Katie Moussouris is an American computer security researcher, entrepreneur, and pioneer in vulnerability disclosure, and is best known for her ongoing work advocating responsible security research. Previously a member of @stake, she created the bug bounty program at Microsoft and was directly involved in creating the U.S. Department of Defense's first bug bounty program for hackers. She previously served as Chief Policy Officer at HackerOne, a vulnerability disclosure company based in San Francisco, California, and currently is the founder and CEO of Luta Security.
Biography
Moussouris was interested in computers at a young age and learned to program in BASIC on a Commodore 64 that her mother bought her in third grade. She was the first girl to take AP Computer Science at her high school. She attended Simmons College to study molecular biology and mathematics and simultaneously worked on the Human Genome Project at the MIT Whitehead Institute. While at Whitehead she transitioned from a lab assistant to a systems administrator role, and after three years she became the systems administrator for the MIT Department of Aeronautics and Astronautics, where she helped design the computer system for a new lab that was to open in 2000. During this time she also worked as the systems administrator at the Harvard School of Engineering and Applied Sciences. She moved to California to work as a Linux developer at Turbolinux and started its computer security response program. She was active within the West Coast hacker scene and formally joined @stake as a penetration tester in 2002 by invitation of Chris Wysopal.
Symantec
Moussouris joined Symantec in October 2004 when it acquired @stake.
While there, she founded and managed Symantec Vulnerability Research in 2004, which was the first program to allow Symantec researchers to publish vulnerability research.
Microsoft
In May 2007, Moussouris left Symantec to join Microsoft as a security strategist.
She founded the Microsoft Vulnerability Research (MSVR) program, announced at BlackHat 2008. The program has coordinated the response to several significant vulnerabilities, including Dan Kaminsky's DNS flaw, and has also actively looked for bugs in third-party software affecting Microsoft customers (subsequent examples of this include Google's Project Zero).
From September 2010 until May 2014, Moussouris was the Senior Security Strategist Lead at Microsoft, where she ran the Security Community Outreach and Strategy team for Microsoft as part of the Microsoft Security Response Center (MSRC) team. She instigated the Microsoft BlueHat Prize for Advancement of Exploit Mitigations, which awarded over $260,000 in prizes to researchers at BlackHat USA 2012. The grand prize of $200,000 was at the time the largest cash payout being offered by a software vendor. She also created Microsoft's first bug bounty program,
which paid over $253,000 and received 18 vulnerabilities over the course of her tenure.
ISO vulnerability disclosure standard
Moussouris has helped edit the ISO/IEC 29147 document since around 2008. In April 2016, ISO made the standard freely available at no charge after a request from Moussouris and the CERT Coordination Center's Art Manion.
HackerOne
In May 2014, Moussouris was named the Chief Policy Officer at HackerOne, a vulnerability disclosure company based in San Francisco, California.
In this role, Moussouris was responsible for the company's vulnerability disclosure philosophy, and worked to promote and legitimize security research among organizations, legislators and policy makers.
"Hack the ..." series
While still at Microsoft, Moussouris began discussing a bug bounty program with the federal government; she continued these talks when she moved to HackerOne. In March 2016, Moussouris was directly involved in creating the Department of Defense's "Hack the Pentagon" pilot program, organized and vetted by HackerOne. It was the first bug bounty program in the history of the US federal government. Moussouris followed up the Pentagon program with "Hack the Air Force". HackerOne and Luta Security are partnering to deliver up to 20 bug bounty challenges over three years to the Defense Department.
Luta Security
In April 2016, Moussouris founded Luta Security, a consultancy to help organizations and governments work collaboratively with hackers through bug bounty programs.
New America fellow
During 2015-2016 and 2016-2017, Katie Moussouris served as a Cybersecurity Fellow at New America, a U.S.-based think tank.
Wassenaar Arrangement amendment
In 2013, the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies was amended to include "intrusion software". Moussouris wrote an op-ed in Wired criticizing the move as harmful to the vulnerability disclosure industry because of the overly broad definition, and encouraged security experts to write in to help regulators understand how to make the right changes. She was invited as a technical expert to directly assist in the US Wassenaar Arrangement negotiations, and helped rewrite the amendment to adopt end-use decontrol exemptions based on the intent of the user.
Exploit labor market research
Moussouris was a visiting scholar at the MIT Sloan School of Management and affiliate researcher at the Harvard Belfer Center for Science and International Affairs, where she conducted economic research on the labor market for security bugs. She coauthored a book chapter on the first system dynamics model of the vulnerability economy and exploit market, published by MIT Press in 2017.
Congressional testimony
In 2018, Moussouris testified in front of the U.S. Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security about security research for defensive purposes.
In 2021, Moussouris testified in front of the U.S. House Committee on Science, Space, & Technology about improving the cybersecurity of software supply chains.
Anuncia Donecia Songsong Manglona Lab for Gender and Economic Equity
In 2021, Moussouris donated $1 million to found the Anuncia Donecia Songsong Manglona Lab for Gender and Economic Equity at Penn State Law, named after her mother. The "Manglona Lab" will start with a gender equity litigation clinic intended to address workplace financial discrimination while promoting economic equity under the law.
Awards
In 2014, SC Magazine named Moussouris to its Women in IT Security list. She was also named as one of "10 Women in Information Security That Everyone Should Know," and the "One To Watch" among the 2011 Women of Influence awards. In 2018 she was featured among "America's Top 50 Women In Tech" by Forbes.
Presentations
* Night of the Living ISO Draft on Vulnerability Disclosure, Symposium 2010.
* The Wolves of Vuln Street: The 1st Dynamic Systems Model of the 0day Market, RSA Conference 2015.
* Panel: How the Wassenaar Arrangement's Export Control of "Intrusion Software" Affects the Security Industry, BlackHat USA 2015.
* Swinging From the Cyberlier: How to Hack Like Tomorrow Doesn't Exist Without Flying Sideways of Regulations, Kiwicon 2015
Publications and articles
* "Not All Hackers are Evil". ''Time''. Retrieved April 4, 2016.
* "Vulnerability Disclosure Deja Vu: Prosecute Crime Not Research". ''Dark Reading''. Retrieved April 4, 2016.
* "Mad World: The Truth About Bug Bounties". ''Dark Reading''. Retrieved April 4, 2016.
* "How I Got Here: Katie Moussouris". ''Threat Post''. Retrieved April 6, 2016.
* "Hackers Can Be Helpers". ''The New York Times''. Retrieved June 18, 2017.
* "Administration should continue to seek changes to international cyber export controls". ''The Hill''. Retrieved June 18, 2017.
* "The Time Has Come to Hack the Planet". ''Threatpost''. Retrieved September 24, 2017.
Microsoft lawsuit
In September 2015, Moussouris filed a discrimination class-action lawsuit against Microsoft in federal court in Seattle. She alleged that Microsoft hiring practices upheld a practice of sex discrimination against women in technical and engineering roles with respect to performance evaluations, pay, promotions, and other terms and conditions of employment.