Katie Moussouris: It’s dangerous to conflate bug bounties and vulnerability disclosure

“There are two extremes right now: no idea where to start or do a bug bounty,” says Moussouris, who built Microsoft's vulnerability disclosure program.

Become An Insider

Sign up now and get FREE access to hundreds of Insider articles, guides, reviews, interviews, blogs, and other premium content. Learn more.

Put out a welcome mat for good Samaritans bearing bad news.

It sounds easy, but 94 percent of the Forbes Global 2000 offers no easy way for security researchers to report bugs in good faith. Part of the problem, Katie Moussouris tells CSO, is that business leaders confuse vulnerability disclosure with bug bounties. Good Samaritans and bounty hunters are not the same.

Moussouris built Microsoft's vulnerability disclosure program, the first of its kind for a major corporation, helped the U.S. Department of Defense (DoD) launch their Hack the Pentagon program, and has testified before the U.S. Congress on bug bounty programs. She's the co-author of ISO 29147, Vulnerability Disclosure, and ISO 30111, Vulnerability Handling Processes, and the founder and CEO of Luta Security.

In an interview with CSO, Moussouris talked about what a vulnerability disclosure program ought to look like, why companies can't outsource their security to bug bounty hunters, and her experience drafting ISO standards.

On whether bug bounty programs are right for all companies

Moussouris: What I have seen, which disturbs me as a practictioner in this area for 20 years, is that if you look at the Google search terms for bug bounties and penetration testing, they've finally converged. That to me is dangerous. It's dangerous when people think that bug bounties are the same as vulnerability disclosure.

They think they can replace penetration testing with bug bounties. It's not the same. A bug bounty is just an incentive to get people to report vulnerabilities to you. Most of the bug bounty bugs these days are XSS vulnerabilities. Tell me you couldn't have an intern find all those using free tools.

Vulnerability coordination and disclosure are absolutely not the same as bug bounty programs.

Yes, I helped create bug bounties. I was trying to create a mechanism for hackers to one, stay out of jail, and two, help people become more secure. It was supposed to catch the things you missed, not to replace penetration testing, replacing running your own tests.

To continue reading this article register now

SUBSCRIBE! Get the best of CSO delivered to your email inbox.