Uncover the vulnerability and exploit internally, don’t rely on bug bounties alone
L33tdawg: Got bugs? Come to #HITBCyberWeek in October. Katie will be there for Driven2Pwn!
Cyber security professionals are often male and white. So it was an interesting experience this week to interview a woman expert, Katie Moussouris, who is adept in vulnerability disclosures and a pioneer in bug bounty programmes.
She believes that bug bounties are good but should only be used as a way to discover the well-hidden vulnerabilities and exploits that in-house security experts cannot find. A security vulnerability is an error in an IT system that can be exploited by an attacker to compromise the confidentiality or integrity of the system or to deny legitimate user access to a system.
To detect and report vulnerabilities so that they can be fixed, organisations offer rewards to individuals who report such errors. These rewards are called bug bounties. Moussouris believes strongly that organisations should not use bug bounties as a lazy way to detect vulnerabilities, at least not before trying to find some of the loopholes themselves.
She was speaking to Techgoondu on the sidelines of the GSEC security conference, organised by Hack in the Box.