This post is part of Mashable’s ongoing series The Women Fixing STEM, which highlights trailblazing women in science, tech, engineering, and math, as well as initiatives and organizations working to close the industries’ gender gaps.
It had taken a month of work, but Jesse Kinser had finally hit the jackpot. The security researcher had managed to pull off quite a feat — stealing the source code for more than 10,000 different websites, including a big four consulting company — and the ramifications of her find were staggering.
But contrary to many people’s perceptions of shadowy hackers, her next move wasn’t trading the data on the dark web, or crafting exploits to sell to the highest bidder. Rather, she was faced with a different sort of daunting task: developing a responsible disclosure process to notify the thousands of vulnerable companies she’d just pwned. That’s right, after accessing all that code, her next job was to let the victims know exactly how she’d done it — and how they could stop someone with a different set of moral guideposts from doing the same.
It’s all in a day’s work for the researchers who, driven by curiosity, a common sense of purpose, and the real possibility of financial reward, spend their time hunting bugs online. Welcome to the world of bug bounties, where the hackers are the good guys — or, just as often, the good gals.
Though, perhaps not as frequently as one might hope. A 2017 report from The Center for Cyber Safety and Education, a nonprofit “committed to making the cyber world a safer place for everyone,” investigated the gender gap in the field of cybersecurity and information security and the findings weren’t pretty.
“Women are globally underrepresented in the cybersecurity profession at 11 percent, much lower than the representation of women in the overall global workforce,” read the study’s key findings. “In 2016 women in cybersecurity earned less than men at every level.”
To make matters worse, a 2017 survey by endpoint security company Endgame found that “85 percent of non-male respondents experienced some level of discrimination at professional conferences, and over half have experienced harassment at those events.”
Clearly, much needs to change.
We spoke to three women absolutely crushing the bug bounty field, who explained how they got started, why they do what they do, and some of their most memorable discoveries. They also shared their thoughts on how to encourage more women to join them in their quest to make the internet a safer place.
But first, a little background.
As long as there has been publicly released software, there have been enthusiasts poking into it. Those people, often viewed with suspicion by corporate execs or government officials, sometimes discover bugs — unintentional holes, or glitches, built into a system that allow it to be manipulated in ways its designers hadn’t intended.
This, the security community has come to understand, can be a very good thing.
The term bug bounty appears to have first been used by Netscape in 1995 press release regarding its beta Navigator 2.0 software. The idea itself had been tried before, and notably involved an actual VW Bug, but Netscape’s program was one of the first attempts by a major software company to codify the practice and lay out clear rules for anyone poking around the company’s products in his or her spare time.
Netscape referred to its program as a “bugs bounty” contest and structured rewards — from cash prizes to merch — based on the type and severity of the bugs reported.
This program, and later bug bounty programs like it, killed two birds with one stone. First, reported bugs would allow the company to make its software more secure. Second, and here’s the real game changer, it created a legal alternative for hackers hoping to financially benefit from their hard work.
With the implementation of bug bounty programs, embraced by the likes of Google, Microsoft, Facebook, and shepherded by companies like HackerOne and Bugcrowd, hacking could make you rich (or, at the very least, pay your bills) without the drawback of having to look over your shoulder for police in the process.
“I was a really strange, lonely child with a computer,” recounted Katie Moussouris over the phone one sunny October afternoon. “I think that’s the origin story of many of us, especially in the pre-internet days of computing.”
Moussouris, an internationally renowned security researcher and founder of the bug bounty program at Microsoft, was always interested in computers. Growing up in the Boston area, she first got her hands on one at eight, and quickly learned how to program Basic on a Commodore 64. Before long, she was dialing into the same bulletin board systems (BBS) frequented by members of the notorious L0pht hacking crew.
She carried this interest into her professional life, and her early work included a systems administration job at MIT’s Whitehead Institute for Biomedical Research Genome Center, and later a role as MIT’s Department of Aeronautics and Astronautics sys admin.
“MIT, up until very recently, was on purpose a very open network,” she said over the phone. “You had students and grad students and professors all putting their unpatched, brand new installed boxes up on the raw internet with IP address. It was my job as systems administrator to make sure that they didn’t get hacked too often, and if they were hacked that I could go in and clean up and restore their services.”
Moussouris’s next professional step involved a move to San Francisco to work as a Linux developer with a focus on security.
The dot-com bust of the early 2000s changed things for many in the Bay Area, including Moussouris, who used the upheaval as an excuse to become an independent penetration tester — a “hacker for hire,” as she explained.
Skip ahead a few years, and Moussouris was employed at Microsoft in her first non-hacking role in roughly a decade. She was working as a strategist, but found Microsoft’s vision for her work — “part technical recruiter, part influencer of the hacker community” — to be “a little bit thin.” So, she did what any hacker would do: She found how to make the larger corporate system work for her.
Moussouris launched Microsoft Security Vulnerability Research — a program that consisted of Microsoft employees searching for vulnerabilities in third-party products — giving her the chance to help coordinate the discovery and reporting of bugs that affected the larger security ecosystem.
In early 2010, she was offered a Director-level position at a company in San Francisco and was all set to leave Microsoft when her employer made her an offer she couldn’t refuse. Specifically, the chance to start a bug bounty program at the company, helmed by her.
Three years later, after a lot of work, the Microsoft Bug Bounty program launched. Moussouris had secured the full support of the Internet Explorer team, the Windows team, and the Office 365 team was itching to get on board.
And the project was a success. She still remembers the first $100,000 bounty that Microsoft paid out. The recipient was her friend James Forshaw, now with Google Project Zero. Moussouris happened to be in England at the time — Forshaw lived in London — and so she took him out for beers in an attempt to convince him to participate in the program.
“He found four different sandbox escapes in the 30 days of the IE bounty,” Moussouris recalled with more than a touch of pleasant surprise. “That was astounding to us.”
“Our threat models as women are different from men.”
So, knowing a good thing when she saw it, she went back to Forshaw and asked him to try again. He did, and at the end of a three-week “research bender,” he discovered a reliable exploit and handed over a full technical writeup that was, in Microsoft’s eyes, well worth a $100,000 payout.
“My favorite moment was calling my friend James on the phone, and I was standing outside of a Microsoft cafeteria, and I said, ‘James, you’ve made history.'”
But Moussouris wasn’t done there. She later went on to help create the U.S. Department of Defense’s first bug bounty program, known as Hack the Pentagon.
Still, despite her work launching foundational bug bounty programs, Moussouris offered a word of caution. She explained that if the security community isn’t careful, bug bounty programs will turn into a sort of virtue signaling that doesn’t address real security problems.
“What I see in the couple of years of bug bounty popularity is a huge diversion from the original purpose of focusing eyes on areas you want to look at, to ‘a bug bounty is a replacement for a [penetration test]’— which is absolutely wrong,” she explained. “Unfortunately it’s creating a very damaging ecosystem for both bug hunters and companies who want to start bug bounties.”
And that’s not her only critique of the bug bounty space. Moussouris, who founded and currently runs the security company Luta Security, sees industry-wide pay disparities as something that must be fixed if more women are going to find longterm success in the field.
“It’s not about getting more women interested in tech, we already are, we’re born ready.”
“This is a result of valuing women’s work less than men, and it’s an endemic problem,” she noted. “So, I look at this as more of a societal issue. It’s not about getting more women interested in tech, we already are, we’re born ready.”
Moussouris was quick to identify one of the tangible problems that comes with having a homogenous security community. “Our threat models as women are different from men,” she observed. “We should be participating.”
Still, Moussouris thinks the tide is changing — albeit slowly.
“I’m holding out for my hacker Hidden Figures LEGO box set figure of myself in like 50 years,” she joked toward the end of our conversation. “I’ll be 93, at that point, and I think that’s about right — that’s probably when we’ll see the broader recognition of women’s contributions to computing.”
Jesse Kinser was interested in security research, and wasn’t going to let the fact that Indiana University Bloomington — where she was studying for her undergraduate degree — didn’t at the time have a dedicated program stop her from pursing it.
So, with some guidance from professor of informatics Jean Camp, she got to work on her own.
“[I] started research on malware and digital forensics,” she explained over the phone, “and started writing these random research papers which actually ended getting picked up by [the U.S. government].”
Essentially, like so many hackers before her, she made her own way into the community.
She graduated in 2010, and, after college, worked with the U.S. intelligence community for five years — eventually getting her masters degree in computer science at Capitol Technology University.
Fast forward to three or four years ago, and Kinser found herself interested in expanding her work past secure development and into so-called “red teaming.” You know, the actual breaking into stuff part of hacking.
That’s where the bug bounties came in.
“I really wanted to get a more hands on, technical skill set,” she recounted. “I started doing bug bounties because I could do that on the side to really perfect my skills, and then I had a chance to legally hack against all these random third-party companies that encouraged it. So that was really cool.”
One of those cool things? That aforementioned stolen source code from over 10,000 websites.
“I actually put a down payment on a Tesla with my bug bounty money.”
“There was a big four consulting company that I was able to pull all their database passwords down and steal their entire source code for their site,” she recalled. “There was 10,000 different websites that I did this for, right, and so then I had to come up with a responsible disclosure process to let them all know ‘hey you’ve got this misconfiguration.'”
“So that was a barrel of fun,” she laughed.
Kinser presented her findings at DEF CON 25 in 2017 as part of the non-recorded track. That track is typically reserved for sensitive findings, of which this clearly counted. Especially considering the number of websites affected.
“The vulnerability disclosure work took longer than actually finding and exploiting the vulnerability because of the number of impacted sites and people to notify,” she explained. “The source code was exposed at the root of the website for more than 10,000 sites, some of which were U.S. federal and state government owned.”
This research, while incredibly valuable, didn’t exactly make her rich. And it even pissed a few people off. At least some of the vulnerable companies didn’t want to believe that someone was able to pull off what she had done. But, of course, Kinser was.
Some companies straight up ignored her attempts to notify them of her findings, while a few responded more reasonably.
“Some of the impacted people sent me money via Paypal or random swag as a token of appreciation but most did not,” she recalled. “It was mostly a few hundred dollars here and there. One company sent me this strangely shaped umbrella which everyone looks at me weird when I use here in the midwest.”
But that was then.
Kinser currently works at LifeOmic, a software company in the healthcare space, and puts her expertise to use as the company’s Director of Product Security. She is exactly the kind of person you want protecting sensitive medical data from attackers — after all, as a bug bounty researcher, she (legally) is an attacker herself.
Plus, she gets to run LifeOmic’s bug bounty program. In other words, she’s on both sides of the coin — paying her bills with her full-time security job and earning her “fun money” by finding holes in others’ software.
“I actually put a down payment on a Tesla with my bug bounty money,” she noted.
Kinser emphasized that you don’t need to have an academic background researching malware to become a bug bounty hunter. The field, she insisted, is open to all comers.
“I think the thing that women need to know is that it’s OK if you know nothing about this industry, you can always get into it.” She explained that a career in security “really is [obtainable] if you just spend time and start doing it, and these bug bounty programs are a great way to do that.”
Kinser added that bug bounties, specifically, offer the flexibility needed to get into the hacking scene.
Not that it’s without its challenges. “A lot of us are parents,” she said, “[and] once my son is in bed, I work on bounties sometimes until 2:00 a.m. in the morning.”
Kinser hopes to see a wider understanding of the difficulties presented by being a parent and a security professional at the same time. Specifically, traveling the world to attend security conferences becomes a lot more difficult when you need to find child care.
“It’s a unique balance,” she observed, “and I’ve noticed a lot more women in the security industry starting to talk about that, and how they balance it and some of the challenges [that come] with that.”
Like many who’ve chosen a life in security work, Alyssa Herrera got her start hacking early — 16, to be exact. She was quickly hooked.
Her discovery of bug bounty programs, and the real possibility of making cash doing what she loved, changed the course of her life.
“It was a small turning point for me when I found out about bug bounty programs and it being a possible legitimate outlet for something I knew how to do,” she explained over email. “It was so much of a decision for me that I actually didn’t go to college because I wanted to spend time learning about information security and everything about the legal side of doing security work for companies.”
Now, four years later, she does well enough that finding and reporting bugs via platforms like HackerOne is her sole source of income.
“It’s like solving a hard riddle or a puzzle.”
“It’s been quite a journey,” she observed. Which, well, based on some of her findings, sounds like an understatement.
When asked about the more memorable bugs she’s discovered and reported, Herrera shared two of particular note. The first of which just so happened to involve hacking the U.S. Department of Defense.
“I was able to find a novel way to access their internal non-classified networks,” she explained. “It was quite a rush to demonstrate how a malicious state actor could compromise and gain access to sensitive military servers.”
A rush indeed. Working as a bug bounty researcher, Herrera was allowed to legally hack the U.S. government. But she targeted private companies, as well — with their permission, of course.
“The other vulnerability would be for a private insurance company in which I was able to demonstrate basic command injection that gave full access to their servers,” she recalled, “which could [have] led to [a] massive data leak.”
“The experiences were both quite euphoric,” added Herrera, “it’s like solving a hard riddle or a puzzle. It’s one of the things that keeps me working toward finding more vulnerabilities.”
Herrera sees plenty of room for more people to get into the bug bounty scene, noting that organizations like Women In Tech Fund and WISP work to provide resources and funding for women in the hacking community.
However, she noted curiosity and drive go a long way on their own.
“Honestly anyone can learn about bug bounties and web application security,” she explained. “The community for information security as a whole is quite welcoming, and there’s various resources freely available.”
As for what keeps her going? “There’s always a new challenge around the corner, especially with bug bounties.”