The do’s and don’ts of bug bounty programs with Katie Moussouris

In the rush to launch, cybersecurity doesn’t always get the attention it deserves, and yet it’s one of the first things that startups learn can — and will — go wrong.

Hackers and security researchers can be some of your biggest assets in helping your startup stay secure. Vulnerability disclosure and bug bounty programs are part of working with the hacker community to build a stronger, more resilient company. But they are not a replacement for security investments, which a growing company should not overlook.

Katie Moussouris has been in cybersecurity circles since some of the world’s biggest tech companies were startups, and helped to set up the first vulnerability disclosure and bug bounty programs. Moussouris, who runs consultancy firm Luta Security, now advises companies and governments on how to talk to hackers and what they need to do to build and improve their vulnerability disclosure programs.

At TC Early Stage, Moussouris explained what startups should (and shouldn’t) do, and what priorities should come first.


Knowing the basics

A bug bounty alone is not enough, and outsourcing the process to a platform isn’t going to save you time. Moussouris explained the basics and the differences between vulnerability disclosure, penetration testing and bug bounties.

Vulnerability disclosure is the process by which you hear about a vulnerability from the outside. You digest that vulnerability somehow internally in your organization and figure out what to do with it — whether to create a patch, how to prioritize that patch, and then what to release to the public [ … ] What it comes down to is that organizations need guidelines on how to handle these issues appropriately.

Next we’ve got penetration testing: hiring professional hackers under contract [who have] a specific set of skills that match your problem set, and you pay them. They’re under a nondisclosure agreement (NDA) to keep your vulnerabilities secret for as long as you need them — perhaps forever — and you are at your leisure as to whether or not you fix those vulnerabilities.

Finally, bug bounties are simply adding a cash reward to the process of vulnerability disclosure programs. (Time stamp: 3:20)


ISO standards are your friend