By Robert Hackett
November 11, 2018

Bug bounty programs were a major topic of discussion during a panel I moderated on risk management at the Money20/20 finance and tech conference in Las Vegas a couple weeks ago. These programs compensate hackers for poking holes in a company’s products and finding and reporting any vulnerabilities to the people who can fix them. Ideally, they help companies root out flaws in their code and hardware, making the world safer for businesses and consumers.

My panelists were Philip Martin, head of security at Coinbase, the cryptocurrency exchange privately valued at $8 billion, and Mårten Mickos, CEO of HackerOne, a startup that helps companies set up and manage bug bounty programs. (Coinbase has had a bug bounty program in place since its founding in 2012; it’s a customer of HackerOne.)

Here are some of the session’s highlights.

  • Citing research by Katie Moussouris, former chief policy officer of HackerOne, I noted that the rewards offered by the “good guys” can never compete with those offered by black market brokers, who will pay a premium for severe vulnerabilities. Mickos pushed back against this assertion, arguing that while some ultra-bad bugs can reap up to a million dollars or more, the vast majority of bugs are more trivial and fetch far less.
  • Martin poopooed artificial intelligence as a cure-all for the world’s cybersecurity ills. There are certain things that computers are good at and certain things that humans are good at; the worst bugs demand human ingenuity to uncover and, he said, security professionals should teach these skills through apprenticeship.
  • One reason why Coinbase chooses to release the majority of its bug reports to the public is to provide other researchers an invaluable resource for learning. Transparency becomes a way to give back to the community and foster talent.
  • The credit and recognition afforded by public reports also helps incentivize hackers to report vulnerabilities to companies, rather than sell their findings to shadier brokers. Bug hunters can use the reputations they build on platforms like HackerOne to land jobs, Mickos said.
  • Companies should only put bug bounty programs in place once they have the basics down—meaning after they’ve attained maturity in their vulnerability management process, Martin said. How does one know when one has reached that point? His answer: When there are no longer emergencies.

By the way, Martin helps run the custodial program that Coinbase uses to secure its customers’ crypto wealth. It involves using a pop-up, metal-lined tent as a Faraday cage within which to perform secret cryptographic operations. I recommend reading Wired’s detailed write-up of the ceremony. The procedure is wacky and delightful—and Martin told me it’s one of his favorite parts of his job.

Have a great weekend.

Robert Hackett


Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my, PGP encrypted email (see public key on my, Wickr, Signal, or however you (securely) prefer. Feedback welcome.


You May Like