Katie Moussouris, former hacker-for-hire and pioneer of Microsoft’s own bug bounty program, has had her concerns, not just about Hack the Pentagon, but about the ways the bug bounty field was changing. “They chose to start with a cash reward program right out of the gate, and that was against my advice,” said Moussouris, who served as an advisor for the Hack the Pentagon program. “You need to crawl before you walk and run.”
For Moussouris, bug bounties were an optional add-on to an entire system that she felt the Pentagon did not yet have in place. While it’s one thing to report a bug, Moussouris felt that the actual investigative work of finding the technical root cause of an issue, patching it, and testing that patch is something organizations should focus on before whipping out the checkbook to freelancers. She has been sounding the alarm about bug bounties for a long time, and about what she calls the exploitative labor practices in the industry.
Today, when you hear news about a hacker finding a software vulnerability and then receiving an award, that’s the modern-day bug bounty program at work. Here’s what to know about the system—and what some experts say are its problems.