Katie Moussouris

Katie Moussouris is an American computer security researcher, entrepreneur, and pioneer in vulnerability disclosure, and is best known for her ongoing work advocating responsible security research. Previously a member of @stake, she created the bug bounty program at Microsoft and was directly involved in creating the U.S. Department of Defense's first bug bounty program for hackers. She previously served as Chief Policy Officer at HackerOne, a vulnerability disclosure company based in San Francisco, California, and currently is the founder and CEO of Luta Security.

Biography
Moussouris had interest in computers at a young age and learned to program in BASIC on a Commodore 64 that her mother bought her in 3rd grade. She was the first girl to take AP Computer Science at her high school. She attended Simmons College to study molecular biology and mathematics and simultaneously worked on the Human Genome Project at the MIT Whitehead Institute. While at Whitehead she transitioned from a lab assistant to a systems administrator role, and after three years she became the systems administrator for the MIT Department of Aeronautics and Astronautics, where she helped design the computer system for a new lab that was to open in 2000. During this time she also worked as the systems administrator at the Harvard School of Engineering and Applied Sciences.

She moved to California to work as a Linux developer at Turbolinux and started their computer security response program. She was active within the West Coast hacker scene and formally joined @stake as a penetration tester in 2002 by invitation of Chris Wysopal.

Symantec
Moussouris joined Symantec in October 2004 when they acquired @stake. While there, she founded and managed Symantec Vulnerability Research in 2004, which was the first program to allow Symantec researchers to publish vulnerability research.

Microsoft
In May 2007, Moussouris left Symantec to join Microsoft as a security strategist. She founded the Microsoft Vulnerability Research (MSVR) program, announced at BlackHat 2008. The program has coordinated the response to several significant vulnerabilities, including Dan Kaminsky's DNS flaw, and has also actively looked for bugs in third-party software affecting Microsoft customers (subsequent examples of this include Google's Project Zero).

From September 2010 until May 2014, Moussouris was the Senior Security Strategist Lead at Microsoft, where she ran the Security Community Outreach and Strategy team for Microsoft as part of the Microsoft Security Response Center (MSRC) team. She instigated the Microsoft BlueHat Prize for Advancement of Exploit Mitigations, which awarded over $260,000 in prizes to researchers at BlackHat USA 2012. The grand prize of $200,000 was at the time the largest cash payout being offered by a software vendor. She also created Microsoft's first bug bounty program, which paid over $253,000 and received 18 vulnerabilities over the course of her tenure.

ISO vulnerability disclosure standard
Moussouris has helped edit the ISO/IEC 29147 document since around 2008. In April 2016, ISO made the standard freely available at no charge after a request from Moussouris and the CERT Coordination Center's Art Manion.

HackerOne
In May 2014, Moussouris was named the Chief Policy Officer at HackerOne, a vulnerability disclosure company based in San Francisco, California. In this role, Moussouris was responsible for the company's vulnerability disclosure philosophy, and worked to promote and legitimize security research among organizations, legislators and policy makers.

"Hack the ..." series
While still at Microsoft, Moussouris began discussing a bug bounty program with the federal government; she continued these talks when she moved to HackerOne. In March 2016, Moussouris was directly involved in creating the Department of Defense's "Hack the Pentagon" pilot program, organized and vetted by HackerOne. It was the first bug bounty program in the history of the US federal government.

Moussouris followed up the Pentagon program with "Hack the Air Force". HackerOne and Luta Security are partnering to deliver up to 20 bug bounty challenges over three years to the Defense Department.

Luta Security
In April 2016, Moussouris founded Luta Security, a consultancy to help organizations and governments work collaboratively with hackers through bug bounty programs.

New America fellow
During 2015-2016 and 2016-2017, Katie Moussouris served as a Cybersecurity Fellow at New America, a U.S.-based think tank.

Wassenaar Arrangement amendment
In 2013, the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies was amended to include "intrusion software". Moussouris wrote an op-ed in Wired criticizing the move as harmful to the vulnerability disclosure industry due to the overly-broad definition and encouraged security experts to write in to help regulators understand how to make the right changes. She was invited as a technical expert to directly assist in the US Wassenaar Arrangement negotiations, and helped rewrite the amendment to adopt end-use decontrol exemptions based on the intent of the user.

Exploit labor market research
Moussouris was a visiting scholar at the MIT Sloan School of Management and affiliate researcher at the Harvard Belfer Center for Science and International Affairs, where she conducted economic research on the labor market for security bugs. She coauthored a book chapter on the first system dynamics model of the vulnerability economy and exploit market, published by MIT Press in 2017.

Congressional testimony
In 2018, Moussouris testified in front of the U.S. Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security about security research for defensive purposes.

In 2021, Moussouris testified in front of the U.S. House Committee on Science, Space, & Technology about improving the cybersecurity of software supply chains.

Anuncia Donecia Songsong Manglona Lab for Gender and Economic Equity
In 2021, Moussouris donated $1 million to found the Anuncia Donecia Songsong Manglona Lab for Gender and Economic Equity, at Penn State Law, named after her mother. The “Manglona Lab” will start with a gender equity litigation clinic intended to address workplace financial discrimination while promoting economic equity under the law.

Awards
In 2014, SC Magazine named Moussouris to its Women in IT Security list. She was also named as one of "10 Women in Information Security That Everyone Should Know," and the "One To Watch" among the 2011 Women of Influence awards. In 2018 she was featured among "America's Top 50 Women In Tech" by Forbes.

Presentations

 * Night of the Living ISO Draft on Vulnerability Disclosure, Symposium 2010.
 * The Wolves of Vuln Street: The 1st Dynamic Systems Model of the 0day Market, RSA Conference 2015.
 * Panel: How the Wassenaar Arrangement's Export Control of "Intrusion Software" Affects the Security Industry, BlackHatUSA 2015
 * Swinging From the Cyberlier: How to Hack Like Tomorrow Doesn't Exist Without Flying Sideways of Regulations, Kiwicon 2015

Publications and articles

 * "Not All Hackers are Evil". Time. Retrieved April 4, 2016.
 * "Vulnerability Disclosure Deja Vu: Prosecute Crime Not Research". Dark Reading. Retrieved April 4, 2016.
 * "Mad World: The Truth About Bug Bounties". Dark Reading. Retrieved April 4, 2016.
 * "How I Got Here: Katie Moussouris". Threat Post. Retrieved April 6, 2016.
 * "Hackers Can Be Helpers". The New York Times. Retrieved June 18, 2017.
 * "Administration should continue to seek changes to international cyber export controls". The Hill. Retrieved June 18, 2017.
 * "The Time Has Come to Hack the Planet". Threatpost. Retrieved September 24, 2017.

Microsoft lawsuit
In September 2015, Moussouris filed a discrimination class-action lawsuit against Microsoft in federal court in Seattle. She alleged that Microsoft hiring practices upheld a practice of sex discrimination against women in technical and engineering roles with respect to performance evaluations, pay, promotions, and other terms and conditions of employment.