Skip to content
Dos and Don’ts of bug bounty programs with Katie Moussouris – TechCrunch


In the rain To get started, cybersecurity doesn’t always get the attention it deserves, and yet it’s one of the first things startups learn can – and will – go wrong.

Hackers and security researchers can be some of your greatest assets in helping your startup stay safe. Vulnerability disclosure and bug bounty programs are part of working with the hacker community to build a stronger, more resilient business. But these are not a substitute for security investments, which you shouldn’t overlook as a growing business.

Katie Moussouris has been in cybersecurity circles since some of the world’s biggest tech companies were startups, and helped set up the first vulnerability disclosure and bug bounty programs. Moussouris, who heads consultancy firm Luta Security, now advises businesses and governments on how to talk to hackers and what they need to do to create and improve their vulnerability disclosure programs.

At TC Early Stage, Moussouris explained what startups should (and shouldn’t) do, and which priorities should come first.


Know the basics

A bug bounty alone is not enough and outsourcing the process to a platform will not save you time. Moussouris explained the basics and what differs between vulnerability disclosure, penetration testing, and bug bounties.

Vulnerability disclosure is the process by which you hear about vulnerability from the outside. You somehow digest this vulnerability internally in your organization and determine what to do with it – whether to create a patch, how to prioritize that patch, and then what to release to the public. [ … ] Ultimately, organizations need guidelines on how to deal with these issues appropriately.

Then we have penetration testing: hire professional hackers under contract [who have] a specific set of skills that match your set of problems, and you pay for them. They are under a Non-Disclosure Agreement (NDA) to keep your vulnerabilities a secret for as long as you need them – maybe forever – and you are free to know whether or not you fix those vulnerabilities.

Finally, bug bounties simply add a cash reward to the vulnerability disclosure program process. (Timestamp: 3:20)


ISO standards are your friend



Source link