Cyber Saturday—Coinbase Loves Hackers, Facebook Election Win, White House Video Fake Out

Bug bounty programs were a major topic of discussion during a panel I moderated on risk management at the Money20/20 finance and tech conference in Las Vegas a couple weeks ago. These programs compensate hackers for poking holes in a company’s products and finding and reporting any vulnerabilities to the people who can fix them. Ideally, they help companies root out flaws in their code and hardware, making the world safer for businesses and consumers.

My panelists were Philip Martin, head of security at Coinbase, the cryptocurrency exchange privately valued at $8 billion, and Mårten Mickos, CEO of HackerOne, a startup that helps companies set up and manage bug bounty programs. (Coinbase has had a bug bounty program in place since its founding in 2012; it’s a customer of HackerOne.)

Here are some of the session’s highlights.

  • Citing research by Katie Moussouris, former chief policy officer of HackerOne, I noted that the rewards offered by the “good guys” can never compete with those offered by black market brokers, who will pay a premium for severe vulnerabilities. Mickos pushed back against this assertion, arguing that while some ultra-bad bugs can reap up to a million…
