Bug Bounty Evolution: Not Your Grandson's Bug Bounty

Presented at Black Hat USA 2022, Aug. 11, 2022, 10:20 a.m. (40 minutes)

Bug Bounties, once heralded as a security best practice, are growing stale without ever having brought the revolutionary security benefits and great ways to earn a living to the masses that proponents like me dreamed of. What have we been getting wrong and what can we do to save security and our souls?

Before Google invigorated the bug bounty practice in 2010 by paying nearly triple the going rate that Mozilla set in the mid-1990s, bug bounty programs had received little fanfare during their previous 20 years of existence. Then, in 2013, when these programs were still not considered mainstream for most organizations, Microsoft launched its programs with the largest bounty amounts in the industry by any software vendor at the time. Then, in 2016 came Hack The Pentagon, and suddenly everyone was either running a bug bounty program or wanted to run one.

Where are we now and what have we learned since 2010? Were the myths of being able to compete on price with the offense market true or was it all just marketing by VC-backed bug bounty platforms? Is there an alternative solution for hackers who currently get treated like disposable workers? What's the best path forward for hackers, organizations, and the security industry now that we have seen over a decade of modern bug bounty programs in practice?

This talk is for the dreamers, the wishers, the post-modern risk economists, the hackers of labor systems, the destroyers of status quos. This is not your grandson's bug bounty.


  • Katie Moussouris - Founder & CEO, Luta Security
    Katie Moussouris is the Founder & CEO of Luta Security. As a computer hacker with more than 20 years of professional cybersecurity experience, Katie has a unique and unparalleled perspective on security research, incident response, vulnerability disclosure, and bug bounty programs. Currently, Katie serves as the founder and CEO of Luta Security. During her tenure with Microsoft, her work included industry-leading initiatives such as starting Microsoft Vulnerability Research, which formalized multiparty vulnerability and supply chain vulnerability coordination across hardware and software as well as launching Microsoft's first bug bounty program. Katie is also the co-author and co-editor of ISO 29147 (vulnerability disclosure) and ISO 30111 (vulnerability handling processes). Working with the Department of Defense, Katie led the launch of the U.S. government's first bug bounty program, "Hack the Pentagon." She also worked with the State Department to help renegotiate the Wassenaar Arrangement, specifically changing the export control language to include technical exemptions for vulnerability disclosure and incident response. Katie serves in three advisory roles for the U.S. government as a member of the Cyber Safety Review Board, the Information Security and Privacy Advisory Board, and the Information Systems Technical Advisory Committee. She is a cybersecurity fellow at New America and the National Security Institute. Katie is also the founder of the Pay Equity Now (PEN) Foundation, and through the PEN Foundation, she established the Anuncia Donecia Songsong Manglona Lab for Gender and Economic Equity at Penn State Law in University Park. Additionally, she served as a visiting scholar with the MIT Sloan School, a Harvard Belfer affiliate, and an advisor to the Center for Democracy and Technology. In 2018, Katie was featured in two Forbes lists: The World's Top 50 Women in Tech and America's Top 50 Women in Tech.

