5/28/2014
06:00 PM
Microsoft, Facebook Security Leaders Head Startup

The HackerOne project spins off into a new company aimed at facilitating vulnerability disclosure between researchers and software, web properties.

HackerOne, a bug bounty and vulnerability disclosure project originally funded in part by Facebook and Microsoft, has secured $9 million in Series A funding and spun off into a full-blown startup that will be led by former senior security leaders from the two companies.

Katie Moussouris -- the senior security strategy lead who spearheaded Microsoft's work with security researchers, as well as its BlueHat Prize and historic bug bounty program -- has left the software company and joined HackerOne as chief policy officer. Former Facebook director of security Alex Rice, one of HackerOne's co-founders, has been named CTO. Merijn Terheggen, another HackerOne co-founder, has been named CEO. Facebook and Microsoft worked together on the formation of the original HackerOne project, a community bug bounty program launched in November to pay researchers for flaws they found in popular open-source software and Internet protocols.

"I had been running the vulnerability disclosure and white hat program at Facebook for the last couple of years. I have been completely blown away by how effective the disclosure programs have been there," Rice says. "I've been working the past year and a half helping other people... run a disclosure program. HackerOne helps [organizations] make a disclosure process and [facilitates] communicating back and forth with the researchers."

HackerOne, which received the cash infusion from Benchmark Capital, provides an online platform to automate the vulnerability disclosure process between the software vendor or website and the researchers who find the bugs. The platform itself is free to use, but HackerOne does charge a fee for bounty payment transactions.

Rice says the move to become a full-blown company was the next logical step after HackerOne's Internet Bug Bounty program, which Microsoft and Facebook helped sponsor, and after supporting other companies' disclosure processes. HackerOne's platform is geared for companies of all sizes to work with researchers who find flaws in their software. "We branched out to help more traditional companies around their disclosure programs," including individual software developers, midsized software companies, and content web firms.

Several clients currently use HackerOne's vulnerability disclosure platform, including Yahoo, CloudFlare, Lookout Security, Python, Urban Dictionary, and open-source projects such as OpenSSL. Not all of its clients actually establish bug bounty programs; some just use the platform for coordinating their disclosure process.

"A researcher doesn't know if they're going to get a high five or have the FBI kick down their door" when they disclose a bug, Rice says. "First and foremost, it's getting companies to publish their disclosure policy around how they will treat researchers."

Terheggen says it's all about providing guidance in the process. "On the researcher side, it's how do I talk to a company? How do I disclose a vulnerability? For the company, it's how do you work with someone who knows your weakness?"

Most organizations handle disclosure coordination via email today, Rice says. "We think [HackerOne's] process is a lot better than the shared inbox [model] most companies have" for disclosure. "This automates the whole process," including "how you want funds distributed."

Another option for vulnerability disclosure coordination is Bugcrowd, a crowdsourced bounty site that also helps organizations set up bug bounty programs online. Bugcrowd runs a free vulnerability disclosure platform called Crowdcontrol, where researchers submit their vulnerability finds to the affected site or software vendor, and those discoveries get vetted.

Bug disclosure is certainly not a new concept, but the process and business of doing so are still suffering some growing pains. "Miscommunication and mistakes happen all the time," Rice says. "It's common to see a botched disclosure."

Former Microsoft bug bounty manager Moussouris says Microsoft's joining the bug bounty game last year was "a major inflection point in the industry."

"Microsoft had been one of the major holdouts for a long time, not offering financial rewards for research. But once that happened, I think there was a big tipping point," Moussouris says.

Aside from Microsoft, several major companies have launched bug bounty programs in the past few years, including Facebook, Mozilla, and Google. "The industry realized that the vulnerability economy had changed. There are a lot of options for researchers to be directly compensated for their work," rather than just being thanked publicly, she says.

Moussouris, whose background includes Linux development, vulnerability research, and helping Symantec and Microsoft bridge the vulnerability research world, is also a subject matter expert for the US National Body of the International Standards Organization (ISO) in vulnerability disclosure (29147), secure development (27034), penetration testing in Common Criteria (20004-2) and Vulnerability Handling Processes (30111).

"A lot of the work I plan on doing with HackerOne is not just helping organizations handle vulns better and more efficiently, but also to work to influence policymakers and lawmakers around protecting vulnerability research," she says. "It does not just need to be tolerated, but supported. Vulnerability research is important to the safety of all of us."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Kelly Jackson Higgins,
User Rank: Strategist
6/1/2014 | 9:24:39 PM
Re: Researchers...external or internal?
Good q, @Ryan Sepe: Researchers who find vulns in vendors' products, where those vendors use HackerOne's system.
RyanSepe,
User Rank: Ninja
5/31/2014 | 2:04:20 PM
Researchers...external or internal?
Just to clarify, by researchers do they mean individuals within the HackerOne infrastructure, or do they mean working with people externally searching for vulnerabilities within certain systems?

I feel that the second might provide a much larger research base and might be financially more plausible where a per vulnerability discovery payment could be established.
Kelly Jackson Higgins,
User Rank: Strategist
5/30/2014 | 1:29:19 PM
coup
Also, HackerOne getting Katie Moussouris from Microsoft, who spearheaded Microsoft's work with security researchers, its BlueHat Prize and bug bounty program, is a pretty big coup. 
Kelly Jackson Higgins,
User Rank: Strategist
5/30/2014 | 8:23:48 AM
Re: Interesting development -- More to come?
Hard to say, but it is interesting that this market is really starting to heat up now. Operationalizing vulnerability disclosure just makes sense and the research realm is maturing such that it's naturally calling out for a more formal process for both the software vendor/web property and the researcher.
Marilyn Cohodas,
User Rank: Strategist
5/30/2014 | 8:12:37 AM
Interesting development -- More to come?
Bug bounty programs seem like a really positive development in cyber security. Kelly, do you envision we will be hearing about more startups following the lead of HackerOne and Bugcrowd?