
Katie Moussouris
American computer security expert
Katie Moussouris is an American computer security researcher, entrepreneur, and pioneer in vulnerability disclosure, best known for her ongoing work advocating responsible security research. Previously a member of @stake, she created the bug bounty program at Microsoft and was directly involved in creating the U.S. Department of Defense's first bug bounty program for hackers. She previously served as Chief Policy Officer at HackerOne, a vulnerability disclosure company.
Early Life and Education
Katie Moussouris developed an interest in computers at a young age, learning to program in BASIC on a Commodore 64 her mother purchased for her in third grade. She was the first girl to take AP Computer Science at her high school. She went on to attend Simmons College, where she studied molecular biology and mathematics, while simultaneously contributing to the Human Genome Project at the MIT Whitehead Institute. At Whitehead, she transitioned from a lab assistant into a systems administrator role. After three years, she became the systems administrator for the MIT Department of Aeronautics and Astronautics, helping design the computer system for a new lab slated to open in 2000. During this period she also served as systems administrator at the Harvard School of Engineering and Applied Sciences.
Early Career
Moussouris relocated to California to work as a Linux developer at Turbolinux, where she also started the company's computer security response program. Active within the West Coast hacker community, she was invited by Chris Wysopal to formally join @stake as a penetration tester in 2002. When Symantec acquired @stake in October 2004, she joined Symantec and founded Symantec Vulnerability Research — the first program to allow Symantec researchers to publish vulnerability research.
Microsoft
In May 2007, Moussouris joined Microsoft as a security strategist. She founded the Microsoft Vulnerability Research (MSVR) program, announced at Black Hat 2008, which coordinated responses to significant vulnerabilities including Dan Kaminsky's DNS flaw and proactively searched for bugs in third-party software affecting Microsoft customers. From September 2010 until May 2014, she served as Senior Security Strategist Lead, running the Security Community Outreach and Strategy team within the Microsoft Security Response Center (MSRC). She instigated the Microsoft BlueHat Prize for Advancement of Exploit Mitigations, which awarded over $260,000 in prizes at Black Hat USA 2012, including a $200,000 grand prize that was at the time the largest cash payout offered by a software vendor. She also created Microsoft's first bug bounty program, which paid out over $253,000 and received 18 vulnerabilities during her tenure.
HackerOne and Government Bug Bounty Programs
In May 2014, Moussouris was named Chief Policy Officer at HackerOne, a San Francisco-based vulnerability disclosure company. In that role she was responsible for the company's vulnerability disclosure philosophy and worked to promote and legitimize security research among organizations, legislators, and policymakers. While still at Microsoft, she had begun discussions with the federal government about bug bounty programs, and those efforts culminated in March 2016 when she was directly involved in creating the Department of Defense's "Hack the Pentagon" pilot — the first bug bounty program in U.S. federal government history, organized and vetted by HackerOne. She subsequently helped develop the "Hack the Air Force" program, with HackerOne and Luta Security partnering to deliver up to 20 bug bounty challenges to the Defense Department over three years.
Luta Security
In April 2016, Moussouris founded Luta Security, a consultancy focused on helping organizations and governments work collaboratively with hackers through structured bug bounty programs. She serves as its CEO.
Policy and Standards Work
Moussouris has contributed to the ISO/IEC 29147 vulnerability disclosure standard since approximately 2008. In April 2016, the ISO made the standard freely available following a request from Moussouris and the CERT Coordination Center's Art Manion. She also played a significant role in the debate over the Wassenaar Arrangement's 2013 amendment to include "intrusion software," writing an op-ed in Wired criticizing the overly broad definition and later serving as a technical expert in U.S. Wassenaar negotiations, helping rewrite the amendment to adopt end-use decontrol exemptions. She testified before the U.S. Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security in 2018, and before the U.S. House Committee on Science, Space, and Technology in 2021 on software supply chain cybersecurity.
Research and Academia
Moussouris served as a visiting scholar at the MIT Sloan School of Management and an affiliate researcher at the Harvard Belfer Center for Science and International Affairs, conducting economic research on the labor market for security vulnerabilities. She co-authored a book chapter presenting the first system dynamics model of the vulnerability economy and exploit market, published by MIT Press in 2017. She also served as a Cybersecurity Fellow at New America, a U.S.-based think tank, during 2015–2016 and 2016–2017.
Recognition
SC Magazine named Moussouris to its Women in IT Security list in 2014. She was also recognized as one of "10 Women in Information Security That Everyone Should Know" and received the "One To Watch" distinction among the 2011 Women of Influence awards. In 2018, Forbes featured her among "America's Top 50 Women In Tech."
Philanthropy
In 2021, Moussouris donated $1 million to establish the Anuncia Donecia Songsong Manglona Lab for Gender and Economic Equity at Penn State Law, named after her mother. The lab launched with a gender equity litigation clinic aimed at addressing workplace financial discrimination and promoting economic equity under the law.



