Tech
Why bug bounty schemes have not led to secure software | Computer Weekly
Governments should make software companies liable for developing insecure computer code. So says Katie Moussouris, the white hat hacker and security expert who first persuaded Microsoft and the Pentagon to offer financial rewards to security researchers who found and reported serious security vulnerabilities.
Bug bounty schemes have since proliferated and have now become the norm for software companies, with some, such as Apple, offering awards of $2m or more to those who find critical security vulnerabilities.
Moussouris likens security vulnerability research to working for Uber, only with lower pay and less job security. The catch is that people only get paid if they are the first to find and report a vulnerability. Those who put in the work but get results second or third get nothing.
“Intrinsically, it is exploitative of the labour market. You are asking them to do speculative labour, and you are getting something quite valuable out of them,” she says.
Some white hat hackers, motivated by helping people fix security problems, have managed to make a living by specialising in finding medium-risk vulnerabilities that may not pay as well as the high-risk bugs, but are easier to find.
But most security researchers struggle to make a living as bug bounty hunters.
“Very few researchers are capable of finding those elite-level vulnerabilities, and very few of the ones that are capable think it is worth their while to chase a bug bounty. They would rather have a nice contract or a full-time role,” she says.
Ethical hacking comes with legal risks
It’s not just the lack of a steady income. Security researchers also face legal risks from anti-hacking laws, such as the UK’s Computer Misuse Act and the US’s draconian Computer Fraud and Abuse Act.
When Moussouris joined Microsoft in 2007, she persuaded the company to announce that it would not prosecute bounty hunters if they found online vulnerabilities in Microsoft products and reported them responsibly. Other software companies have since followed suit.
The UK government has now recognised the problem and promised to introduce a statutory defence for cyber security researchers who spot and share vulnerabilities to protect them from prosecution.
Another issue is that many software companies insist on security researchers signing a non-disclosure agreement (NDA) before paying them for their vulnerability disclosures.
This flies in the face of the best practices for security disclosures, which Moussouris has championed through the International Standards Organisation (ISO).
When software companies pay the first person to discover a vulnerability a bounty in return for signing an NDA, that creates an incentive for those who find the same vulnerability to publicly disclose it, increasing the risk that a bad actor will exploit it for criminal purposes.
Worse, some companies use NDAs to keep vulnerabilities hidden but don’t take steps to fix them, says Moussouris, whose company, Luta Security, manages and advises on bug bounty and vulnerability disclosure programmes.
“We often see a big pile of unfixed bugs,” she says. “And some of these programmes are well funded by publicly traded companies that have plenty of cyber security employees, application security engineers and funding.”
Some companies appear to regard bug bounties as a replacement for secure coding and proper investment in software testing.
“We are using bug bounties as a stop-gap, as a way to potentially control the public disclosure of bugs, and we are not using them to identify symptoms that can diagnose our deeper lack of security controls,” she adds.
Ultimately, Moussouris says, governments will have to step in and change laws to make software companies liable for errors in their software, in much the same way car manufacturers are responsible for safety flaws in their vehicles.
“All governments have pretty much held off on holding software companies responsible and legally liable, because they wanted to encourage the growth of their industry,” she says. “But that has to change at a certain point, like automobiles were not highly regulated, and then seatbelts were required by law.”
AI could lead to less secure code
The rise of artificial intelligence (AI) could make white hat hackers redundant altogether, but perhaps not in a way that leads to better software security.
All of the major bug bounty platforms in the US are using AI to help with the triage of vulnerabilities and to augment penetration testing.
An AI-powered penetration testing platform, XBow, recently topped the bug bounty leaderboard by using AI to focus on relatively easy-to-find vulnerabilities and testing likely candidates in a systematic way to harvest security bugs.
“Once we create the tools to train AI to make it appear to be as good, or better in a lot of cases, than humans, you are pulling the rug out of the market. And then where are we going to get the next bug bounty expert?” she asks.
The current generation of experts with the skills to spot when AI systems are missing something important is in danger of disappearing.
“Bug bounty platforms are moving towards an automated, driverless version of bug bounties, where AI agents are going to take the place of human bug hunters,” she says.
Unfortunately, it’s far easier for AI to find software bugs than it is to use AI to fix them. And companies are not investing as much as they should in using AI to mitigate security risks.
“We have to figure out how to change that equation very quickly. It is easier to find and report a bug than it is for AI to write and test a patch,” she says.
Bug bounties have failed
Moussouris, a passionate and enthusiastic advocate of bug bounty schemes, is the first to acknowledge that bug bounty schemes have, in one sense, failed.
Some things have improved. Software developers have shifted to better programming languages and frameworks that make it harder to introduce particular classes of vulnerability, such as cross-site scripting errors.
But there is, she suggests, too much security theatre. Companies still address faults because they are visible, but hold off fixing things that the public can’t see, or use non-disclosure agreements to buy silence from researchers to keep vulnerabilities from the public.
Moussouris believes that AI will ultimately take over from human bug researchers, but says the loss of expertise will damage security.
The world is on the verge of another industrial revolution, but it will be bigger and faster than the last one. In the 19th century, people left agriculture to work long hours in factories, often in dangerous conditions for poor wages.
As AI takes over more tasks currently carried out by people, unemployment will rise, incomes will fall and economies risk stagnation, Moussouris predicts.
The only answer, she believes, is for governments to tax AI companies and use the proceeds to provide the population with a universal basic income (UBI). “I think it has to, or literally there will be no way for capitalism to survive,” she says. “The good news is that human engineering ingenuity is still intact for now. I still believe in our ability to hack our way out of this problem.”
Growing tensions between governments and bug bounty hunters
The work of bug bounty hunters has also been impacted by moves to require software technology companies to report vulnerabilities to governments before they fix them.
It began with China in 2021, which required tech companies to disclose new vulnerabilities within 48 hours of discovery.
“It was very clear that they were going to evaluate whether or not they were going to use vulnerabilities for offensive purposes,” says Moussouris.
In 2020, the European Union (EU) introduced the Cyber Resilience Act (CRA), which introduced similar disclosure obligations, ostensibly to allow European governments to prepare their cyber defences.
Moussouris is a co-author of the ISO standard on vulnerability disclosure. One of its principles is to limit the knowledge of security bugs to the smallest number of people before they are fixed.
The EU argues that its approach will be safe because it is not asking for a deep technical explanation of the vulnerabilities, nor is it asking for proof-of-concept code to show how vulnerabilities can be exploited.
But that misses the point, says Moussouris. Widening the pool of people with access to information about vulnerabilities will make leaks more likely and raises the risk that criminal hackers or hostile nation-states will exploit them for crime or espionage.
Risk from hostile nations
Moussouris does not doubt that hostile nations will exploit the weakest links in government bug notification schemes to learn new security exploits. If they are already using those vulnerabilities for offensive hacking, they will be able to cover their tracks.
“I anticipate there will be an upheaval in the threat intelligence landscape because our adversaries absolutely know this law is going to take effect. They are certainly positioning themselves to learn about these things through the leakiest party that gets notified,” she says.
“And they will either start targeting that particular software, if they weren’t already, or start pulling back their operations or hiding their tracks if they were the ones using it. It’s counterproductive,” she adds.
Moussouris is concerned that the US will likely follow the EU by introducing its own bug reporting scheme. “I am just holding my breath, anticipating that the US is going to follow, but I have been warning them against it.”
The UK’s equities programme
In the UK, GCHQ regulates government use of security vulnerabilities for spying through a process known as the equities scheme.
That involves security experts weighing the risk that the UK would put its own critical systems in danger by not notifying software suppliers of a vulnerability against the potential value of the exploit for gathering intelligence.
The process has a veneer of rationality, but it falls down because, in practice, government experts can have no idea how widespread vulnerabilities are in the critical national infrastructure. Even large suppliers like Microsoft have trouble tracking where their own products are used.
“When I was working at Microsoft, it was very clear that while Microsoft had a lot of visibility into what was deployed in the world, there were tonnes of things out there that they wouldn’t know about until they were exploited,” she says.
“The fact that Microsoft, with all its telemetry ability to know where its customers are, struggled means there is absolutely no way to gauge in a reliable way how vulnerable we are,” she adds.
Katie Moussouris spoke to Computer Weekly at the SANS CyberThreat Summit.
Are DJI Drones Still Banned?
As of December 23, 2025, the US Federal Communications Commission barred Chinese-based drone maker DJI from importing any new drones into the United States. That might sound like you can’t buy a DJI drone right now, but that’s not true. Head over to Amazon and just about the whole DJI drone lineup is still for sale. So what gives? Are they banned or not?
The key words in the previous paragraph were “any new drone.” Nothing DJI has made in the past is banned. No one is taking your drone away. It’s still perfectly legal to fly a drone. And this isn’t just a DJI ban. It’s a ban on foreign-made drones, which includes those from companies such as DJI, Autel Robotics, HoverAir, and others. That DJI is singled out in headlines has more to do with its market dominance than the way the rules are written.
I’d like to say that, with the biggest competitor essentially removed from the market, US-based companies are swooping in with new drones. Actually, we did say that once about Skydio, and we even liked the Skydio drone we tested, but since then Skydio has shifted away from the consumer market.
No New Drones
While it’s good news that the old stuff is still for sale, it’s unlikely that any new drones will arrive.
In order to sell in the United States, anything that uses radio frequency components has to be approved by the FCC. Drones use radio frequencies when flying, so they fall under FCC jurisdiction. Because none of the drone companies have had the security review they need from an approved US agency, they have all been placed on what’s called the Covered List. Companies on the Covered List do not have approval to import products into the US, effectively banning them.
There’s some evidence that wheels are turning somewhere, in a way that could spell good news for consumer drone flyers. Last week, the FCC amended its Covered List to exempt drones and components already approved by the Defense Contract Management Agency’s Blue UAS list. The FCC says in its public statement, “The DoW has determined that UAS and UAS critical components included on Defense Contract Management Agency’s (DCMA’s) Blue UAS list do not currently present unacceptable risks to the national security of the United States or to the safety and security of US persons.”
For the most part, this doesn’t really impact consumer drones, unless you were in the market for a $13.6k Parrot Anafi USA Gov edition thermal drone, but it’s better than silence, which has been the primary thing we’ve heard leading up to the December ban.
Zayo expands network across Iberian Peninsula | Computer Weekly
In a move described as underscoring the company’s strategic focus on pan-European connectivity amid rising data demands from artificial intelligence (AI), cloud and next-generation technologies, Zayo Europe has launched a “landmark” network in Iberia.
Operating across 13 countries and connecting 47 markets, Zayo already connects more than 600 datacentres with a “future-ready” network spanning over 2.7 million fibre kilometres and eight subsea systems. The company said its mission is to deliver the infrastructure that powers Europe’s digital economy, offering tailored connectivity solutions that enable telecom service providers, cloud platforms, datacentres, system integrators and enterprises to deliver the network performance they require from core to cloud to edge.
Following a recent expansion in the German market, Iberia has become the next strategic link for Zayo, furthering the reach of its pan-European network. The new network will encompass the region’s leading cities, including Madrid, Lisbon, Barcelona, Bilbao and Sines.
It is being delivered in partnership with Spanish dark fibre operator Reintel, which boasts more than 54,000km of interconnected fibre infrastructure across Spain. The company provides neutral and high-quality connectivity products through a network of sites linked to both the energy and railway sectors.
Zayo Europe sees the partnership as a major milestone, as it brings its 400GE-enabled wavelength network to the Iberian Peninsula and expands its Tier-1 IP offering to Portugal and to more Spanish cities.
The collaboration will look to deliver low-latency, high-capacity connectivity across Iberia, connecting the key business hubs. The partners see the new route as a way to enhance network diversity, reduce deployment times and strengthen connectivity options for businesses and carriers operating in the region.
Spanning over 3,500km of fibre across Iberia, Zayo Europe’s network will look to enable “seamless” datacentre-to-datacentre connectivity, faster cloud adoption and high-performance handling of data-intensive workloads. The move is set to strengthen Zayo Europe’s global reach, linking Iberia to international networks across the Mediterranean and Atlantic, and supporting the digital transformation of businesses across multiple continents.
“This partnership marks another important step in Zayo Europe’s journey to connect the continent’s most dynamic markets. Spain and Portugal are quickly emerging as major datacentre hubs, with a strong supply of renewable energy driving new investments to power AI and other cutting-edge technologies,” said Colman Deegan, Zayo Europe CEO.
“We’re delighted to partner with Reintel, who operate the highest quality, mission-critical fibre infrastructure in the region. By extending our network through their low latency, high availability fibre routes, we’re enabling enterprises, datacentres and carriers across Iberia to access our extensive high-performance connectivity that underpins Europe’s innovation economy. With the significant DC roll-out planned in 2026, Zayo Europe is poised to set connectivity trends for the decade ahead.”
Reintel CEO Francisco J. Blanca Patón added: “Zayo Europe’s expansion into Iberia aligns perfectly with our mission to accelerate Spain’s digital transformation. Combining our extensive dark fibre footprint with Zayo Europe’s international network and unparalleled service excellence creates powerful opportunities for customers across the region. This partnership will empower datacentres and businesses across Spain and Portugal to keep pace with rising data demands and, ultimately, strengthen Europe’s digital backbone. We look forward to what can be achieved together through 2026 and beyond.”
De-Gunk and Descale Your Keurig with These Cleaning Tips
It can be tricky to figure out how to clean your Keurig, but it’s important work. If your household is like mine, your pod coffee maker runs anywhere from three to seven times per day. All of that use can cause buildup and gunk, which can affect the taste of your coffee and the lifespan of your machine. But with proper maintenance and a dedicated routine, cleaning is a breeze. Here’s everything you need to know about light daily cleaning as well as deeper cleans.
Be sure to check out our related buying guides, including the Best Pod Coffee Makers, the Best Coffee Machines, the Best Coffee Subscriptions, and the Best Milk Frothers.
Daily Maintenance
To clean the housing of your Keurig coffee maker or other pod machine, just take a damp cloth and wipe down the outside. You can clean the K-Cup holder and needle by brushing or vacuuming away any loose debris like coffee grounds—be careful near the needle part since, obviously, it’s sharp.
Some machines come with a needle cleaning tool that you insert into the top and bottom of the needle, and a few people on various forums have used a paper clip instead. Some machines have removable pod holders that can be soaked in hot water. It’s always a good idea to refer to your specific model’s user guide, and you’ll probably want to unplug your machine beforehand.
To clean your drip tray and water reservoir, remove them and wash them by hand with hot, soapy water (though avoid using too much dish soap to prevent buildup). If your machine came with a carafe, wash it by hand or pop it in the dishwasher if it’s dishwasher-safe. Let them air dry or wipe them down with a lint-free towel after rinsing them off. You should be replacing the fresh water in your reservoir often, especially if it’s been sitting for a while. If your machine has a water filter in its reservoir, replace it every two to three months. Most machines with these types of filters have maintenance reminders—heed them!
For cleaning out the internal bits and pieces, you can use something like a Keurig Rinse Pod, which helps to flush out any excess oils or flavors that might be lingering. They are especially handy after brewing with flavored K-Cups like hot cocoa or some coffee varieties. You can also just run a hot water cycle every so often, which is a particularly good idea if you haven’t used your machine for a few days.
Deeper Cleaning and Descaling
Some manufacturers recommend using filtered water or distilled water instead of tap water in your reservoirs, but I’ve always used tap water with the knowledge that I might have to clean my machine more frequently. You should deep-clean or descale your pod coffee maker every three to six months, or possibly more often if you notice hard water stains, calcium deposits, or mineral buildup, or your machine prompts you to deep-clean it.
You can do this a few ways. For the DIY method, fill your water tank with white vinegar and water (about half and half) and run large-capacity brew cycles until the reservoir is empty; halfway through, consider letting the vinegar solution soak for a while, around 20 to 30 minutes. Follow up with a few rinsing cycles using clean water until the vinegar smell is gone. Alternatively, you can use a dedicated Keurig descaling solution according to the instructions on the bottle. That solution can be used on non-Keurig machines too. Make sure your machine is fully rinsed out before brewing your next cup of coffee.
It’s important to perform these deeper cleaning cycles on a regular basis to ensure your machine lasts as long as possible. And that your coffee tastes good, of course.