Bug bounty programs were a major topic of discussion during a panel I moderated on risk management at the Money20/20 finance and tech conference in Las Vegas a couple weeks ago. These programs compensate hackers for poking holes in a company’s products and finding and reporting any vulnerabilities to the people who can fix them. Ideally, they help companies root out flaws in their code and hardware, making the world safer for businesses and consumers.
My panelists were Philip Martin, head of security at Coinbase, the cryptocurrency exchange privately valued at $8 billion, and Mårten Mickos, CEO of HackerOne, a startup that helps companies set up and manage bug bounty programs. (Coinbase has had a bug bounty program in place since its founding in 2012; it’s a customer of HackerOne.)
Here are some of the session’s highlights.
- Citing research by Katie Moussouris, former chief policy officer of HackerOne, I noted that the rewards offered by the “good guys” can never compete with those offered by black market brokers, who will pay a premium for severe vulnerabilities. Mickos pushed back against this assertion, arguing that while some ultra-bad bugs can reap up to a million dollars or more, the vast majority of bugs are more trivial and fetch far less.
- Martin poopooed artificial intelligence as a cure-all for the world’s cybersecurity ills. There are certain things that computers are good at and certain things that humans are good at; the worst bugs demand human ingenuity to uncover and, he said, security professionals should teach these skills through apprenticeship.
- One reason why Coinbase chooses to release the majority of its bug reports to the public is to provide other researchers an invaluable resource for learning. Transparency becomes a way to give back to the community and foster talent.
- The credit and recognition afforded by public reports also helps incentivize hackers to report vulnerabilities to companies, rather than sell their findings to shadier brokers. Bug hunters can use the reputations they build on platforms like HackerOne to land jobs, Mickos said.
- Companies should only put bug bounty programs in place once they have the basics down—meaning after they’ve attained maturity in their vulnerability management process, Martin said. How does one know when one has reached that point? His answer: When there are no longer emergencies.
By the way, Martin helps run the custodial program that Coinbase uses to secure its customers’ crypto wealth. It involves using a pop-up, metal-lined tent as a Faraday cage within which to perform secret cryptographic operations. I recommend reading Wired’s detailed write-up of the ceremony. The procedure is wacky and delightful—and Martin told me it’s one of his favorite parts of his job.
Have a great weekend.
Robert Hackett
@rhhackett
robert.hackett@fortune.com
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
THREATS
You're outta here! Facebook said it removed 115 accounts suspected of engaging in "coordinated inauthentic behavior" from its flagship site as well as Instagram in the lead-up to the midterm elections in the U.S. Nathaniel Gleicher, Facebook's cybersecurity policy leader, said the company had been tipped off about the allegedly bogus accounts by law enforcement last weekend. Meanwhile, trolls have been struggling to spread their misinformation on Twitter, NBC News reports.
Doctor, doctor, give me the news. The White House appeared to share a doctored video as justification for its ban of CNN reporter Jim Acosta. The video in question, which sped up Acosta's arm movement to make it appear as though he were karate chopping a White House intern, was first shared online by a known conspiracy theorist.
Iran so far away. Banks are on high alert for attacks by Iranian hackers in the wake of the U.S.'s reinstatement of economic sanctions on Iran. The middle eastern nation "might lash out," as one top cybersecurity executive put it to CNN, which got a glimpse of a major bank's cybersecurity defense center.
Cylance of the lambs. BlackBerry is reportedly in talks to gobble up cybersecurity firm Cylance for as much as $1.5 billion, Business Insider reported. The business news site's sources said the deal could happen as soon as next week—although it could just as easily fall apart.
Fun in the sun. U.S. Cyber Command, a hacking-focused division of the military, began releasing unclassified malware samples to the public as part of a cybersecurity information sharing initiative on Friday. The command posted two code samples to the Google-owned malware research repository VirusTotal, including one sample that it said originated from the suspected Russian espionage group nicknamed "fancy bear," which was best known for digitally infiltrating the Democratic National Committee in 2016.
Share today's Cyber Saturday with a friend:
http://fortune.com/newsletter/cybersaturday/
Looking for previous Data Sheets? Click here
ACCESS GRANTED
All quiet on the western front? Facebook HQ was relatively calm on the day of the U.S. midterm elections, despite fears that trolls would promote viral misinformation to influence voters. A lot of work went into making this so: a constantly staffed "war room," investigative journalists and other good samaritans regularly reporting fake news to the company, regulator scrutiny, and more. Kevin Roose at the New York Times took the opportunity to urge people to continue to hold the company accountable, or else the media giant may lapse into its old bad habits.
After an Election Day largely free of viral social media misinformation, and with little trace of the kind of Russian troll stampede that hit its platform in 2016, executives at Facebook may be tempted to take a victory lap. That would be a mistake.
It’s true that Facebook and other social media companies have made strides toward cleaning up their services in the last two years. The relative calm we saw on social media on Tuesday is evidence that, at least for one day, in one country, the forces of chaos on these platforms can be contained. But more than anything, this year’s midterm election cycle has exposed just how fragile Facebook remains.
FORTUNE RECON
Austrian Government Says Colonel May Have Been Russian Spy For Decades by David Meyer
White House Press Secretary Shares Fake Infowars Video to Justify Banning CNN Reporter by Erin Corbett
Facebook Is the Least Trusted Major Tech Company When it Comes to Safeguarding Personal Data, Poll Finds by Jonathan Vanian
Privacy Activists Take On Oracle and Equifax Over Shadowy Profiling by David Meyer
Legal Sports Gambling Could Attract Criminals. Here’s How to Stop Them by Rick McDonell
Here's What Mastercard's Chief Privacy Officer Thinks About GDPR by Erika Fry
Credit Card Chips Fail to Halt Fraud, Survey Says by Jeff John Roberts
Microsoft Will Not Use Personal Data For Profit, Says Satya Nadella by Grace Dobush
ONE MORE THING
Tear here. A Swedish national named Jermu Michael Salonen, 43, is reported to have sent a homemade bomb to employees of a Bitcoin company in London. Last year Salonen had demanded that the company, Cryptopay, send him a new password—a demand the company refused, saying this action would breach its privacy policy. One law enforcement officer quoted by the BBC said the only reason no one was harmed was because of how the package was opened: "It was due to sheer luck that the recipient ripped opened the package in the middle rather than using the envelope flap which would have activated the device."
