Tech
Why bug bounty schemes have not led to secure software | Computer Weekly
Governments should make software companies liable for developing insecure computer code. So says Katie Moussouris, the white hat hacker and security expert who first persuaded Microsoft and the Pentagon to offer financial rewards to security researchers who found and reported serious security vulnerabilities.
Bug bounty schemes have since proliferated and have now become the norm for software companies, with some, such as Apple, offering awards of $2m or more to those who find critical security vulnerabilities.
Moussouris likens security vulnerability research to working for Uber, only with lower pay and less job security. The catch is that people only get paid if they are the first to find and report a vulnerability. Those who put in the work but get results second or third get nothing.
“Intrinsically, it is exploitative of the labour market. You are asking them to do speculative labour, and you are getting something quite valuable out of them,” she says.
Some white hat hackers, motivated by helping people fix security problems, have managed to make a living by specialising in finding medium-risk vulnerabilities that may not pay as well as the high-risk bugs, but are easier to find.
But most security researchers struggle to make a living as bug bounty hunters.
“Very few researchers are capable of finding those elite-level vulnerabilities, and very few of the ones that are capable think it is worth their while to chase a bug bounty. They would rather have a nice contract or a full-time role,” she says.
Ethical hacking comes with legal risks
It’s not just the lack of a steady income. Security researchers also face legal risks from anti-hacking laws, such as the UK’s Computer Misuse Act and the US’s draconian Computer Fraud and Abuse Act.
When Moussouris joined Microsoft in 2007, she persuaded the company to announce that it would not prosecute bounty hunters if they found online vulnerabilities in Microsoft products and reported them responsibly. Other software companies have since followed suit.
The UK government has now recognised the problem and promised to introduce a statutory defence for cyber security researchers who spot and share vulnerabilities to protect them from prosecution.
Another issue is that many software companies insist on security researchers signing a non-disclosure agreement (NDA) before paying them for their vulnerability disclosures.
This flies in the face of the best practices for security disclosures, which Moussouris has championed through the International Standards Organisation (ISO).
When software companies pay the first person to discover a vulnerability a bounty in return for signing an NDA, that creates an incentive for those who find the same vulnerability to publicly disclose it, increasing the risk that a bad actor will exploit it for criminal purposes.
Worse, some companies use NDAs to keep vulnerabilities hidden but don’t take steps to fix them, says Moussouris, whose company, Luta Security, manages and advises on bug bounty and vulnerability disclosure programmes.
“We often see a big pile of unfixed bugs,” she says. “And some of these programmes are well funded by publicly traded companies that have plenty of cyber security employees, application security engineers and funding.”
Some companies appear to regard bug bounties as a replacement for secure coding and proper investment in software testing.
“We are using bug bounties as a stop-gap, as a way to potentially control the public disclosure of bugs, and we are not using them to identify symptoms that can diagnose our deeper lack of security controls,” she adds.
Ultimately, Moussouris says, governments will have to step in and change laws to make software companies liable for errors in their software, in much the same way car manufacturers are responsible for safety flaws in their vehicles.
“All governments have pretty much held off on holding software companies responsible and legally liable, because they wanted to encourage the growth of their industry,” she says. “But that has to change at a certain point, like automobiles were not highly regulated, and then seatbelts were required by law.”
AI could lead to less secure code
The rise of artificial intelligence (AI) could make white hat hackers redundant altogether, but perhaps not in a way that leads to better software security.
All of the major bug bounty platforms in the US are using AI to help with the triage of vulnerabilities and to augment penetration testing.
An AI-powered penetration testing platform, XBow, recently topped the bug bounty leaderboard by using AI to focus on relatively easy-to-find vulnerabilities and testing likely candidates in a systematic way to harvest security bugs.
“Once we create the tools to train AI to make it appear to be as good, or better in a lot of cases, than humans, you are pulling the rug out of the market. And then where are we going to get the next bug bounty expert?” she asks.
The current generation of experts with the skills to spot when AI systems are missing something important is in danger of disappearing.
“Bug bounty platforms are moving towards an automated, driverless version of bug bounties, where AI agents are going to take the place of human bug hunters,” she says.
Unfortunately, it’s far easier for AI to find software bugs than it is to use AI to fix them. And companies are not investing as much as they should in using AI to mitigate security risks.
“We have to figure out how to change that equation very quickly. It is easier to find and report a bug than it is for AI to write and test a patch,” she says.
Bug bounties have failed
Moussouris, a passionate and enthusiastic advocate of bug bounty schemes, is the first to acknowledge that bug bounty schemes have, in one sense, failed.
Some things have improved. Software developers have shifted to better programming languages and frameworks that make it harder to introduce particular classes of vulnerability, such as cross-site scripting errors.
But there is, she suggests, too much security theatre. Companies still address faults because they are visible, but hold off fixing things that the public can’t see, or use non-disclosure agreements to buy silence from researchers to keep vulnerabilities from the public.
Moussouris believes that AI will ultimately take over from human bug researchers, but says the loss of expertise will damage security.
The world is on the verge of another industrial revolution, but this one will be bigger and faster than the last. In the 19th century, people left agriculture to work long hours in factories, often in dangerous conditions for poor wages.
As AI takes over more tasks currently carried out by people, unemployment will rise, incomes will fall and economies risk stagnation, Moussouris predicts.
The only answer, she believes, is for governments to tax AI companies and use the proceeds to provide the population with a universal basic income (UBI). “I think it has to, or literally there will be no way for capitalism to survive,” she says. “The good news is that human engineering ingenuity is still intact for now. I still believe in our ability to hack our way out of this problem.”
Growing tensions between governments and bug bounty hunters
The work of bug bounty hunters has also been impacted by moves to require software technology companies to report vulnerabilities to governments before they fix them.
It began in 2021 with China, which required tech companies to disclose new vulnerabilities within 48 hours of discovery.
“It was very clear that they were going to evaluate whether or not they were going to use vulnerabilities for offensive purposes,” says Moussouris.
In 2020, the European Union (EU) introduced the Cyber Resilience Act (CRA), which introduced similar disclosure obligations, ostensibly to allow European governments to prepare their cyber defences.
Moussouris is a co-author of the ISO standard on vulnerability disclosure. One of its principles is to limit the knowledge of security bugs to the smallest number of people before they are fixed.
The EU argues that its approach will be safe because it is not asking for a deep technical explanation of the vulnerabilities, nor is it asking for proof-of-concept code to show how vulnerabilities can be exploited.
But that misses the point, says Moussouris. Widening the pool of people with access to information about vulnerabilities will make leaks more likely and raises the risk that criminal hackers or hostile nation-states will exploit them for crime or espionage.
Risk from hostile nations
Moussouris does not doubt that hostile nations will exploit the weakest links in government bug notification schemes to learn new security exploits. If they are already using those vulnerabilities for offensive hacking, they will be able to cover their tracks.
“I anticipate there will be an upheaval in the threat intelligence landscape because our adversaries absolutely know this law is going to take effect. They are certainly positioning themselves to learn about these things through the leakiest party that gets notified,” she says.
“And they will either start targeting that particular software, if they weren’t already, or start pulling back their operations or hiding their tracks if they were the ones using it. It’s counterproductive,” she adds.
Moussouris is concerned that the US will likely follow the EU by introducing its own bug reporting scheme. “I am just holding my breath, anticipating that the US is going to follow, but I have been warning them against it.”
The UK’s equities programme
In the UK, GCHQ regulates government use of security vulnerabilities for spying through a process known as the equities scheme.
That involves security experts weighing the risk that the UK would expose its own critical systems by not notifying software suppliers of a vulnerability against the potential value of exploiting that vulnerability to gather intelligence.
The process has a veneer of rationality, but it falls down because, in practice, government experts can have no idea how widespread vulnerabilities are in the critical national infrastructure. Even large suppliers like Microsoft have trouble tracking where their own products are used.
“When I was working at Microsoft, it was very clear that while Microsoft had a lot of visibility into what was deployed in the world, there were tonnes of things out there that they wouldn’t know about until they were exploited,” she says.
“The fact that Microsoft, with all its telemetry ability to know where its customers are, struggled means there is absolutely no way to gauge in a reliable way how vulnerable we are,” she adds.
Katie Moussouris spoke to Computer Weekly at the SANS CyberThreat Summit.
I Tested 10 Popular Date-Night Boxes With My Hinge Dates
Same as the Five Senses deck above, this scratch-off card set happens in sequence, with optional “level up” cards to really push intimacy, and separate cards for each partner with secret directions. For this date, you’ll both bring a red item that you show at certain points to signify that you’re open to physical touch. Then you’ll go out to dinner and have intentional conversation, and every time a partner pulls out the red item, you’ll follow the prompts to initiate increasingly intimate physical acts, ranging from hand holding to neck kisses. So there we were, at Illegal Taqueria, edging each other over al pastor tacos (I kid).
Many of the cards urged a partner not to interrupt or solve problems, but ask questions and talk dirty. My date said, “I think this may be for couples who hate each other.” I had to agree. The second part of the date involved driving and stoplights, but since we were in Brooklyn, we walked down the trash-filled sidewalk and pretended to be a suburban couple on the fritz instead.
The rest of the date included buying things for sexy time, like whipped cream and blindfolds. I’m vegan and had no desire to lick cream from chest hair, so we came home, stripped, and did our best to keep our eyes closed (in lieu of a blindfold). It was overall a strange experience for us both, I think. If you and your partner need a lot of prompting to connect, compliment, and be physical, this set is for you.
Date: Greg, 10/10 (Note: I didn’t find this man on Hinge; I met him the old-fashioned way, in a bar at 2 am.)
Box: 6/10
WIRED’s Guide to Actually Fun Valentine’s Day Gifts
Valentine’s Day is a sneaky one. It’s easy to let grabbing fun and unique Valentine’s Day gifts fall to the wayside while you recover from the Christmas holidays, but it’s not one to miss if you have a partner you want to shower with a little extra love.
If you’re feeling too wiped to shop, good news: I’ve got you covered. I’ve rounded up some of our favorite ideas for the year’s most romantic holiday, from Lego sets you can build as a date and date boxes filled with ideas to last you all year long to gorgeous flowers you can get delivered in a snap and cozy robes you’ll want to lounge in together. This guide has all the Valentine’s Day gifts we’re excited to give this year.
Curious about what else we recommend? Don’t miss our Gifts for Lovers, Gifts for Moms, Gifts for Plant Lovers, Gifts for People Who Work from Home, and Best Blind Boxes for more gifts and shopping ideas.
Table of Contents
For a Gift That’s a Date
My husband and I are planning our fourth or fifth year of our favorite Valentine’s Day Date: building Lego sets together. We’ve done this for years, and then we get to enjoy the fruits (well, flowers) of our labor around the home forevermore. These sets serve as both the gift and the activity. Building the dried-flower centerpiece together was probably my all-time favorite, since you can each simultaneously work on one half and then click it together at the end, followed by each building a different-color bonsai tree.
For a Daytime Adventure
Building on the idea of date activities that involve gifts, this multi-person paddleboard is a fun way to spend time outdoors while staying together the entire time. It’s massive, almost raftlike, so that it can support the weight of up to three adults, but once we got the hang of the size, it wasn’t hard to maneuver. Sometimes we’d both row together, sometimes I’d let my husband do all the work. It made for a lovely daytime adventure together, and I can’t wait for the next warm day for my husband and me to take this out on our local harbor again. It’s big enough that we could bring our son, though it’s much more peaceful as a date activity. It’s inflatable, and I’d recommend grabbing an electric filler since it takes a lot of manual pumping otherwise.
For Flowers on Demand
The classic go-to for Valentine’s Day is, of course, flowers. WIRED reviewer Boutayna Chokrane tested several flower delivery services to find the best one to get sent to your home, and her favorite is Ode à la Rose, specifically the Edith arrangements. The business was created by two former French bankers, and the arrangements’ design choices feel distinctly chic in a way only French romance can. The Edith bouquet is made entirely of Columbus double tulips from Holland, and it comes hand-tied in a travel vase inside a fun pink box. The flowers ship nationwide, and there’s same-day shipping in New York, Chicago, Los Angeles, Austin, Miami, and Washington, DC.
For a Jewelry Upgrade
Maybe you’ve already exchanged rings, or maybe you’re looking for your first set without committing to I do. Either way, the most popular fitness tracker to get these days is a smart ring, and Oura is the ruler of the space. The latest model is the Ring 4, and it comes in both metallic and ceramic finishes. Many of my friends love theirs. I wish I had one, but they don’t make sense for my husband and me since we’re an aerialist and rock climber duo. Live my dreams for me and get this for your valentine (and yourself)!
For Your Fave Photographer
If your romantic partner loves to capture photos, a digital photo frame is the perfect gift (and you’ll benefit, too, as likely the number one fan of their photography!). I’m the photographer of our house, and our Aura frame is my husband’s favorite gadget because it showcases photos I’ve captured of our son and life together over the years. Our wedding photos can be found on there too, as well as the occasional good photo of me that he’s captured. It’s a monthly ritual for me to go through my camera roll and add my latest favorites. Aura’s my favorite because the range of frames is beautiful, and the storage is unlimited with no fees or subscriptions.
For the Cozy Couple
One of my favorite souvenirs I have around the house is a matching robe set that my husband and I bought on our honeymoon. Our all-cotton robes are from the Ten Thousand Waves Japanese spa in New Mexico (the final destination of a Southwestern US road trip) and are great for taking to the pool or using after a shower on a hot day. But I still love a good fluffy robe during the colder season, especially since it can double as a towel. Get your partner one of these cozy robes to give them something luxurious to use after their next everything shower or quick rinse-off. Cozy Earth’s robe is crazy-soft thanks to its blend of cotton and bamboo viscose, while this flannel robe from L.L.Bean is one of our favorites for anyone who works from home.
For Your Inner Theater Kids
If your partner loves to sing along to the Wicked soundtrack and is regularly suggesting karaoke as a group activity, then give them the gift of making karaoke happen anywhere with these gadgets. The Bonaok Karaoke Microphone is one of our favorite karaoke microphones, letting you sing anywhere without lugging bulky equipment. The Ikarao Shell S2 is a portable device with two mics, a built-in screen, and support for streaming services, so you can sing along to your favorite songs on Spotify.
For the Fitness Couple
After the Christmas season, I saw a video on my For You page that roasted how every mom had clearly gotten a matching workout outfit set for Christmas and was out wearing it on Boxing Day. As a mom myself, all I could think of was how much I would love another matching workout set. I’m serious. They’re great for workouts, quick errands, and day care or school drop-off. My latest favorite set is from Bombshell Sportswear. The set is both super soft and fits securely without any annoying squeezing. It’s getting the most compliments of all my sets. I wish I’d sized up with the bolero, but as an aerialist, my lat muscles are a little bulkier than an everyday person’s.
Have a partner who doesn’t need a matching set? Try some fantastic running shoes instead, which are even more useful for both workouts and daily life. WIRED reviewer Adrienne So says these R.A.D. shoes are fantastic for a range of uses, as they’re designed for gym, HIIT, CrossFit, and hybrid workouts and are soft enough for treadmill running. They look fantastic, too.
For the Beloved Bookworms
A Kindle is always a great gift for anyone who reads in any format. Funny enough, my siblings and I are about to buy one for my dad for his birthday (two weeks before Valentine’s Day), and I recommended my favorite pick, the Kindle Paperwhite, since the standard Kindle is a little too small for his 6-foot-4 frame to hunch down over, and he doesn’t read enough illustrated books to make the Colorsoft the right jump for him. If they already have a Kindle, I’m still in love with my matching PopSockets Kindle case and grip, and they’ve since launched a new Bookish collection with beautiful designs.
For Some Bedroom Spice
Looking to spice things up? These adventure boxes can add more fun to the bedroom without creating additional mental work for you and your partner. An offshoot from the Adventure Challenge, “The Adventure Challenge … In Bed” scratch-off date book has 50 date ideas designed specifically to help facilitate fun and connection in the bedroom. The dates are categorized by activity type in sections like food, dancing, “sexploration,” and more. Each date is covered by a black box, with only icons indicating required fields such as duration, cost, and more. Meanwhile, the Fantasy Box is a date-night box service offering a range of themes, from sexy wine tasting to a kinky poker night, all designed to help couples communicate and connect more intimately. Before opening the box, each partner will fill out a questionnaire of potential intimate acts, and this box comes with everything needed for a truly kinky night in: a satin blindfold, pleather paddle, lingerie, lube, massage gel, feather wand, mini vibrator, and silky wrist restraints. —Molly Higgins
The Information Networks That Connect Venezuelans in Uncertain Times
In the early morning hours of Saturday, January 3, the roar of bombs dropping from the sky announced the US military attack on Venezuela, waking the sleeping residents of La Carlota, in Caracas, a neighborhood adjacent to the air base that was a target of Operation Absolute Resolve.
Marina G.’s first thought, as the floors, walls, and windows of her second-story apartment shook, was that it was an earthquake. Her cat scrambled and hid for hours, while the neighbors’ dogs began to bark incessantly. But the persistence of the strange hum of engines (military aircraft flying low over the city, she would later learn), as well as seeing a group of cadets in T-shirts and shorts fleeing the Army headquarters, were signs that this was not an earthquake.
Marina couldn’t rely on the typical media outlets that are easily accessible in most other countries to learn more. She didn’t bother to turn on the television or radio in search of information about the attacks that began simultaneously at 11 military installations in Caracas and three other states. The government-run television station Venezolana de Televisión (VTV) was broadcasting a report on the minister of culture’s visit to Russia as the attack was taking place. Her cell phone, however, still had a signal and she began to receive dozens of messages on WhatsApp: “They’re bombing Caracas!”
During the darkest moments of that confusing morning, there was no team of independent reporters able to go out and record what was happening on the streets. After years of harassment, censorship, and imprisonment of journalists by the government, there were instead only empty newsrooms, decimated resources, and a complete lack of security, which made it impossible to keep the public informed as the crisis was unfolding.
The fears felt by journalists were shared by many Venezuelans: the fears of arbitrary detention, of being imprisoned without cause, tortured, and extorted. These are fears that have led citizens in Venezuela to adopt some digital safeguards in order to survive. They have learned to restrict chats, move sensitive material to hidden folders, and automatically delete any “compromising” messages. Whenever possible, they leave their cell phones at home. If they have to take their phones with them, then before going out, they delete all photos, stickers, and memes that could possibly be interpreted as subversive. This state of collective paranoia has also, however, allowed Venezuelans to stay informed and not succumb to the dictatorship.
It is, largely, ordinary citizens who have created this information network. Soon after the bombs fell on January 3, the first videos began to circulate, recorded by people who had witnessed the explosions from their windows and balconies, or from the beach, where some were still celebrating the New Year. Even hikers camping at the summit of Cerro Ávila, in Waraira Repano National Park, managed to capture panoramic shots of the bombs exploding over the Caracas Valley. Shortly afterwards, international networks confirmed the news.
In the interior of the country, connectivity is even more complicated. In San Rafael de Mucuchíes, a peaceful village in the Andes in the state of Mérida, a group of hikers tried to keep up with the frantic pace of events with intermittent internet access at 10,300 feet above sea level. They learned the news from telephone calls via operators such as Movistar (Telefónica) and Digitel, not from the instant messaging app WhatsApp. They also overcame the challenges of the information desert they were in by using a portable Starlink satellite internet antenna that one of the travelers had in their luggage. During the crisis, the service developed by SpaceX was provided free to Venezuelans.