Application Security , Governance & Risk Management , IT Risk Management

So You Want to Build a Vulnerability Disclosure Program?

Bug Bounty Pioneer Katie Moussouris on Challenges, Sustainability, Election Security
Katie Moussouris, CEO, Luta Security

So you want to build a bug bounty program? Start by focusing on achieving specific, short-term goals rather than trying to make it run forever.

See Also: Breaking Down Silos With a Holistic View of Security, Risk

So says Katie Moussouris (@k8em0), the founder and CEO of Luta Security, which helps organizations create vulnerability coordination programs. She says organizations running such programs should avoid thinking of these efforts as quick-fix "bug bounty Botox" to be repeated ad nauseam. Rather, she recommends using such crowdsourced programs to improve the "secure development and deployment life cycle," focusing on "building a sustainable ecosystem" and hiring some of the best people reporting these flaws.

In a video interview with Information Security Media Group, Moussouris discusses:

  • Steps to success: How to create vulnerability disclosure programs that are effective and sustainable;
  • Federal moves, including the U.S. Department of Homeland Security's binding operational directive (20-01), which aims to use vulnerability disclosure policies to improve election security;
  • The dark side of relying on the gig economy for bug hunting.

Moussouris is the founder and CEO of Luta Security, which helps organizations create vulnerability coordination programs. The company, which specializes in government and multiparty supply chain vulnerability coordination, recently helped Zoom refine its bug bounty programs. Previously, Moussouris started bug bounty programs for Microsoft and the Pentagon and also served as the chief policy officer for HackerOne. She has testified before the U.S. Senate as an expert on bug bounties and the labor market for security research and has also been called upon for European Parliament hearings on dual-use technology. She was later invited by the U.S. State Department to help renegotiate the Wassenaar Arrangement, helping to change the export control language to include technical exemptions for vulnerability disclosure and incident response.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.