Lawfare Daily: Katie Moussouris on Bug Bounties
The Lawfare Podcast
The Lawfare Institute
🗓️ 12 August 2024
⏱️ 49 minutes
Summary
Lawfare Editor-in-Chief Benjamin Wittes sits down with Katie Moussouris of Luta Security to talk bug bounties. Where do they come from? What is their proper role in cybersecurity? What are they good for, and most importantly, what are they not good for? Moussouris was among the hackers who first did bug bounties at scale—for Microsoft, and then for the Pentagon. Now she helps companies set up bug bounty programs and is dismayed by how they are being used.
To receive ad-free podcasts, become a Lawfare Material Supporter at www.patreon.com/lawfare. You can also support Lawfare by making a one-time donation at https://givebutter.com/c/trumptrials.
Support this show http://supporter.acast.com/lawfare.
Hosted on Acast. See acast.com/privacy for more information.
Transcript
| 0:00.0 | The following podcast contains advertising. |
| 0:04.0 | To access an ad-free version of the Lawfare Podcast, |
| 0:08.0 | become a material supporter of Lawfare at Patreon.com slash Lawfare. That's Patreon.com |
| 0:16.4 | slash Lawfare. Also check out Lawfare's other podcast offerings: Rational Security, Chatter, Lawfare No Bull, and The Aftermath. |
| 0:30.0 | What we're actually seeing is extremely small companies trying to do bug bounties and trying to use it to replace their own internal security processes and efforts. |
| 0:42.0 | So you're seeing, you know, basically a misalignment of investment in cybersecurity being |
| 0:50.0 | crowdsourced as opposed to being in-house. |
| 0:54.0 | It's the Lawfare Podcast. |
| 0:56.7 | I'm Benjamin Wittes, editor-in-chief of Lawfare, |
| 1:00.2 | with Katie Moussouris of Luta Security. |
| 1:04.0 | Where should you be in terms of your security maturity? |
| 1:08.0 | How many incidents or bugs of a certain type should you have, you know, as an organization if you're actually |
| 1:15.0 | handling yourself properly. Nobody expects zero bugs, but it's how you react to them and, you know, |
| 1:20.9 | your own internal resilience that's not really being measured right now. |
| 1:25.0 | Today we're talking about bug bounties, their history, what they're good for, |
| 1:32.0 | and what they're not good for. |
| 1:35.0 | So I want to start with a question that I think you probably get a lot, |
| 1:42.0 | which is how does somebody get into the field of bug |
| 1:49.0 | bounties? What was the trajectory by which you went from not being a person who thought about |
| 1:58.7 | bug bounties to being a person who thought about bug bounties? Well, I think for me it was, you know, |
| 2:08.0 | fairly early days in the broader adoption of bug bounties. So think back to 2010 when Google |
| 2:17.6 | started their bug bounty and before that the only bug bounty of note that existed, you know, really was the Netscape bug bounty, which became the Mozilla bug bounty. |
... |

