Collaborate Disseminate
At SAS@Home, Luta Security CEO Katie Moussouris stressed that bug bounty programs aren’t a ‘silver bullet’ for security teams. Continue reading Grindr’s Bug Bounty Pledge Doesn’t Translate to Security
Senators rebuked Uber on Tuesday during a Senate Commerce subcommittee hearing over the company’s handling of the data breach it disclosed in November 2017, with one lawmaker calling the company’s decision to wait a year before publicly disclosing it “morally wrong and legally reprehensible.” Uber’s actions “violated not only the law but the norm of what should be expected,” said Sen. Richard Blumenthal, D-Conn., the subcommittee’s ranking member said. Uber revealed in November 2017 it paid $100,000 to delete data of 57 million users worldwide that was maliciously obtained by Florida-based hackers. The data included names, email addresses and phone numbers, and in some cases, encrypted passwords and driver’s license numbers. While Uber says that the hackers acted maliciously, the company paid them through HackerOne, which hosts Uber’s bug bounty program – a way for ethical hackers to receive payouts for informing companies about vulnerabilities. During the hearing, the lawmakers questioned Uber’s chief […]
The post Senators grill Uber CISO over 2016 breach, extortion incident appeared first on Cyberscoop.
Continue reading Senators grill Uber CISO over 2016 breach, extortion incident
A software vulnerability disclosure program recently launched by popular drone maker DJI has turned into a messy public relations battle pitting several security researchers against the growing Chinese technology firm. After DJI recently launched a bug bounty program, two researchers — Sean Malia and Kevin Finisterre — publicly disclosed vulnerabilities in DJI products. The revelations resulted in the company challenging each researcher’s findings and seemingly threatening one with a lawsuit tied to the Computer Fraud and Abuse Act. For researchers who have been poking and prodding DJI’s digital properties and products for about three months, Malia and Finisterre stories strike a familiar tone. Several researchers who approached DJI with information about evident vulnerabilities say the outcome has been less than satisfactory. DJI disputes aspects of some of these accounts, but experts say the firm has gone too far. “Many companies mistake a bug bounty program for a penetration test, in which the […]
The post How DJI fumbled its bug bounty program and created a PR nightmare appeared first on Cyberscoop.
Continue reading How DJI fumbled its bug bounty program and created a PR nightmare
The U.S. Air Force launched a new bug bounty program dubbed “Hack the Air Force” on Wednesday, continuing a trend within the U.S. military that began last year with Hack the Pentagon and Hack the Army. Before the Pentagon’s bug bounty programs launched, it was illegal to search for vulnerabilities on Defense Department networks. The trend has extended overseas, as well, with the U.K. government’s announcement of its own bug bounty program last month. The Air Force program is directed by HackerOne, the bug bounty platform behind Hack the Pentagon that just raised a $40 million investment in February, and Luta Security, the security consulting firm driving the U.K. program. HackerOne and Luta Security are partnering to deliver up to 20 bug bounty challenges over three years to the Defense Department. “This outside approach — drawing on the talent and expertise of our citizens and partner-nation citizens — in identifying our security vulnerabilities will […]
The post U.S. launches ‘Hack the Air Force’ bug bounty program appeared first on Cyberscoop.
Continue reading U.S. launches ‘Hack the Air Force’ bug bounty program
It’s basic economics: When supply drops but demand keeps rising, price goes up. It’s no different for pieces of information that give cyberattackers big advantages. The number of zero day exploits revealed in the wild fell for a third straight year in 2016, pushing the prices for them skyward and driving attackers to use alternative tactics, according to new research from Symantec. The total number of zero days exploited — a “zero day” is a software vulnerability that hasn’t been disclosed to the vendor and thus hasn’t been patched — dropped to 3,986 in 2016, Symantec said. That number was as high as 4,985 in 2014. Meanwhile, demand for zero days is as high as it’s ever been. Zero days discovered by security researchers are purchased by a wide variety of parties including militaries, intelligence agencies, law enforcement, software vendors, cybercriminals and military contractors. Their intentions also vary widely: Some buyers want to fix and defend software, others want to mount […]
The post Zero day exploits are rarer and more expensive than ever, Symantec says appeared first on Cyberscoop.
Continue reading Zero day exploits are rarer and more expensive than ever, Symantec says
Katie Moussouris on how bug bounty programs have gone mainstream, the success of Hack the Pentagon and Hack the Army, and where things stand with the Wassenaar Arrangement. Continue reading Katie Moussouris on Bug Bounty Programs, Hack the Army, and Wassenaar
We offer tips and advice to businesses facing the challenge of dealing with updates as Microsoft changes how it pushes out patches Continue reading What the end of Patch Tuesday means for businesses
Mike Mimoso talks to Katie Moussouris about her newly launched consultancy Luta Security, the Hack the Pentagon bug bounty program, and more. Continue reading Katie Moussouris on Hack the Pentagon, Embracing Hackers