#SecurityMeetUp Mail.Ru

HackerOne, Security Meetup 4 December 2014, Mail.Ru Group


Page 1:

#SecurityMeetUp Mail.Ru

Page 2:

Bounties and Other Incentives

Katie Moussouris, Chief Policy Officer

http://twitter.com/k8em0 <-- that’s a zero

Page 3:

Who I am: Chief Policy Officer, HackerOne

Mother of Microsoft’s Bounty Programs, Internet Bug Bounty Panelist

Chair of BlueHat Content Board 2010-2013

My (security*) work in bullet points:

◆ Linux Dev and Security Tzarina - TurboLinux, circa 2000

◆ Pen Tester - Artist formerly known as @stake

◆ Founder - Symantec Vulnerability Research (SVR)

◆ Founder - Microsoft Vulnerability Research (MSVR)

◆ Policy Maker

◆ Editor for ISO standard on Vulnerability Handling (30111)

◆ Lead SME for US National Body on Vulnerability Disclosure (29147)

◆ Lead editor for Penetration Testing as it applies to Common Criteria (20004-2) and Secure Application Development processes (27034-3)

* Was a molecular biologist in a past professional life; worked on the Human Genome Project

Page 4:

What is HackerOne?

● Vulnerability Coordination Platform

o Built by Facebook, Microsoft, Chrome security folks

● 100+ live programs with well over $100k paid out each month

● 1,000+ hackers (researchers?) recognized for their work

● Important: We only host these programs.

o Researchers & Security Teams manage their own programs.

o HackerOne employees do not have access to reports.

Page 5:

Page 6:

H1 Programs (Average)

Page 7:

Signal-to-Noise Ratio

● There's noise on the internet

● Researcher Reputation - Good for researchers and teams

o The best researchers stand out from noisier ones

o Mutual incentives to maintain a high-signal environment

o Security Teams benefit from additional context

o An Anecdote!

"Noisiest" researcher had 1,500+ submissions and a <5% success rate.

One month later: same researcher now has 60%+ success rate.

Page 8:

Reputation: Plus Rate Limiting
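The two slides above describe the mechanism only in outline: triage verdicts feed a researcher's reputation, and reputation in turn governs how many reports a researcher may submit, so the "noisiest" researcher in the anecdote is throttled while their success rate is under 5% and regains capacity once it climbs past 60%. The model below is an added, constructed example of that loop, not HackerOne's actual scoring or rate-limiting code; the names `Researcher`, `SubmissionGate`, `simulate_noisy_researcher` and every constant (`WINDOW_SECONDS`, `HISTORY`, `MIN_QUOTA`, `MAX_QUOTA`) are assumptions made for illustration. Reputation is computed over a rolling window of recent triage outcomes rather than all-time totals, which is what lets the researcher in the anecdote recover within a month.

```python
from collections import deque

# All constants below are assumptions of this toy model, not platform values.
WINDOW_SECONDS = 7 * 24 * 3600  # sliding window over which the submission quota applies
HISTORY = 50                    # number of recent triage outcomes that define reputation
MIN_QUOTA, MAX_QUOTA = 3, 40    # submissions per window at the lowest / highest reputation


class Researcher:
    def __init__(self, name):
        self.name = name
        self.outcomes = deque(maxlen=HISTORY)  # True = valid report, False = noise; oldest drop off
        self.submitted_at = deque()            # timestamps of submissions inside the current window

    def success_rate(self):
        # Laplace smoothing: an unknown researcher starts near 0.5 instead of 0 or 1,
        # and a single lucky report does not count as a 100% track record.
        return (sum(self.outcomes) + 1) / (len(self.outcomes) + 2)

    def quota(self):
        # Allowed submissions per window grow linearly with the recent success rate.
        return round(MIN_QUOTA + (MAX_QUOTA - MIN_QUOTA) * self.success_rate())


class SubmissionGate:
    """Admits a submission only while the researcher is under their reputation-scaled quota."""

    def __init__(self):
        self.researchers = {}

    def researcher(self, name):
        return self.researchers.setdefault(name, Researcher(name))

    def try_submit(self, name, now):
        r = self.researcher(name)
        # Expire submissions that have left the sliding window.
        while r.submitted_at and now - r.submitted_at[0] >= WINDOW_SECONDS:
            r.submitted_at.popleft()
        if len(r.submitted_at) >= r.quota():
            return False  # rate-limited: the window already holds this researcher's quota
        r.submitted_at.append(now)
        return True

    def triage(self, name, valid):
        # The security team's verdict feeds back into reputation.
        self.researcher(name).outcomes.append(valid)


def simulate_noisy_researcher(attempts=30):
    """Constructed scenario modelled on the slide's anecdote: a researcher whose recent
    reports were under 5% valid, then 60% valid a month later. Returns the quota and the
    number of accepted submissions at each stage."""
    gate = SubmissionGate()
    name = "noisy"
    # Stage 1: 2 valid reports out of the last 50 (4%).
    for i in range(HISTORY):
        gate.triage(name, valid=(i % 25 == 0))
    quota_before = gate.researcher(name).quota()
    accepted_before = sum(gate.try_submit(name, now=i * 60) for i in range(attempts))
    # Stage 2, one month later: 30 of the next 50 reports are valid (60%). Because
    # reputation is computed over a rolling history, the old noise no longer counts.
    for i in range(HISTORY):
        gate.triage(name, valid=(i % 5 < 3))
    month = 30 * 24 * 3600
    quota_after = gate.researcher(name).quota()
    accepted_after = sum(gate.try_submit(name, now=month + i * 60) for i in range(attempts))
    return {
        "quota_before": quota_before,
        "accepted_before": accepted_before,
        "quota_after": quota_after,
        "accepted_after": accepted_after,
    }


if __name__ == "__main__":
    print(simulate_noisy_researcher())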

Page 9:

Knowledge

● Sharing knowledge is valuable to the entire community

o Those who do not learn from the mistakes of the past are doomed to repeat them

● Q: How can we encourage more vulnerability sharing?

o One-click disclosures

o Streamlined coordination

o Shared goals

o No surprises

Page 10:

HackerOne Transparency

View the details of every vulnerability HackerOne has ever had: https://hackerone.com/security

Page 11:

IE Preview Bug Bounty: All in the timing

● Running a bounty program during the Preview (beta) period for IE11 addressed the greatest number of issues with the least impact to customers AND engineers

● Vulnerability brokers don’t offer payment for the IE browser in beta, so there is a gap in the marketplace

● Actual Results: 23 submissions, 18 bulletin-class issues – including 4 sandbox escapes

Page 12:

IE 11 Preview Bounty --> Reverses Reporting Trend

Page 13:

Page 14:

Hacker!

Page 15:

Page 16:

"Hacker"?

● Definitions suck.

● Security is for everyone

o It needs to be more accessible & inclusive.

● Be a part of the security community

Page 17:

Questions?