Katie Moussouris on bug bounties, gender equity, and the myth of cybersecurity’s ‘pipeline problem’
Katie Moussouris may not have invented bug bounties, but she has done for them what Domino’s accomplished for Cheesy Bread: She refined a messy practice into a fine art—and now everyone wants a piece.
Over her pioneering career, Moussouris has shaped the organizations, policies, and processes at the heart of the bug bounty ecosystem. She helped Microsoft and the Department of Defense launch their first bug bounty programs. At HackerOne, she grew a platform to connect white hat hackers with organizations ready to let outsiders probe their software and computer systems. And in 2016, Moussouris started her own consultancy, Luta Security, to advise companies how to build vulnerability management programs from the ground up.
Outside her day jobs, Moussouris has also tallied an impressive slew of side projects. She helped draft the international standards that guide corporate practices for bug disclosure and vulnerability management. She has testified before Congress (twice) and advised the signatories of the Wassenaar Arrangement, an export control regime governing cross-border transfers of dual-use technologies. In recent years, she conducted policy research for New America, the MIT Sloan School of Management, and Harvard University’s Belfer Center.
But Moussouris isn’t just on a mission to fix the bugs buried in binary. After leaving Microsoft in 2014, Moussouris filed a lawsuit alleging that the technology giant’s pay, promotion, and performance evaluation practices discriminated against women. Moussouris dropped the suit last November, but she has since carried the fight for a better workplace beyond Microsoft.
Last year, Moussouris started the Pay Equity Now Foundation, a non-profit that promotes gender and racial pay equity in the workforce. To support those efforts, she donated $1 million to establish a research and litigation center at Penn State Law, which Moussouris named after her mother.
Earlier this month, The Record interviewed Moussouris about her crusade against both types of bugs. We spoke about her career, why bug bounty programs don’t offer a quick fix for the ransomware threat, and where she thinks the Biden administration’s new executive order misses the mark. We also discussed her continued frustrations with Microsoft, how the myth of cybersecurity’s ‘pipeline problem’ obscures the industry’s deeper gender equity failures, and what it means for Moussouris to ‘walk the walk’ of pay equity at her own firm, Luta Security.
Readers may be interested to know that the conversation, which has been lightly edited for length and clarity, took place over a Microsoft Teams video conference. And, yes, it was buggy.
The Record: Early in your career, you worked as a systems administrator and then a Linux developer. How did those experiences prepare you for the bug hunting and vulnerability disclosure work you’ve since built your name on?
Katie Moussouris: The early part of my career provided me with the ground-up technical knowledge that I needed to empathize with enterprise systems administrators and developers. I think that my background—specifically, having to be the technical, hands-on person to defend an entire network and then being a developer responsible for security for commercial software—gave me more than just the benefit of technical experience. It also gave me an understanding of the tradeoffs that need to happen when you’re working on the defensive side of security.
TR: The topic on everyone’s mind right now is ransomware. What would you say to an organization that came to you and said, “Hey, we want to stand up a vulnerability disclosure or bug bounty program because we heard those offer quick ways to cut down on our threat surface.” Is that a good idea?
KM: When prospective customers come to us with these types of requests, we first ask them a series of questions. What are your security investments right now? What are you currently doing to prevent these types of attacks? How long does it take you to fix critical bugs? What we are trying to assess is whether organizations have invested in their internal security. They need to do that before they try to open up the floodgates and accept security support from outside the organization.
Ransomware exploits the same underlying vulnerabilities that other cyber threats do. So, whatever you were doing before ransomware, you should also be doing that in this increased threat environment.
Does that mean running out and starting a bug bounty program to make it look like you’re taking security very seriously? No. Unless you have made those internal security investments first, unless you can already find and fix bugs quickly, then inviting outside hackers in is just going to create more work for an already overtaxed internal security team.
TR: You went to Capitol Hill last month to testify about the Biden administration’s new executive order on supply chain security. In your testimony, you suggested that the EO focuses too much on solutions in the post-breach section of the cyber kill chain. Where do you think the government can get a better ROI on its security investment?
KM: I think that the executive order throws a bunch of really good practices into high gear. However, some of these (for example, the software bill of materials) represent a heavy lift without necessarily giving a proportionate return on investment for the effort that they would take.
Across the workforce, there is a shortage of security labor and resources. The problem is particularly acute in the federal government. As a result, we simply don’t have the time to put a lot of effort into things that might help us far down the road. We need to focus on the highest impact initiatives first.
The government, or any organization, needs to ask itself: What are the staff and tools that we have right now? What are the gaps and problems we most urgently need to address? There are a lot of organizations that want to comply with everything as soon as humanly possible. While that’s admirable, it’s not a practical rollout plan. It’s not something that is going to get them that ROI that they want.
TR: You pointed to similar labor supply issues in your 2016 Congressional testimony. At the time, you cited two overlapping problems: first, that there is a small pool of technical talent available. Second, that most of that talent tends to pursue what you call ‘bug catching’ as opposed to ‘bug fixing.’ Why is that a problem and how can we fix it?
KM: I think there are plenty of people who could work on the defensive side of security if they had a path to acquire the requisite skills. I mean, a lot of the cybersecurity jobs that you have out there are not jobs for hackers or bug hunters. Why? Because we already have plenty of bugs to fix. Meanwhile, the jobs for bug fixers sit unfilled because a lot of cybersecurity jobs are written as if the organization will only hire a rock star with a decade of experience in the industry.
Obviously, that doesn’t lend itself well to different levels of the workforce. But because security spending is so small, many organizations feel that they can only afford one or maybe two individuals. So, they want to make their resources count by hiring experts.
To rebalance the cyber workforce, I think we need to start by building a better pipeline with more realistic expectations for filling in junior and intermediate cybersecurity roles. We can make a lot of headway if we empower more junior level cybersecurity folks and tap into the resources within organizations. There are plenty of internal people who don’t have a cybersecurity background but who want to move into security. I’ve often found it is easier to teach them security than it is to teach security people about the business side of the equation.
TR: Earlier this year, Google’s Project Zero came out with a report indicating that a quarter of 0-day exploits they detected in 2020 could have been prevented had the vendors issued proper patches for the underlying security flaws. The companies implementing those flawed patches represent some of the largest and most well-resourced technology vendors in the world. How common is that type of problem elsewhere in the cybersecurity ecosystem and how can firms do a better job addressing it?
KM: I think that points to one of the key concepts that I would love for the federal government to understand, which is that a point-in-time assessment of how well an organization is doing is just that: it is an assessment of how effective they are at security at one time.
Often, organizations that have been well resourced try to get to a point where they are operating as efficiently as possible. They may slow down their investment in preventative cybersecurity or make cuts thinking that they are doing well. And while looking for efficiencies and ways to cut spending may make sense from a business perspective, it can overlook the fact that maturity can decline over time.
Overall, I would say that this boils down to a flawed idea about security. You cannot check a bunch of boxes and implement a bunch of best-practices and then consider yourself done. Security is not a destination—it is a journey. And it’s a journey with ebbs and flows of resources. That is the piece I think we’re missing.
TR: Last year, you started the Pay Equity Now Foundation, a non-profit dedicated to promoting gender and racial pay equity in the workplace. At risk of forcing a metaphor, what has your experience in the bug bounty world taught you about shining a light on the things that organizations are doing wrong, and provoking change from the outside?
KM: I have tried to apply the same exact principles to Microsoft in pointing out their flaws in pay and promotion practices as I did when I was working in their bug bounty program. But the problem is that Microsoft resisted—and the court system was set up to enable them to get away with it.
The courts made it exceptionally difficult to receive class certification, despite all the evidence to the contrary. They cited certain technicalities, like the fact that only a few hundred of the more than 8,000 women in our suit came forward with an affidavit. That should not be one of the criteria by which you are denied class certification. I mean, did we need an affidavit from every single woman? Was there a percentage we needed to hit to prove the flaw existed?
Honestly, it’s ironic to me. Microsoft was one of the first companies to embrace the security research community. Microsoft concluded nearly 20 years ago that the most efficient way to deal with issues wasn’t to play whack-a-bug. They would take the bugs researchers flagged, check for some systemic problem, and then fix the underlying issue.
Unfortunately, they haven’t taken the same approach to pay and promotion inequity at the company. In my suit, I highlighted data describing a flaw in their system. But I was not just asking that they correct it for me. What was important was that they correct it across the board and further improve their processes such that they never generate this bug of underpayment and under-promotion against women and minorities again.
TR: You founded Luta Security in 2016. What does it mean to you to be in a position to build the culture and actualize the values you fought for at Microsoft?
KM: It has been a tremendous honor to create a company that not only treats workers fairly, but also walks the walk of pay equity. Even in our small company history, we’ve had opportunities to make pay equity adjustments based on one contractor coming in asking for a certain amount, and then the next contractor coming in and asking for a significantly higher amount for similar work. To ensure contractors are treated fairly, we have even made retroactive pay adjustments.
At Luta, we employ a 32-hour full-time work week. Everyone is paid for 40 hours, but Fridays are off. That takes a lot of adjustment for people, but I believe it is important for employees to have time for themselves, for their lives, and for their creativity. Whether it goes back into the work you do on Monday or whether it’s just an investment in yourself, I don’t care. I believe that people are happier and more productive if they have that respect and dignity.
TR: How do you think the cybersecurity industry is doing when it comes to gender and racial equity? Are we in a better place than we were five years ago?
KM: Honestly, it’s been frustrating. The industry does a lot of complaining and asking me for advice on how to get more women and minorities interested in tech. And I always reply, “We’re born interested.” There is an equal distribution across all human beings of intellectual curiosity and capability. It is just a matter of distributing the opportunities and making things more accessible to entry-level folks that may be coming from different backgrounds.
The industry thinks that the problem is a pipeline problem. In reality, it hasn’t done enough to support, promote, and mentor the women and the minorities who are already in this industry. I have seen men with very little experience coming in and commanding salaries that exceeded my salary when I left Microsoft. And similarly, I see women who have tons of certifications and formal training and they cannot get an interview for an entry-level or mid-level cybersecurity role.
My own career was no different. I didn’t necessarily feel discriminated against when I was more junior or even in the mid-level technical times of my career. Everything changed as soon as I wanted to enter more management- and executive-level positions. That was where I started getting feedback that my male colleagues were not getting. Unlike with me, none of their rough edges were ever considered deal-killers. Really, nothing seemed to impede the progression of white males in the cybersecurity industry.
TR: Last question. It is kind of crazy to say this, but the SolarWinds campaign may now be the third or fourth most significant cybersecurity event of the last six months. You are an unofficial steward of cyber history. I’m curious: have we ever lived through a period like this before?
KM: We’ve seen individual attacks of equivalent scale, similar sophistication levels, and even parallel methodologies. The difference, I think, is the pace and significance of these events. That is visible in the media coverage of the industry and the tone the public uses to describe certain attacks.
I think that the SolarWinds attack was as good as any wake-up call the federal government has ever had. A second trigger for this shift was the direct and abrupt stoppage of businesses occasioned by ransomware, which has absolutely been on the increase over the past year and a half.
Last of all, we now have an administration that wants to take cybersecurity seriously and correct some of the underinvestment that we’ve been suffering from, not just in the past four years, but over the last 20-plus years since the internet took off.