Microsoft, Facebook Security Leaders Head Startup

The HackerOne project spins off into a new company aimed at facilitating vulnerability disclosure between security researchers and the software vendors and web properties whose bugs they find.

HackerOne, a bug bounty and vulnerability disclosure project originally funded in part by Facebook and Microsoft, has secured $9 million in Series A funding and spun off into a full-blown startup that will be led by former senior security leaders from the two companies.

Katie Moussouris -- the senior security strategy lead who spearheaded Microsoft's work with security researchers, as well as its BlueHat Prize and historic bug bounty program -- has left the software company and joined HackerOne as chief policy officer. Former Facebook director of security Alex Rice, one of HackerOne's co-founders, has been named CTO. Merijn Terheggen, another HackerOne co-founder, has been named CEO. Facebook and Microsoft worked together on the formation of the original HackerOne project, a community bug bounty program launched in November to pay researchers for flaws they found in popular open-source software and Internet protocols.

"I had been running the vulnerability disclosure and white hat program at Facebook for the last couple of years. I have been completely blown away by how effective the disclosure programs have been there," Rice says. "I've been working the past year and a half helping other people... run a disclosure program. HackerOne helps [organizations] make a disclosure process and [facilitates] communicating back and forth with the researchers."

HackerOne, which received the cash infusion from Benchmark Capital, provides an online platform that automates the vulnerability disclosure process between the software vendor or website operator and the researchers who find the bugs. The platform itself is free to use, but HackerOne charges a fee on bounty payment transactions.

Rice said the move to become a full-blown company was the next logical step after HackerOne's Internet Bug Bounty program, which Microsoft and Facebook helped sponsor, and its work supporting other companies' disclosure processes. HackerOne's platform is geared for companies of all sizes to work with researchers who find flaws in their software. "We branched out to help more traditional companies around their disclosure programs," including individual software developers, midsized software companies, and content web firms.

Several clients currently use HackerOne's vulnerability disclosure platform, including Yahoo, CloudFlare, Lookout Security, Python, Urban Dictionary, and open-source projects such as OpenSSL. Not all of its clients establish bug bounty programs; some use the platform only to coordinate their disclosure process, without paying rewards.

"A researcher doesn't know if they're going to get a high five or have the FBI kick down their door" when they disclose a bug, Rice says. "First and foremost, it's getting companies to publish their disclosure policy around how they will treat researchers."

Terheggen says it's all about providing guidance in the process. "On the researcher side, it's how do I talk to a company? How do I disclose a vulnerability? For the company, it's how do you work with someone who knows your weakness?"

Most organizations handle disclosure coordination via email today, Rice says. "We think [HackerOne's] process is a lot better than the shared inbox [model] most companies have" for disclosure. "This automates the whole process," including "how you want funds distributed."

Another option for vulnerability disclosure coordination is Bugcrowd, a crowdsourced bounty site that also helps organizations set up bug bounty programs online. Bugcrowd runs a free vulnerability disclosure platform called Crowdcontrol, through which researchers submit their findings to the affected site or software vendor, and those submissions are vetted before they reach the vendor.

Bug disclosure is certainly not a new concept, but both the process and the business of doing it are still suffering growing pains. "Miscommunication and mistakes happen all the time," Rice says. "It's common to see a botched disclosure."

Former Microsoft bug bounty manager Moussouris says Microsoft's joining the bug bounty game last year was "a major inflection point in the industry."

"Microsoft had been one of the major holdouts for a long time, not offering financial rewards for research. But once that happened, I think there was a big tipping point," Moussouris says.

Aside from Microsoft, several major companies have launched bug bounty programs in the past few years, including Facebook, Mozilla, and Google. "The industry realized that the vulnerability economy had changed. There are a lot of options for researchers to be directly compensated for their work," rather than just being thanked publicly, she says.

Moussouris, whose background includes Linux development, vulnerability research, and helping Symantec and Microsoft build working relationships with the vulnerability research community, is also a subject matter expert for the US National Body to the International Organization for Standardization (ISO) in vulnerability disclosure (29147), secure development (27034), penetration testing in Common Criteria (20004-2), and vulnerability handling processes (30111).

"A lot of the work I plan on doing with HackerOne is not just helping organizations handle vulns better and more efficiently, but also to work to influence policymakers and lawmakers around protecting vulnerability research," she says. "It does not just need to be tolerated, but supported. Vulnerability research is important to the safety of all of us."