Subscribe to the O'Reilly Security Podcast to examine the challenges and opportunities for security practitioners, with a focus on the people on the frontlines of security, working to build better defenses. Find us on Stitcher, iTunes, SoundCloud, RSS.

In this episode, I talk with Katie Moussouris, founder and CEO of Luta Security. We discuss the five stages of vulnerability disclosure grief, hacking the government, and the pros and cons of bug bounty programs.

Here are some highlights:

The five stages of vulnerability disclosure grief

There are two kinds of reactions we see from organizations that have never received a bug report before. Some of them are really grateful, and that's ideally where you want people to start, but a lot of them go through what I call the five stages of vulnerability response grief. At first, they are in denial; they say, ‘No, that's not a bug—maybe you're mistaken,’ or they get angry and send the lawyers, or they try to bargain with the bug hunter and say, ‘Maybe, if we just did something really stupid and tried to mask what this is, and maybe you won't talk about it publicly, or tweet about it.’ Then they often get really depressed because they realize this is just one bug report from one bug finder and there might be a ton of bugs they don't know what to do with. Until finally, they get to the acceptance stage. Ideally, we like it when organizations have gotten to that acceptance stage, when they realize there are bugs in everything, and eventually somebody is going to report a security vulnerability to the organization. Even if you've just got a website on the internet, it's possible that somebody will find and report a security issue to you.

Hacking the government

Hack the Pentagon came about because the U.S. Department of Defense was really interested in hearing about manipulating bug bounty market incentives. Each of those types of bugs would have fetched six figures on the offense market. At the time, Microsoft wasn't paying six figures per bug for beta bugs—in fact, nobody was—so understanding those market behaviors actually helped the Pentagon feel comfortable in trying out a bug bounty pilot, which is what happened last year. The results were great for the Pentagon. They got 138 vulnerabilities reported in a 21-day period. They fixed them all within six weeks, I believe. They paid $75,000 in bug bounties to find that many vulnerabilities. Through their usual vendors, it was costing them more than a million dollars a year in federal contracts with different security vendors, and they were typically receiving maybe two or three bug reports a month. There was finally a legal channel for security researchers who wanted to help the government to be able to do so without risking their freedom.

(Editor’s note: Moussouris just helped launch a similar effort with the UK’s National Cyber Security Centre.)

The pros and cons of bug bounties