HackerOne, Verizon weigh pros and cons of making live hacking contests virtual

Among all the ways COVID-19 has affected the cybersecurity world, perhaps nothing has been hit harder than live hacking events, which were once a staple of the industry. The coronavirus forced bug bounty company HackerOne and Verizon Media into hosting two online hacking events together since the outbreak, and they recently completed what they billed as the world’s largest live hacking contest. Live hacking events, whether virtual or in-person, give companies a chance to lure ethical hackers to find their security flaws before the attackers do, and can serve as recruiting opportunities for corporate positions, too. What made the most recent competition stand out was its massive size, and what the experiment could mean for the rest of the bug bounty community. The HackerOne/Verizon Media duo wasn’t the first to move live hacking events online. Pwn2Own made a similar transition in March. With more than 3,000 people from 59 countries registering […]

The post HackerOne, Verizon weigh pros and cons of making live hacking contests virtual appeared first on CyberScoop.

Grindr’s Bug Bounty Pledge Doesn’t Translate to Security

At SAS@Home, Luta Security CEO Katie Moussouris stressed that bug bounty programs aren’t a ‘silver bullet’ for security teams.

RSAC 2020: Editors’ Preview of Hottest Sessions, Speakers and Themes

From data privacy to industrial IoT cybersecurity concerns, Threatpost editors discuss the top stories they expect to see at this year’s RSA Conference, which kicks off next week in San Francisco.

Apple’s $1 million bug bounty makes a lot more sense after that iOS hacking spree

Say what you will about Apple, but the company certainly knows how to get the security community fired up. Ivan Kristic, Apple’s head of security engineering, announced Aug. 8 at the Black Hat security conference that the company would offer up to $1 million, or $1.5 million under specific conditions, to hackers who disclosed new ways of infiltrating the iPhone’s operating system. That million-dollar promise instantly earned praise as the highest bug bounty offer from a technology company, and seemed to indicate the notoriously inaccessible company was becoming more transparent. The weeks since, though, have demonstrated that the stakes are higher for Apple than initially understood. The company’s stellar security reputation took a hit when Google’s Project Zero announced that hackers had spent two years targeting thousands of iPhones by combining 14 vulnerabilities into five exploit chains that allowed them to spy on victims with few limitations. Now, researchers and bug bounty participants […]

The post Apple’s $1 million bug bounty makes a lot more sense after that iOS hacking spree appeared first on CyberScoop.

What Capital One’s cybersecurity team did (and did not) get right

There was no months-old, unpatched Apache flaw. An S3 bucket wasn’t publicly accessible to anyone with an internet connection. There was no effort to hide what happened behind the company’s bug bounty program. When taken at face value, the Capital One breach looks awfully similar to other massive security failures that have made national news in the past few years. But while people fixate on the amount of information taken, there are some in cybersecurity circles who see a silver lining in the way the bank has handled the incident. Multiple security experts told CyberScoop that while the incident is clearly severe and there are still questions that need to be answered, actions taken by the Virginia-based bank — which did not respond to CyberScoop’s request for comment — prevented this breach from becoming another example of extreme corporate cybersecurity negligence. “While it’s tempting to knock Capital One for this […]

The post What Capital One’s cybersecurity team did (and did not) get right appeared first on CyberScoop.

The Vulnerability Disclosure Process: Still Broken

Despite the advent of bug bounty programs and enlightened vendors, researchers still complain of abuse, threats and lawsuits.

The bug bounty market has some flaws of its own

In the wake of Microsoft’s announcement of a $250,000 reward for new hardware vulnerabilities, there’s growing concern that inflated bounties might be creating perverse incentives for young cybersecurity researchers and distorting the market for white-hat bug hunters. “If you can make considerably more money hunting bugs, there will be nobody left to fix them,” tweeted Katie Moussouris, a security researcher who created the first Microsoft program that rewarded those who reported vulnerabilities. “Those who do the hard work of code maintenance in corporations, dealing w [office] politics for a salary that’s ~1 bounty are 1 bad meeting away from rage quitting to hunt bugs full time,” the tweet concluded. “Motivations vary among hackers … but most are driven by some combination of three factors,” she told CyberScoop: Financial compensation, peer recognition and “the pursuit of intellectual happiness — loving what you do.” Moussouris would know. In addition to her practical […]

The post The bug bounty market has some flaws of its own appeared first on CyberScoop.