Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Monday August 26 2019, @10:39AM   Printer-friendly
from the all-bugs-are-shallow dept.

Submitted via IRC for SoyCow3196

Relying on bug bounties 'not appropriate risk management': Katie Moussouris

If you expect a bug bounty to find and fix your organisation's hidden cybersecurity problems, you're wrong. To steal a line from the late John Clarke, you're a fool to yourself and a burden to others.

Bug bounties are certainly sexy. You'll look like you're engaging with the wider cybersecurity community, and you'll get great media coverage when a hacker strikes it rich.

There's also the belief that if your organisation doesn't pay to know about the bugs, then organised criminals and nation-states will.

But the reality? You may well be paying out big bucks to find generic, easy-to-find vulnerabilities, according to Katie Moussouris, founder and chief executive officer of Luta Security.

"Not all bugs are created equal," she told the Gartner Security and Risk Management Summit in Sydney on Monday.

The vast majority of bugs found via bug bounty programs are cross-site scripting [XSS] bugs, a known class of bugs that are easy to detect, and easy to fix.

"Why would organised crime or nation-states pay for simple classes of bugs that they can find themselves? They're not going to pay some random researcher to tell them about cross-site scripting bugs," Moussouris said.

"You should be finding those bugs easily yourselves too."


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Monday August 26 2019, @03:27PM

    by Anonymous Coward on Monday August 26 2019, @03:27PM (#885669)

    They also get your name on a list of 'interesting people' who can be rounded up and disposed of once the police state is ready for the next step.

    Do you really buy the whole "we're the good guys hoax" ?