She Convinced the Pentagon to Let Hackers In. Legally. With Katie Moussouris | 35

In this episode, Ciaran and James sit down with Katie Moussouris, Founder of Luta Security and one of the pioneers of vulnerability research and bug bounties, to discuss how the industry has changed over time. Katie shares her expertise on vulnerability disclosure programmes, researcher protection and equity, and why she still bets on people in an AI-driven world.

Highlights:

From hacker culture to vulnerability research

How the early hacker scene shaped vulnerability research, disclosure norms, and how security research first took form.

• Cult of the Dead Cow
• Cybersecurity: When Hackers Went to the Hill — Revisiting the L0pht Hearings of 1998
• Bugtraq: RFPolicy for vulnerability disclosure
• The new security disclosure landscape

The DNS flaw that changed everything

• Black Ops 2008: It’s The End Of The Cache As We Know It | Kaminsky on How He Discovered DNS Flaw and More
• cvd | MS08-037: Description of the security update for DNS in Windows Server 2008, in Windows Server 2003, and in Windows 2000 Server (DNS server-side): July 8, 2008 - Microsoft Support

Bug bounties: where they work (and where they don’t)

A closer look at how bug bounties reshaped security research

• Microsoft Launches $100K Bug Bounty Program
• Google Chrome bug bounty ups Mozilla's ante
• Curl shutters bug bounty program to stop AI slop
• ISO/IEC 29147:2014 - Vulnerability disclosure | ISO/IEC 30111:2019 - Vulnerability handling processes
• Verizon 2025 Data Breach Investigations Report

How Hack the Pentagon actually happened

When bug bounty thinking made its way into government and led to the first legal hacking programme of its kind.

• ’Hack the Pentagon’ Pilot Program Opens for Registration | Hack The Pentagon: DoD Launches First-Ever Federal Bug Bounty Program
• DOD Announces Digital Vulnerability Disclosure Policy and “Hack the Army” Kick-Off

Why protection for researchers still matters

How policy has evolved (but not fully caught up).

• Computer Fraud and Abuse Act | Computer Misuse Act 1990
• The NCSC's Vulnerability Disclosure Toolkit | CISA Announces New Vulnerability Disclosure Policy (VDP) Platform
• You Need to Speak Up For Internet Security. Right Now.
• The Wassenaar Arrangement's latest language is making security researchers very happy

Pay equity and who gets to thrive in cyber

• Pay Equity in Our Lifetime
• Cybersecurity pioneer gives $1 million for Penn State Law gender equity lab | PSU Law Manglona Lab
• Two New Reports Say Microsoft Overwhelmingly Underpays Women and Stifles Their Career Advancement

AI, disruption, and betting on people

Changing vulnerability research, security work, and why human judgement still matters.

• Stop using AI to submit bug reports, says Google | AI slop and fake reports are coming for your bug bounty programs
• ICO tech futures: Agentic AI
• AI And The Vanishing Entry-Level Job: The Changing Future Of Work
• No pAIn, No gAIn: How AI Will Hurt Bug Bounty Hunters and How to Fix It – CyberThreat Keynote

Additional resources:

• Photo 
• That Time A Movie Drove Federal Policy

Subscribe & Follow:

• Subscribe to the podcast on Apple Podcasts, Spotify, or your favorite podcast platform.
• Follow us on X, Facebook, and LinkedIn for updates.

Contact:

• Have questions or comments? Email us at cyberleadersnetwork@sans.org