Lawrence Livermore National Laboratory



August 2, 2017

Software “vulnerabilities” are security flaws that can be exploited to launch cyberattacks. Normally the vendors of IT products seek to patch such bugs soon after they are discovered. This makes some “zero-day vulnerabilities” – the ones that vendors still do not know about – particularly valuable to a variety of actors, including companies, national governments, and criminals. While some national governments retain zero-days without reporting them to vendors in cases where the vulnerabilities appear particularly valuable for national intelligence or military objectives, some corporations use “bug bounty programs” to encourage hackers and security researchers to report bugs they discover to the vendor. Export controls have also sought to limit the international trade of vulnerabilities and exploits, though such efforts have led to unintended consequences such as the disruption of international cybersecurity research collaborations. Katie Moussouris will discuss her extensive work at the cutting edge of cybersecurity policy innovation relating to the handling of zero-day vulnerabilities in the private sector, government, and international trade.

Katie Moussouris is the founder and CEO of Luta Security, Inc. and a noted authority on vulnerability disclosure & bug bounties. Katie is a hacker - first hacking computers, now hacking policy & regulations. She was instrumental in helping the US Department of Defense start the government's first bug bounty program, "Hack the Pentagon," which was followed by "Hack the Army." Her earlier Microsoft work encompassed industry-leading initiatives such as Microsoft Vulnerability Research and its bug bounty programs. She is also a subject matter expert for the US National Body of the International Standards Organization (ISO). Katie is a visiting scholar with MIT Sloan School, doing research on the vulnerability economy and exploit market. She is also a New America Foundation Fellow and a Harvard Belfer Affiliate. She is on the CFP review board for the RSA Conference, O'Reilly Security Conference, and Shakacon, and is an adviser to the Center for Democracy and Technology.




Government, the Private Sector and Zero-Day Vulnerabilities

LLNL-VIDEO-739577