in government and multiparty supply chain vulnerability coordination, recently helped Zoom refine its bug bounty programs. Previously, Moussouris started bug bounty programs for Microsoft and the Pentagon and also served as the chief policy officer for HackerOne. She has testified before the U.S. Senate as an expert on bug bounties and the labor market for security research and has also been called upon for European Parliament hearings on dual-use technology. She was later invited by the U.S. State Department to help renegotiate the Wassenaar Arrangement, helping to change the export control language to include technical exemptions for vulnerability disclosure and incident response.