2014 Women in IT Security
2014 Women in IT Security

As chief policy officer of HackerOne, Katie Moussouris oversees the company's philosophy and approach to vulnerability disclosure, advises customers and researchers, and as she puts it, "works toward the public good to legitimize and promote security research to help make the internet safer for everyone."

What's unique about Moussouris is how she entered the industry. It began at age 8 when she got her start with a Commodore 64 computer and learned BASIC after becoming bored with Pac-Man, and that spark ignited her interest. She cast aside Barbies for the techno-cool thrill of programming for the Commodore 64 and tinkering with data and makeshift applications. 

Katie Moussouris
Chief policy officer, HackerOne

Although it began as a hobby, it quickly evolved into more. She joined the computer team at her high school in Arlington, Mass., and participated in competitions. She then entered her new avocation: hacking. She also studied molecular biology and math and later worked at MIT on the Human Genome Project. 

Prior to joining HackerOne, she worked at Microsoft and Symantec, where her work encompassed industry-leading initiatives, such as Microsoft's bounty programs, BlueHat conference content chair, security researcher outreach, Vulnerability Disclosure Policies and MSVR (Microsoft Vulnerability Research). She also founded Symantec Vulnerability Research (SVR). She now serves as a subject matter expert for the U.S. National Body of the International Standards Organization (ISO) in vulnerability disclosure, secure development, penetration testing as it applies to common criteria and vulnerability handling processes.

Moussouris has served in all three major roles in vulnerability disclosure: researcher, vulnerability coordinator, and vendor for both open and closed source products. In addition, she earned the reputation as a hacker artist, being formerly known as @stake. She has performed dozens of software penetration tests, security code audits and design reviews for major companies. 

"Vulnerabilities exist in all products and services," says Moussouris. "The maturity of an organization and the commitment of its leadership to managing security are reflected in the way it responds to security researchers or hackers who find and report those vulnerabilities," she says. And, every organization can benefit from a simpler way to manage the disclosure process, and now there are published ISO standards that can be used as guides and vulnerability disclosure platforms to help them do just that.

"I have had the pleasure of working with Katie for much of my career, and she has earned both my trust and admiration on countless occasions," says Alex Rice, founder and CTO of HackerOne. "I have frequently turned to her for advice and guidance on precarious vulnerability disclosure situations and to proactively engage the security research community."

In their most recent public collaboration, he adds, her leadership was instrumental in establishing the Internet Bug Bounty and bringing crucial incentives to open source security research. "She once likened her work to the task of steering an aircraft carrier – an apt analogy. Her unique ability to effect impossible change in large organizations has served as a recurring point of inspiration for me."