Bug bounty programs were a major topic of discussion during a panel I moderated on risk management at the Money20/20 finance and tech conference in Las Vegas a couple weeks ago. These programs compensate hackers for poking holes in a company’s products and finding and reporting any vulnerabilities to the people who can fix them. Ideally, they help companies root out flaws in their code and hardware, making the world safer for businesses and consumers.
My panelists were Philip Martin, head of security at Coinbase, the cryptocurrency exchange privately valued at $8 billion, and Mårten Mickos, CEO of HackerOne, a startup that helps companies set up and manage bug bounty programs. (Coinbase has had a bug bounty program in place since its founding in 2012; it’s a customer of HackerOne.)
Here are some of the session’s highlights.
- Citing research by Katie Moussouris, former chief policy officer of HackerOne, I noted that the rewards offered by the “good guys” can never compete with those offered by black market brokers, who will pay a premium for severe vulnerabilities. Mickos pushed back against this assertion, arguing that while some ultra-bad bugs can reap up to a million dollars or more, the vast majority of bugs are more trivial and fetch far less.
- Martin poopooed artificial intelligence as a cure-all for the world’s cybersecurity ills. There are certain things that computers are good at and certain things that humans are good at; the worst bugs demand human ingenuity to uncover and, he said, security professionals should teach these skills through apprenticeship.
- One reason why Coinbase chooses to release the majority of its bug reports to the public is to provide other researchers an invaluable resource for learning. Transparency becomes a way to give back to the community and foster talent.
- The credit and recognition afforded by public reports also helps incentivize hackers to report vulnerabilities to companies, rather than sell their findings to shadier brokers. Bug hunters can use the reputations they build on platforms like HackerOne to land jobs, Mickos said.
- Companies should only put bug bounty programs in place once they have the basics down—meaning after they’ve attained maturity in their vulnerability management process, Martin said. How does one know when one has reached that point? His answer: When there are no longer emergencies.
By the way, Martin helps run the custodial program that Coinbase uses to secure its customers’ crypto wealth. It involves using a pop-up, metal-lined tent as a Faraday cage within which to perform secret cryptographic operations. I recommend reading Wired’s detailed write-up of the ceremony. The procedure is wacky and delightful—and Martin told me it’s one of his favorite parts of his job.
Have a great weekend.
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
You’re outta here! Facebook said it removed 115 accounts suspected of engaging in “coordinated inauthentic behavior” from its flagship site as well as Instagram in the lead-up to the midterm elections in the U.S. Nathaniel Gleicher, Facebook’s cybersecurity policy leader, said the company had been tipped off about the allegedly bogus accounts by law enforcement last weekend. Meanwhile, trolls have been struggling to spread their misinformation on Twitter, NBC News reports.
Doctor, doctor, give me the news. The White House appeared to share a doctored video as justification for its ban of CNN reporter Jim Acosta. The video in question, which sped up Acosta’s arm movement to make it appear as though he were karate chopping a White House intern, was first shared online by a known conspiracy theorist.
Iran so far away. Banks are on high alert for attacks by Iranian hackers in the wake of the U.S.’s reinstatement of economic sanctions on Iran. The middle eastern nation “might lash out,” as one top cybersecurity executive put it to CNN, which got a glimpse of a major bank’s cybersecurity defense center.
Cylance of the lambs. BlackBerry is reportedly in talks to gobble up cybersecurity firm Cylance for as much as $1.5 billion, Business Insider reported. The business news site’s sources said the deal could happen as soon as next week—although it could just as easily fall apart.
Fun in the sun. U.S. Cyber Command, a hacking-focused division of the military, began releasing unclassified malware samples to the public as part of a cybersecurity information sharing initiative on Friday. The command posted two code samples to the Google-owned malware research repository VirusTotal, including one sample that it said originated from the suspected Russian espionage group nicknamed “fancy bear,” which was best known for digitally infiltrating the Democratic National Committee in 2016.
Share today’s Cyber Saturday with a friend:
Looking for previous Data Sheets? Click here
All quiet on the western front? Facebook HQ was relatively calm on the day of the U.S. midterm elections, despite fears that trolls would promote viral misinformation to influence voters. A lot of work went into making this so: a constantly staffed “war room,” investigative journalists and other good samaritans regularly reporting fake news to the company, regulator scrutiny, and more. Kevin Roose at the New York Times took the opportunity to urge people to continue to hold the company accountable, or else the media giant may lapse into its old bad habits.
Credit Card Chips Fail to Halt Fraud, Survey Says by Jeff John Roberts
ONE MORE THING