5/28/2014
06:00 PM

Microsoft, Facebook Security Leaders Head Startup

The HackerOne project spins off into a new company aimed at facilitating vulnerability disclosure between security researchers and the software vendors and web properties whose flaws they find.

HackerOne, a bug bounty and vulnerability disclosure project originally funded in part by Facebook and Microsoft, has secured $9 million in Series A funding and spun off into a full-blown startup that will be led by former senior security leaders from the two companies.

Katie Moussouris -- the senior security strategy lead who spearheaded Microsoft's work with security researchers, as well as its BlueHat Prize and historic bug bounty program -- has left the software company and joined HackerOne as chief policy officer. Former Facebook director of security Alex Rice, one of HackerOne's co-founders, has been named CTO. Merijn Terheggen, another HackerOne co-founder, has been named CEO. Facebook and Microsoft worked together on the formation of the original HackerOne project, a community bug bounty program launched in November 2013 to pay researchers for flaws they found in popular open-source software and Internet protocols.

"I had been running the vulnerability disclosure and white hat program at Facebook for the last couple of years. I have been completely blown away by how effective the disclosure programs have been there," Rice says. "I've been working the past year and a half helping other people... run a disclosure program. HackerOne helps [organizations] make a disclosure process and [facilitates] communicating back and forth with the researchers."

HackerOne, which received the cash infusion from Benchmark Capital, provides an online platform that automates the vulnerability disclosure process between the software vendor or website operator and the researchers who find the bugs. The platform itself is free to use, but HackerOne charges a fee on bounty payment transactions.

Rice said becoming a full-blown company was the next logical step after running HackerOne's Internet Bug Bounty program, which Microsoft and Facebook helped sponsor, and supporting other companies' disclosure processes. HackerOne's platform is geared for companies of all sizes to work with researchers who find flaws in their software. "We branched out to help more traditional companies around their disclosure programs," including individual software developers, midsized software companies, and content web firms.

Several clients currently use HackerOne's vulnerability disclosure platform, including Yahoo, CloudFlare, Lookout Security, Python, Urban Dictionary, and open-source projects such as OpenSSL. Not all of its clients actually establish bug bounty programs; some just use the platform for coordinating their disclosure process.

"A researcher doesn't know if they're going to get a high five or have the FBI kick down their door" when they disclose a bug, Rice says. "First and foremost, it's getting companies to publish their disclosure policy around how they will treat researchers."

Terheggen says it's all about providing guidance in the process. "On the researcher side, it's how do I talk to a company? How do I disclose a vulnerability? For the company, it's how do you work with someone who knows your weakness?"

Most organizations handle disclosure coordination via email today, Rice says. "We think [HackerOne's] process is a lot better than the shared inbox [model] most companies have" for disclosure. "This automates the whole process," including "how you want funds distributed."

Another option for vulnerability disclosure coordination is Bugcrowd, a crowdsourced bounty site that also helps organizations set up bug bounty programs online. Bugcrowd runs a free vulnerability disclosure platform called Crowdcontrol, where researchers submit their vulnerability finds to the affected site or software vendor, and those discoveries get vetted.

Bug disclosure is certainly not a new concept, but the process and business of doing so are still suffering some growing pains. "Miscommunication and mistakes happen all the time," Rice says. "It's common to see a botched disclosure."

Former Microsoft bug bounty manager Moussouris says Microsoft's joining the bug bounty game last year was "a major inflection point in the industry."

"Microsoft had been one of the major holdouts for a long time, not offering financial rewards for research. But once that happened, I think there was a big tipping point," Moussouris says.

Aside from Microsoft, several major companies have launched bug bounty programs in the past few years, including Facebook, Mozilla, and Google. "The industry realized that the vulnerability economy had changed. There are a lot of options for researchers to be directly compensated for their work," rather than just being thanked publicly, she says.

Moussouris, whose background includes Linux development, vulnerability research, and helping Symantec and Microsoft build working relationships with the vulnerability research community, is also a subject matter expert for the US National Body of the International Organization for Standardization (ISO) on vulnerability disclosure (29147), secure development (27034), penetration testing in Common Criteria (20004-2), and vulnerability handling processes (30111).

"A lot of the work I plan on doing with HackerOne is not just helping organizations handle vulns better and more efficiently, but also to work to influence policymakers and lawmakers around protecting vulnerability research," she says. "It does not just need to be tolerated, but supported. Vulnerability research is important to the safety of all of us."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Kelly Jackson Higgins, 6/1/2014 | 9:24:39 PM
Re: Researchers...external or internal?
Good q, @Ryan Sepe: Researchers who find vulns in the products of vendors who use HackerOne's system.
RyanSepe, 5/31/2014 | 2:04:20 PM
Researchers...external or internal?
Just to clarify, by researchers do they mean individuals within the HackerOne infrastructure or do they mean working with people externally searching for vulnerabilities within certain systems?

I feel that the second might provide a much larger research base and might be financially more plausible where a per vulnerability discovery payment could be established.
Kelly Jackson Higgins, 5/30/2014 | 1:29:19 PM
coup
Also, HackerOne getting Katie Moussouris from Microsoft, who spearheaded Microsoft's work with security researchers, its BlueHat Prize and bug bounty program, is a pretty big coup. 
Kelly Jackson Higgins, 5/30/2014 | 8:23:48 AM
Re: Interesting development -- More to come?
Hard to say, but it is interesting that this market is really starting to heat up now. Operationalizing vulnerability disclosure just makes sense and the research realm is maturing such that it's naturally calling out for a more formal process for both the software vendor/web property and the researcher.
Marilyn Cohodas, 5/30/2014 | 8:12:37 AM
Interesting development -- More to come?
Bug bounty programs seem like a really positive development in cyber security. Kelly, do you envision we will be hearing about more startups following the lead of HackerOne and Bugcrowd?