5/28/2014 06:00 PM

Microsoft, Facebook Security Leaders Head Startup

The HackerOne project spins off into a new company aimed at facilitating vulnerability disclosure between researchers and software vendors and web properties.

HackerOne, a bug bounty and vulnerability disclosure project originally funded in part by Facebook and Microsoft, has secured $9 million in Series A funding and spun off into a full-blown startup that will be led by former senior security leaders from the two companies.

Katie Moussouris -- the senior security strategy lead who spearheaded Microsoft's work with security researchers, as well as its BlueHat Prize and historic bug bounty program -- has left the software company and joined HackerOne as chief policy officer. Former Facebook director of security Alex Rice, one of HackerOne's co-founders, has been named CTO. Merijn Terheggen, another HackerOne co-founder, has been named CEO. Facebook and Microsoft worked together on the formation of the original HackerOne project, a community bug bounty program launched in November to pay researchers for flaws they found in popular open-source software and Internet protocols.

"I had been running the vulnerability disclosure and white hat program at Facebook for the last couple of years. I have been completely blown away by how effective the disclosure programs have been there," Rice says. "I've been working the past year and a half helping other people... run a disclosure program. HackerOne helps [organizations] make a disclosure process and [facilitates] communicating back and forth with the researchers."

HackerOne, which received the cash infusion from Benchmark Capital, provides an online platform to automate the vulnerability disclosure process between the software vendor or website and the researchers who find the bugs. The platform itself is free to use, but HackerOne does charge a fee for bounty payment transactions.

Rice said the move to become a full-blown company was the next logical step after HackerOne's Internet Bug Bounty program, which Microsoft and Facebook helped sponsor, and supporting other companies' disclosure processes. HackerOne's platform is geared for companies of all sizes to work with researchers who find flaws in their software. "We branched out to help more traditional companies around their disclosure programs," including individual software developers, midsized software companies, and content web firms.

Several clients currently use HackerOne's vulnerability disclosure platform, including Yahoo, CloudFlare, Lookout Security, Python, Urban Dictionary, and open-source projects such as OpenSSL. Not all of its clients actually establish bug bounty programs; some just use the platform for coordinating their disclosure process.

"A researcher doesn't know if they're going to get a high five or have the FBI kick down their door" when they disclose a bug, Rice says. "First and foremost, it's getting companies to publish their disclosure policy around how they will treat researchers."

Terheggen says it's all about providing guidance in the process. "On the researcher side, it's how do I talk to a company? How do I disclose a vulnerability? For the company, it's how do you work with someone who knows your weakness?"

Most organizations handle disclosure coordination via email today, Rice says. "We think [HackerOne's] process is a lot better than the shared inbox [model] most companies have" for disclosure. "This automates the whole process," including "how you want funds distributed."

Another option for vulnerability disclosure coordination is Bugcrowd, a crowdsourced bounty site that also helps organizations set up bug bounty programs online. Bugcrowd runs a free vulnerability disclosure platform called Crowdcontrol, where researchers submit their vulnerability finds to the affected site or software vendor, and those discoveries get vetted.

Bug disclosure is certainly not a new concept, but the process and business of doing so are still suffering some growing pains. "Miscommunication and mistakes happen all the time," Rice says. "It's common to see a botched disclosure."

Former Microsoft bug bounty manager Moussouris says Microsoft's joining the bug bounty game last year was "a major inflection point in the industry."

"Microsoft had been one of the major holdouts for a long time, not offering financial rewards for research. But once that happened, I think there was a big tipping point," Moussouris says.

Aside from Microsoft, several major companies launched bug bounty programs in the past few years, including Facebook, Mozilla, and Google. "The industry realized that the vulnerability economy had changed. There are a lot of options for researchers to be directly compensated for their work," rather than just being thanked publicly, she says.

Moussouris, whose background includes Linux development, vulnerability research, and helping Symantec and Microsoft bridge the vulnerability research world, is also a subject matter expert for the US National Body of the International Standards Organization (ISO) in vulnerability disclosure (29147), secure development (27034), penetration testing in Common Criteria (20004-2) and Vulnerability Handling Processes (30111).

"A lot of the work I plan on doing with HackerOne is not just helping organizations handle vulns better and more efficiently, but also to work to influence policymakers and lawmakers around protecting vulnerability research," she says. "It does not just need to be tolerated, but supported. Vulnerability research is important to the safety of all of us."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Kelly Jackson Higgins (User Rank: Strategist), 6/1/2014 | 9:24:39 PM
Re: Researchers...external or internal?
Good q, @Ryan Sepe: Researchers who find vulns in the products of vendors who use HackerOne's system.
RyanSepe (User Rank: Ninja), 5/31/2014 | 2:04:20 PM
Researchers...external or internal?
Just to clarify, by researchers do they mean individuals within the HackerOne infrastructure, or do they mean working with people externally searching for vulnerabilities within certain systems?

I feel that the second might provide a much larger research base and might be financially more plausible where a per vulnerability discovery payment could be established.
Kelly Jackson Higgins (User Rank: Strategist), 5/30/2014 | 1:29:19 PM
coup
Also, HackerOne getting Katie Moussouris from Microsoft, who spearheaded Microsoft's work with security researchers, its BlueHat Prize, and its bug bounty program, is a pretty big coup.
Kelly Jackson Higgins (User Rank: Strategist), 5/30/2014 | 8:23:48 AM
Re: Interesting development -- More to come?
Hard to say, but it is interesting that this market is really starting to heat up now. Operationalizing vulnerability disclosure just makes sense and the research realm is maturing such that it's naturally calling out for a more formal process for both the software vendor/web property and the researcher.
Marilyn Cohodas (User Rank: Strategist), 5/30/2014 | 8:12:37 AM
Interesting development -- More to come?
Bug bounty programs seem like a really positive development in cyber security. Kelly, do you envision we will be hearing about more startups following the lead of HackerOne and Bugcrowd?