The Vergecast

Bug bounties: the good and the bad of computer security

Jul 7, 2020
Katie Moussouris, founder and CEO of Luta Security and a pioneer in bug bounty programs, discusses the double-edged nature of these initiatives. She shares insights on how bug bounties can enhance cybersecurity while also highlighting concerns about their impact on internal security efforts. Moussouris explores encryption dilemmas, the economic dynamics of vulnerability compensation, and the pressing challenges of securing election infrastructure. The conversation also touches on the complexities related to smart device obsolescence and sustainability.
ANECDOTE

Early Bug Bounties

  • Netscape offered the first bug bounties in the mid-90s, paying $1,000 per bug.
  • A Dilbert comic from 1995 satirized the potential for perverse incentives, with engineers creating bugs to claim bounties.
ANECDOTE

Microsoft's Bug Bounty

  • Google's bug bounty program in 2010 prompted Microsoft to reconsider its stance on paying for bugs.
  • Microsoft's concern about increased volume, given its 800+ products, led to a strategic approach.
ANECDOTE

IE Bug Bounty Success

  • Microsoft's IE bug bounty targeted beta-period bugs by offering credit and money.
  • This resulted in 18 vulnerabilities reported in 30 days for about $28,000.