With bug bounties being all the rage, the platforms that support them are emerging as important pieces of the security research, disclosure and reward ecosystem. One of those platforms, HackerOne, has scored a major coup in hiring Katie Moussouris, the driving force behind Microsoft’s bounty program, to oversee its policy and disclosure philosophy and work with customers on the intricacies of vulnerability disclosure.
HackerOne is perhaps best known as the platform that supports the Internet Bug Bounty sponsored by Microsoft and Facebook. That reward program pays for vulnerabilities discovered in core Internet technologies such as DNS and SSL, as well as Linux and the major browsers from Google, Microsoft and Mozilla. But HackerOne also supports bug bounty programs for a wide variety of other companies and even individual developers.
Moussouris, who has been instrumental in many of the security initiatives at Microsoft, including the Blue Hat Prize, and has worked on international standards in the ISO community for years, said that she sees her role at HackerOne as helping to guide customers, policymakers and government officials through the labyrinth that is vulnerability research and disclosure.
“I’m looking forward to helping governments and policymakers do the right thing in terms of supporting and defending security research. The one thing that I’ve dedicated a lot of my career to is making room for research that’s helpful and not harmful and making sure that it’s not just tolerated, but supported and defended,” said Moussouris, who is the chief policy officer at HackerOne.
“Part of my mission is to help the powers that be understand the importance of this.”
In her role at Microsoft, Moussouris often worked with government officials and policymakers on standards issues, and she said that in initial discussions about the value of security research, policymakers often do not see that value at first and need some more education.
“When I say things like, please don’t make research and disclosure illegal because it will blind vendors and the only time we’ll find out about vulnerabilities is when they’re under attack, they usually don’t get it at first,” she said. “But when they follow it to the logical conclusion, that we’d rather find out about it from a friendly researcher, it makes sense. It doesn’t take much to convince them.”
In addition to the hiring of Moussouris, HackerOne also landed $9 million in new funding from Benchmark Capital.