Why Bug-Bounty Programs Are Failing Everyone
In a Black Hat USA talk, Katie Moussouris will discuss why bug-bounty programs are failing in their goals, and what needs to happen next to use bounties in a way that improves security outcomes.
Explore the latest in cyber threats, hacker techniques, and security defenses on our Black Hat tag page at the forefront of infosec news.
Search across headline titles and summaries.
Background for this topic.
Black hat describes hackers or techniques used to gain unauthorized access, steal information, deploy malware, commit fraud, or disrupt systems. In security news, it usually means malicious activity rather than a legitimate security test; context may instead point to the Black Hat security conference and its research disclosures.
For practitioners, black-hat activity matters because attackers may exploit unpatched vulnerabilities, stolen credentials, exposed services, or insecure applications. Vulnerability management should prioritize flaws that are actively exploited or accessible from the internet, while controls such as strong authentication, least privilege, secure configuration, and detailed logging can limit abuse and support detection. Threat intelligence can help map observed indicators and techniques to defensive actions. When an incident occurs, rapid containment, credential reset, evidence preservation, and assessment of affected data help determine the scope and any privacy or regulatory obligations.
In a Black Hat USA talk, Katie Moussouris will discuss why bug-bounty programs are failing in their goals, and what needs to happen next to use bounties in a way that improves security outcomes.
Ahead of their Black Hat USA talk in August, Simon Pavitt and Stephen Dewsnip explain the value of helping people practice cyber defense via a "malicious floorwalker" exercise.