Excellent post re hunting #bugbounties. These stats show the researcher's persistence & skilling up, & also inadvertently highlight problems w the #bugbounty ecosystem. What other security job only pays for 57% of your work?
"13% reward rate for 1st month, then 25%, then 57%."
I'm a fan of creating incentives. What #bugbounties have turned into is a misinformed (on both hunted & hunter sides) replacement for other security activities. Thoughtful incentives (including but not limited to bounties) create win-win. The 1st MS bounties had no duplicates.
I love that bug hunters & orgs running bug bounties are using the programs to learn. That's great news. But is it improving security over time, or just outsourcing QA, encouraging sloppier releases & deployments, which lead to more low-hanging fruit, & therefore more duplicates?
Important note: bug bounties were never meant to pay for work going into finding the bug. That would effectively make #bugbounties a violation of labor laws. They were supposed to be a means for hackers to earn $ & be able to disclose when fixed, instead of choosing $ for silence.
$ for the bug+silence is a tool of offense markets for bugs & exploits, hence the much higher prices. #bugbounty $ for silence isn't worth the hunter's effort. NDAs are for pen tests & guaranteed, fairly pre-agreed $ for labor. NDAs for the unsure labor of bounties are a bad deal.
The *original* MS bounties, even for the $100,000 mitigation bypass bounty, deliberately were created with no NDA, & no ownership of the IP (just a license to use it). I wanted no impediment to a hunter coming forward. I know that's changed now, after my departure.