Ally Skills Workshop – Vegas Edition 2016

A couple of years ago I wrote a call-to-arms about fighting sexism at Security Summer Camp. While there’s been some progress since then, recent conversations on really basic safety stuff at Defcon remind us of how far we have to go as a community.

Las Vegas 89
Yup, it’s happening again.
This summer, I’ll be teaching another Ally Skills Workshop on Saturday, August 6th from 2-4PM. It will be near the Defcon venue, but it is not an official Defcon event – nor will I be attending the con myself.

If you’re interested in attending, please sign up here. I’ll send additional details closer to the date of the workshop.

I’m not charging for the workshop, but if you appreciate the work I do please consider donating to Sexual Health Innovations. SHI is a great non-profit that is working to end sexual violence on US college campuses through improved reporting technology – I’m a volunteer advisor to that project, called Callisto.

The Geek Guide to Watching “The Good Wife”

The Good Wife is my favorite TV show of all time. It passes the Bechdel-Wallace Test before the title credits virtually every episode; the women on the show have complex relationships and friendships, the legal drama is thrillingly ripped from often recent headlines, the political intrigue is complex and nefarious…

And the tech. The tech is just perfect.

But I tell people about the show and they watch the first few episodes and are all meh. Things got off to a bit of a slow start – the first few seasons focus on the politics, both within the law firm and Chicago’s legendarily complex (and corrupt) city apparatus. While I like those parts of the show, having been raised in a political town by lawyer parents, the thing that I really love about The Good Wife is how it handles the nuanced ways that technology interacts with the court system. It also shines in later seasons in showing the fundamental unfairness of the American legal system, but I’ll leave that stuff to you to see once you’re hooked.

So as the show’s seventh and final season comes to an end, I present to you: the Geek Guide to Watching “The Good Wife”. Below, I have summarized the cast and plot of each season, and listed the episodes of particular geek interest in seasons 2 and 3. Beware, there are spoilers for the first 3 seasons! Season 4 is where the show hits it’s stride – I recommend just watching the whole thing from season 4 episode 1 and on.

Thanks to my pal and The Good Wife watching buddy Valerie Aurora of Frame Shift Consulting for helping with the season descriptions and general encouragement. This had been sitting in my drafts for months, and there was no episode this week so we finished this instead!

Season 1

No really, there are spoilers ahead. Don’t say I didn’t warn you 🙂

The starting point for The Good Wife was this question: What does it feel like to be the good, loving, forgiving wife, standing on stage next to her politician husband as he confesses to having sex with other women? Alicia Florrick (the titular Good Wife) is married to Peter Florrick (played by Chris “Mr. Big” Noth), who kicks off the series by confessing to sleeping with prostitutes while he was the Cook County State’s Attorney of Illinois.

Alicia Florrick, The Good Wife Season 5.jpg
Alicia Florrick, in one of her more ice-queen moments

Fast-forward 6 months, and Peter is in prison for corruption and Alicia is getting her first job as a lawyer after being a stay-at-home mom for over a decade. She joins the law firm of Stern, Lockhart, and Gardner. Will Gardner is an old law school buddy who seems to have fond feelings for Alicia. Diane Lockhart is a Hillary Clinton fan and old school feminist who wants to give Alicia a chance. Stern is getting weirder and more unpredictable as he ages. But the real star of the firm is Kalinda Sharma, the badass investigator. Cary Agos is another first-year associate, competing with Alicia for a permanent position at the firm (a little eyeroll-y but tolerable). Outside the firm, Eli Gold is Peter’s hilariously intense and ruthless campaign manager, and Zach and Grace are Peter and Alicia’s teenage kids.

This season follows Alicia’s education as a lawyer in the hard-knocks school of the Chicago court system, the progress of Peter’s attempts to get out of prison and redeem himself politically, Alicia’s ambivalence towards her husband, the beginning of a never-ending series of political machinations at Alicia’s law firm, the growth of Alicia and Kalinda’s working relationship and friendship, and Will and Alicia’s on-again, off-again flirtation with each other. An amusing running theme throughout the whole series is the enormous technical facility of Alicia’s teen kids Zach and Grace with computers, the Internet, and phones, compared to all of the adults. Episode 10 is particularly noteworthy for a ripped-from-the-headlines plot involving a judicial scandal with enormous consequences for young Black boys – exactly the kind of real-world courtroom drama you’ll never see in most lawyer shows.

Season 2

Peter Florrick is out of prison and running for Cook County State’s Attorney again. Eli sets back Will and Alicia’s budding romantic relationship to protect Peter’s political campaign. In this season, Alicia’s law firm starts to pick up clients who are obvious pastiches of Google, Facebook, and Apple. Alicia discovers Kalinda had an affair with her husband Peter. The season ends with Will and Alicia getting a hotel room together, which is when you realize that the on-going unresolved romantic tension running through the entire show (a la the Scully-Mulder X-Files dynamic) is actually between Alicia and Peter (will they stay married or get divorced?), not between Alicia and Will.

Chumhum: is it Google? Apple? Facebook? HP? Yes. All of them.

The geeky episodes this season are:

Episode 14: “Net Worth” – A meta-version of “The Social Network.”
Episode 16: “Great Firewall” – The tech company Chumhum hands over a Chinese dissident’s information, resulting in his imprisonment and torture. He sues.
Episode 22: “Getting Off” – An Ashley Madison-like site results in a murder.

Season 3

Peter ponders running for Governor of Illinois. Will and Alicia are having an affair. Alicia is on the partner track at the firm. Alicia and Kalinda slowly start to rebuild their friendship. Will is under investigation for briefly stealing a client’s money to pay a gambling debt. Alicia decides to end her affair with Will. Will ends up with a 6-month suspension from practicing law. Peter decides to run for governor.

The geeky episodes this season are:

Episode 13: “Bitcoin For Dummies” – I feel like this episode needs no introduction, except perhaps to say that this is only the first of several episodes about the more intricate details of Bitcoin and the Bitcoin community.
Episode 15: “Live from Damascus” – Chumhum is sued for selling software to Syria.

Season 4 and Onwards

Season 4 is where the show really hits its stride, tech-wise. We see repeat business from Chumhum (the Google/Facebook analog), and the government starts digging around in the firm’s and Alicia’s business, with dramatic results (including a demonstration of the real-world implications of the NSA’s three-hop wiretapping rule). Just watch all the episodes from here on out, you won’t regret it!

I hope you enjoy this show as much as I have. With four episodes to go in the seventh and final season, you’ve got some catching up to do!

#EqualPayDay, “impostor syndrome”, and flipping tables

Equal Pay Day was yesterday, and for the second year in a row Microsoft published their pay equity data:

Like last year, they neglected to include any data about the relative promotion velocities[1] and retention numbers of various demographics. This got me thinking.

Frits Vilhelm Holm 1916.jpg
An actual impostor, from Wikipedia’s List of Impostors

Impostor syndrome” is an entirely rational behavior for folks who do get called impostors (ie. many underrepresented people). It’s part coping mechanism, part just listening to the feedback you’re getting.

But there’s another side to it: it’s more painful to know that you’re good enough and then get passed over despite that than it is to feel like you’re not good enough. To have done all that work to get over the subtle and not-so-subtle voices saying that you’re not qualified, that you’re a charlatan, that you don’t “have enough personal experience to evaluate” (that one I got last year, ten years into working in my field 💅). All of the implicit and explicit bias, all of the socialization. To know that you are good enough, and for that to not be enough.

“I’m good enough” is fixable. It puts you in some small measure of control. Just work harder, speak up more, but make sure you’re not “abrasive”… Lean in so goddamn hard you sprain something, and you’ll eventually get there.

Sadly, that’s not what the research shows. I’m most familiar with the research on why women leave tech, but I believe this point is broadly applicable to underrepresented people. It’s clear that women leave tech because they get fed up with their careers stalling out. With going full steam ahead and running into things like the maternal wall and other deeply-held biases.

So they flip a table[2] and leave. Or they have a plan in place to do so, when the day comes.

We call it “impostor syndrome”, but we’re not sick. The real sickness is an industry that calls itself a meritocracy but over and over and over fails to actually reward merit.

This is fixable. It will take doing the work of rooting out bias in all its forms, at all levels – and critically, in who gets chosen to level up. So let’s get to work.

[1] Promotion velocity is a bit of a jargony HR term, but it’s an easy metric to quantify in companies like Microsoft where there are set career ladders – it’s the speed at which people move up through the ranks.

[2] A year ago today I published a bit of a rant at There were some nice articles written about it, and you can of course follow it on Twitter, though I’ve not been very good at keeping it up to date. I didn’t exactly end up tableflipping (immigration got in the way of the whole starting-a-company thing, a story for another time) but I did do a heck of a lot of research before deciding where to go.

Turkey Soup

Lots of folks will be roasting turkeys tomorrow, and while there are a zillion recipes out there for turkey soup, this is the one I grew up with. My mum always said that it was better than the turkey itself, and while I’m a big fan of her perfectly brined birds, this soup really is sublime.



Save the bones if you’ve eaten the drumsticks etc. Once the pandemonium of the main meal is over, take all the leftover meat off the carcass and put it to one side – you’ll use some of it later.

Cover the carcass in water in a big pot. Add:

  • a couple of onions, peeled and cut in quarters
  • some celery (mainly the leaves for the stock-making process, you’ll use the stems later)
  • salt, pepper
  • a couple of tablespoons of thyme

Simmer for 2-3 hours. While it’s simmering, cook up about 3 cups of rice (more or less depending on how big a bird you’re working with). Mum uses plain white rice but last year I used 2 cups of basmati and one cup of wild rice and it was delicious, so be adventurous! Put the rice aside for later.

Once the stock has simmered adequately, strain it – carefully! Toss the bones and other solid parts.

There are two ways to de-fat your stock: chill the strained stock and skim the fat off the top of the gelled stock, or use a fat separator (I love my OXO Good Grips 4-Cup Fat Separator, which looks like a weirdly shaped measuring cup). You can skip this step but the soup will be a little greasier. It will still be delicious, don’t worry.

If you did the chilling step, bring soup back to boil. Either way, add:

  • the cooked rice
  • chopped celery
  • chopped turkey
  • salt and pepper to taste

Simmer for about another half an hour, then enjoy with rustic crackers, French bread, or other delicious carbs. A bit of Tabasco goes nicely too.

The soup freezes really well, so don’t be afraid to make lots!

If you enjoyed this recipe, you may also enjoy my mother’s English Bread Sauce recipe, which I posted a few years back.

Happy holidays!

Bingo and Beyond

TL;DR: I was the instigator of the bingo card at 2014’s Grace Hopper conference. For more on how to not have me make a bingo card making fun of you at some point in the future, skip to the resources at the end. But for a fun story, read on…

2015’s Grace Hopper Celebration of Women and Computing is coming up in a few weeks. I’ll be attending as well as speaking on Friday on security and open source software, alongside some brilliant and fabulous women.


I first attended GHC in 2011, when I drove down from Seattle to Portland to attend the Open Source Day on Saturday of the nearly week-long event. I remember my initial shock at the number of makeup mirrors and lip balms in my swag bag being replaced by joy at getting to hang out with so many amazing women.

Last year, in 2014, I participated in a panel at GHC for the first time, and it was a fantastic experience. My co-panelists were well-prepared and the discussion was great; the audience was enthusiastic and I had wonderful conversations afterwards.

And Downs

My panel came at the end of a very, very long week. On Wednesday, the “Male Allies” panel was, as I suspected it would be, a disaster. Thursday, Microsoft CEO Satya Nadella stuck his foot in his mouth fairly epically on the topic of salary negotiations. It was so bad that PC Magazine and ReadWriteWeb wrote about it, and even quoted one of my tweets:

Prior to the 2014 event, people far more patient than me had tried to engage with the Anita Borg Institute, the $7+ million-dollar-per-year-budget non-profit that puts on the Grace Hopper conference, explaining seriously and respectfully that the Wednesday “Male Allies” plenary panel was not a good use of 8,000 women’s time. They’d even tweeted in good faith at the new (non-elephant-murdering) CEO of GoDaddy after he wrote a smarmy blog reply to a critic that was inflammatory and disrespectful.

But the show went on.


In the Ally Skills Workshop I’ve taught many times, we caution that humour is an advanced-level ally skill and often backfires. Sometimes, though, a joke is the best way to make a point, especially when a straightforward approach isn’t working.

I’ve long found bingo cards to be a particularly hilarious form of social commentary. Bingo cards are a way to point out commonly used weak arguments by people who don’t understand a social justice cause. You put common bad arguments or key phrases in each square and mark them off you listen to people speak; if the speaker makes enough bad arguments in a row, someone will get bingo.

A week before GHC2014 I started collecting the frustrating phrases and concepts I expected to hear on the panel.

That’s right. You heard it first right here on hypatia dot ca: I was the primary voice behind the “Union of Concerned Feminists,” and instigator of last year’s bingo card shenanigans.

The bingo card (pdf) was more than a stress-relieving in-joke – it was important enough that the New York Times mentioned it in their story about the panel a mention in the New York Times:

This year attendees also created a Bingo game involving tone-deaf things men in tech said to women, like name-dropping Ms. Sandberg, or saying, “That would never happen in my company.”

I wanted to share the story of its production for the first time, as well as some lessons learned and ways forward.


There is a particular kind of powerlessness to being in the audience at an event like this allies panel. Women who reported harassment to HR and were fired for it have to listen to well-meaning powerful people on stage tell them that HR is their friend. Women who worked twice as hard as their male peers and watched them get promoted over their heads have to hear someone tell them to “just” work harder. Each cringeworthy “Lean In”-style platitude is a reminder that the system is rigged; that those running the show either aren’t paying attention, or that they are and that they know that those platitudes keep them where they are. It’s a reminder of how much we over-value confidence in leadership, and the way that systematically pushes men up beyond their abilities, and keeps women below our full potential.

The bingo card was an attempt to flip that script (and that table). It allowed many in the audience to own the truth of their experiences while they were being denied, to reclaim their time, to clear away the nagging voice saying that they weren’t enough.

It was written in solidarity with all the women who’d heard the platitudes written in the squares on the card before, and wanted to say: “Not in this space, not to this audience. Not now.”


Thanks to the magic of Google Spreadsheets, I can see that the first thing I wrote down was “We’re all in this together” – as a potential center square (traditionally the space for the most common platitude). Over the next few days, a number of friends (who may choose to claim credit in the comments, or not, as they wish) descended upon the doc, adding funny burns and frustrating truths.

The morning before the panel, I not terribly surreptitiously went to the UPS Store right in the convention centre and printed up 500 copies of the final bingo card. As I ran into women I knew throughout the day, I told a select few the details of my plan and asked them to meet before the panel. When the time came, we divided up the bingo cards and moved quickly through the room, passing a small number down each row.

It was a big room — did I mention that this was a plenary session? — but managed to achieve pretty good coverage before a staffer noticed what was happening. We discreetly tucked away our remaining bingo cards and sat down to watch the panel. We’d given out almost all of the bingo cards — probably 450 total copies. I later learned that several women had printed out bingo cards at home and played while watching the livestream of the panel.

The centre square had eventually been replaced with ~PIPELINE~, leading to this hilarious Vine from my friend Haley:


Things were off to a trainwreck start, with Barb Gee praising the ally work of this dude as she framed the context of the panel.

As the panel went on, every few minutes a panelist would say something trite, and there would be giggles from the audience and a rustling of papers as hundreds of women circled a bingo square together. About two-thirds of the way through an excruciating hour, one brave woman near the very back of the venue yelled “bingo,” causing ripples of laughter through the audience. The panelists on the stage were a bit confused, but decided to interpret it as cheering and resumed their conversation, which you can read a transcript of here thanks to Julie Pagano’s patient work. I would later get to meet the bingo-caller, Alex, when about 14 people convened at a nearby restaurant afterwards:

Out of the laughs and frustration, one immediate positive outcome was thanks to Alan Eustace, who arranged to have a “reverse” allies panel the following day.

There, he and two of the other three panelists (Blake from GoDaddy and Mike Schroepfer from Facebook) listened quietly as a number of women told stories that showed just how useless the previous day’s “advice” had been. It was heart-rending to hear story after story of women’s achievements being ignored, careers stalling out, harassment reports being mishandled or leading to further retaliation — but none of it was surprising, except, it seemed, to the men at the front of the room listening.

Lessons learned

One of the all-too-frequent complaints about efforts to encourage women in tech is the bogeyman of “affirmative action” — the idea that qualified men will be displaced by less-qualified women, despite evidence to the contrary.

For all their good intentions, the panelists were woefully underprepared for any kind of substantial discussion. Instead, their trite, predictable, and PR-approved answers served to reinforce the status quo and, in effect, justify existing systems of discrimination.

That day, I saw bingo cards which were almost full. The men who appeared on the plenary stage were not qualified to speak on this topic in front of a room full of 8,000 women, most of whom knew more on the topic than they did. The bar has been lowered — but for men.

Moving forward

GHC 2015 draws near. When I checked Twitter yesterday evening, I was greeted by this:

Kelly was referring to this glowing press release. It made me worry that ABI learned very little from last year’s events — and got me to finally finish writing this post. Reading the press release, I saw that Brian Nosek’s work on Project Implicit makes him more qualified to speak on topics related to gender diversity than any of last year’s panelists, and I look forward to hearing what he has to say. On the other hand, GoDaddy’s CEO is speaking again, this time as a plenary keynote about “transforming their organization.” While I’ve heard through the grapevine (sometimes known as the “creepvine”) that GoDaddy has gotten better as a workplace for women in recent years — it seems unlikely that the women in the audience will learn anything worth an entire plenary keynote. What this looks like is that ABI is playing along with GoDaddy’s long-term plan to pinkwash their organization into shape for an upcoming IPO, which is currently not possible thanks to years of sexist advertising by their founder, former CEO, board member, and largest shareholder, Bob Parsons. And I’m curious what senior IBMer Grady Booch brings to the conversation that a woman from IBM of similar seniority wouldn’t have.

Whatever the men on last year’s male allies panel may have learned about what women at GHC are eager to hear – and what we never want to hear again – it doesn’t seem to have gotten through to leadership at the Anita Borg Institute, who chooses the plenary speakers and panels. I wonder why companies continue to sponsor ABI and GHC when they continue to ignore the clearly expressed demands of the people they claim to serve – including the thousands of women who attend GHC each year.

Further reading and things you can do

For any guys reading this and feeling like bad allies or whatever, remember that it’s a process, not an identity, as @FeministGriote said. Keep learning, keep doing. You can chip away at the shitty parts of the world and make things better for the women in your life and around you. Here are some specific suggestions:

“Courage my friends, ’tis not too late to build a better world” said Tommy Douglas, who Canadians know as “that dude who made healthcare happen.” As my first bingo square said, we are all in this together — so let’s get to work.

Up the creek without attribution

While discussing hilarious and terrible canoeing anecdotes with some friends, a famous line popped into my head: “A Canadian is someone who knows how to make love in a canoe.” I initially thought it was Pierre Elliot Trudeau, but a quick search revealed two things: that the usual attribution is to Pierre Berton, and also that it’s “the most famous line [he] never spoke.”

Radio host Peter Gzowski, whose interviews I was raised listening to, wrote in his book The Private Voice (quoted here):

Pierre says he didn’t say it, or if he did he took it from someone else, but whoever the authority is, if that’s the test, I fail. I do know how to gunwale a canoe…, portage it, right it without getting out of the water, and sail it home with my hockey sweater tied to a paddle. But make love? You got me.

Who knows who wrote it? ¯\_(ツ)_/¯ It is a 👻 ~mystery~ 👻. As Brit Mandelo says in an essay on Joanna Russ’s How to Suppress Women’s Writing, “the history of women writers as friends, as colleagues, as individuals, as a group — is written on sand.” And yet, we know who said this. Berton’s biographer tells the story:

At that moment it was likely the woman and not the moon or the music or the canoe that drew him to her. Yet in the hourglass of memory it was the canoe and the country to which he gave credit. “A Canadian,” Berton is believed to have proclaimed, “is somebody who knows how to make love in a canoe.” […]

Ma Murray
Ma Murray, from Library and Archives Canada

The legendary observation concerning the canoe first appeared in 1973, when the writer Dick Brown attributed it to Berton. Berton did nothing to dispel the notion. Janet [Berton’s wife], however, came to hold another view. She acknowledged the first kiss at Cultus Lake, and that it may have taken place in a canoe, but as far as she knew, the author of the “love in a canoe” quip was not Pierre but Ma Murray, the outspoken British Columbia newspaperwoman people variously dubbed “the Rebel Queen of the Northwest” or “the Salty Scourge of Lillooet.” Her daughter, Georgina, worked for a time at the CBC – and this, Janet thought, helped the quotation circulate.

Margaret Lally “Ma” Murray seems like she was pretty cool lady. It’s a funny line – as she would say, “that’s fur damshur” – so I’m damshur happy to be able to point to its rightful author.

The Life-Changing Magic of Six Months

Earlier this year, I read Marie Kondo‘s bestselling book, “The Life-Changing Magic of Tidying Up” after reading a review in the New York Times. Her fantastic “KonMari” decluttering / home organization methodology was, for me and many others I know who’ve read it, life-changing. Asking yourself whether an item “sparks joy” and then thanking it for its service if you choose to discard it has had a transformative effect on how I think about the stuff in my space, and has been particularly useful as I whittle down my 1-bedroom-apartment’s worth of stuff into a more reasonable amount for my current studio.

Throughout the book, she directs the reader to embark on their tidying effort “all at once” and “in one go.” I found this extremely intimidating! I have a lot of crap from a decade of mostly living on my own, and there are many ~feels~ associated with said crap. Processing those feels is a lot of work – as Kondo puts it, “The question of what you want to own is actually the question of how you want to live your life.” So “all at once” felt, at times, super overwhelming to read.

Except that when she says “all at once,” she means six months. She only says this once in the whole book:

To achieve a sudden change like this, you need to use the most efficient method of tidying. Otherwise, before you know it, the day will be gone and you will have made no headway. The more time it takes, the more tired you feel, and the more likely you are to give up when you’re only halfway through. When things pile up again, you will be caught in a downward spiral. From my experience with private individual lessons, “quickly” means about half a year. That may seem like a long time, but it is only six months out of your entire life. Once the process is complete and you’ve experienced what it’s like to be perfectly tidy, you will have been freed forever from the mistaken assumption that you’re no good at tidying. (kindle link)

When I got to this passage I breathed a sigh of relief, and I wanted to share it in the hopes that it will encourage others to read her book and go a little easier on themselves in doing so. Here’s to sparking joy!

Bounty Launch Lessons

Cross-posted from Ryan over on Medium.

@magoo and @hypatiadotca

You’re thinking of launching a security bug bounty program where you pay researchers cold hard cash to report their security bugs directly to you.


But before you write your shiny announcement blog post and collect the precious retweets, let’s do some thinking and build a launch plan so you don’t drown yourself.

You Get What You Ask For

The root cause of many bounty problems is launching too fast. Bug bounties aren’t going to be the right move for every organization when there’s a lot of work that could be spent on the fundamentals. While you should always have security in mind developing software, bounty programs require particular ways of prioritizing work and allocating staff that may not be right for your team right now. Let’s walk through each burden a bug bounty program will bring, and then you’ll be ready.

Before the Bounty

Before you even consider a program, your engineering house should be in reasonable order. A bounty program will always give you more engineering work. It is not a development framework, firewall, network appliance, or other magic security product. It is a program of “exercise and vegetables” that will succeed with care and attention.

Here are the attributes we’ve seen make for successful programs:

  • Reality Check: Do you already have extensive security debt — known vulnerabilities and creaky infrastructure?
  • Triage: Are bugs centralized, tagged, prioritized, and do they generally find an ultimate owner? Are security bugs reasonably prioritized versus their owner’s other work?
  • Culture: Is there an appetite from your engineers to fix security bugs? Do you have leadership buy-in to prioritize externally reported issues, and executive air cover for the PR noise that will come out of a bounty program?
  • Backstop: Who will be fixing bugs with no clear owner, or project manage systemic issues requiring substantial engineering effort?

If you aren’t already treating security issues like you would treat scale issues, you risk creating a new problem. Some teams have used bounties as an instigator to fix these issues, but that’s your own call — it can be a risky move. Having the above items in place is your best chance for success.

Starting Slow

Don’t make the mistake of launching a bounty program in one fell swoop. You do not want public commitments and press haunting you while running headlong into signal versus noise issues and internal engineering drag.

Instead, design your launch properly.

Minimize the scope so that you’re only receiving reports for areas you are confident are more robust, have lots of room to mitigate issues, or are under active development and able to make changes with the most agility. Grow the scope as you become confident until your program has broad coverage.

Start with lower bounty amounts to keep things lower-stakes. Increase the amounts as you become confident, until you’re competing with going rates in your industry.

Invite high quality researchers in a private program so you’re not suddenly following up with a horde of mixed quality researchers. As your spikes become lulls, start inviting more researchers until the program is public.

Having a project manager onboard to attach milestones to your program rollout can be very helpful, for example “Full scope within 3 months” or “$1k bounties by EOY”. It’s all a matter of your own pace.

Running Smoothly

The bulk of the work of running a bounty program can be broken down into the following parts: triage, engineering fixes, and public communications.

Incoming bugs will need initial triage for signal. Submissions will include product misunderstandings, disagreements on risk trade offs and best practices, and your standard OWASP Top Ten bugs. Reputation systems can be an important tool to keep noise under control, and give the folks running triage a good metric for how much to dig into a particular bug.

Having security and non-security engineers collaborate on first level triage can be a great way to promote awareness and empathy towards the security mission. As your security team grows and specializes, you’ll likely move from an all-hands-on-deck rotation to dedicated triage, with higher level triage going to engineers who are closer to mitigation.

Contracting can also make sense for initial triage. Budget 2–5 hours per week for first level triage for a startup with a small attack surface, or work out a per-bug fee with a reputable vendor.

Be wary of burnout when it comes to triage, particularly if one person ends up handling most or all of it. However you handle triage — collaborating with non-security engineers, sharing a rotation, or contracting it out, it becomes easier to involve others if your culture can appreciate a nasty bug. The folks interfacing with researchers will spend a lot less time crafting the perfect “sorry but not a bug” message if they know that their company has their back.

Engineering fixes for bounty bugs will range from changing one line in a config to substantial coordination between multiple teams, outside vendors, or upstream open source projects. Treat this like you would any systemic problem within your engineering organization and have project management capability in place to shepherd the complex bugs.

When it comes to public communication, don’t let your submission threads turn into typical internet debate. Some researchers will permanently disagree on the severity of bugs, submit low quality bugs, or threaten hostile blog posts. It’s important to expect this and involve level headed teammates who are well practiced in empathy. Try to be payout-lenient and encourage good research (even when off the mark), but have clear policies for what constitutes a bug and what you’ll pay out for when you find research that is way off the mark. If there’s a conflict over the severity of a bug and you’re certain it’s low risk… disclose the details. With the specifics out in public, misrepresentation can’t happen.

Bounties Forever!

Once you’re paying public bounties under a wide scope, you should have plans to track the interaction of your bounty program with the engineering team on a regular basis.

Here’s some basic questions to ask regularly:

  • Budget: How much are we paying weekly / quarterly / annually?
  • Risk: What are our top five bugs in severity this quarter?
  • Regression: What issues keep recurring? What tools or practices can we deploy to prevent them in the future?
  • Hiring: Which researchers should we recruit?
  • Atrophy: What bugs took too long to fix?
  • Happiness: Are researchers happy?

We should all aspire for a million dollar bounty. It should be so hard to score a bug in a product that we’ll someday be willing to put a million dollars behind it.

Someday, your security program could be described by expensive bugs.

Good luck.


I’m a security guy, former Director at Facebook, Coinbase, and currently a HackerOne founder / advisor and consultant for a handful of startups. Incident Response and security team building is generally my thing, but I’m mostly all over the place.


I’m a security engineer at Slack. Prior to Slack, I worked at, Microsoft, and Symantec. I care a lot about building sustainable, healthy security cultures that help developers ship code with confidence.

Take action to fight white supremacy

Emanuel African Methodist Episcopal (AME) Church
“Emanuel African Methodist Episcopal (AME) Church” by Cal Sr, CC-BY-SA

I’ve often said that guilt is not a useful emotion, and in particular I’ve always thought that “white guilt” was whiny self-serving bullshit. White people can choose to leave the status quo as it is, with all the institutional, unconscious, and direct ways that white people are privileged in American and other cultures. Or we can choose to take action to support equality – to stand in solidarity with people of colour and recognize their full humanity. Acts like the white supremacist terrorist assault on the Emanuel African Methodist Episcopal Church in Charleston last week are stark reminders that there are white people who most definitely do not recognize that humanity. In the wake of such violence, doing nothing says that you are ok with the world as it is.

Inspired in part by my friend Val’s earlier donations, but in particular by Zoé S.’s tweet:

I have donated $250 each to each of these organizations:

The American Civil Liberties Union, which works on the fight for voting rights, against the infuriating school-to-prison pipeline, and on many other racial justice issues. Follow @aclu on Twitter, and donate here. Donations to the ACLU are not tax-deductible or employer-matchable; if that matters to you, donate to the ACLU Foundation here.

We the Protesters works to “fulfill the democratic promise of our union, establish true and lasting justice, accord dignity and standing to everyone, center the humanity of oppressed people, promote the brightest future for our children, and secure the blessings of freedom for all black lives.” Follow the amazing activists behind this movement on Twitter, or donate via the PayPal button at the end of their homepage. Donations are not tax-deductible.

Black Women’s Blueprint works “to develop a culture where women of African descent are fully empowered and where gender, race and other disparities are erased” through research, historical documentation, and movement-building. Follow @BlackWomensBP on Twitter, and donate here. Donations are tax-deductible and eligible for employer matching – you’ll need to get the match by looking up JustGive (EIN 94-3331010) in your employer’s matching system and designating the donation towards BWB.

The Equal Justice Initiative works “to reform the criminal justice system, challenge poverty and the legacy of racial injustice, educate the public and policymakers, and create hope in marginalized communities.” Follow @eji_org on Twitter, and donate here. Donations are tax-deductible and eligible for employer matching.

Giving to any (or all!) of these four organizations is a direct way to fight racism and white supremacy in the United States. Guilt is useless. Take action.

Please feel free to leave comments with links to other organizations which fight for racial justice in the US and around the world.

If You’re Going to Hang Pictures in San Francisco

I grew up pretty much smack dab on the middle of the Canadian Shield, one of the more seismically stable places on the planet. Now that I live in San Francisco, I’m basically always thinking about how to survive an earthquake. When I went to hang some pictures, this ended up being a major research project, so for all my Canadian friends in the Bay Area or just other paranoid types, here’s what you need to have pictures hung as well as these:

1) OOK Tremor Hangers – these babies have a clip to keep your cable from jumping out of the hook, and come with OOK’s excellent hardened picture-hanging nails. The kit I linked to is the best deal for a bunch of them; if you need fewer, check out Home Depot. One alternative which some friends speak highly of but which I haven’t tried are the Quakehold “maze” style hangers – these might be easier to find at your hardware store, too.

2) Quakehold Putty – it’s like the blue sticky tacky stuff used to put posters up in camp and university dorms, except it doesn’t stain everything that nasty greasy blue. There’s even a clear version for sticking glassware to shelves etc.

3) 3M Picture Hanging Strips – I could write a whole blog post about how much I freaking love 3M Command Adhesive stuff. It’s the best. The picture strips are this weird velcro-like stuff that is great for hanging lightweight stuff on its own, or also are great at stabilizing and load-balancing in conjunction with the OOK hangers.

Those will do you right for drywall walls. If you’re a renter and nervous about your landlord noticing your hasty post-move-out spackle job, I highly recommend the 3M Sticky Nails. They don’t have clips like the OOKs, but if you’ve got quake putty and the hanging strips you’ll be alright up to a point. There’s a version for sawtooth type picture frames (which I hate), or wire-backed.

I had one concrete wall at my first SF apartment (the one that jacked up my rent by $500/mo when the lease was up for renewal… needless to say I don’t live there any more) and this taught me the joys of hard wall hangers. These are plastic hooks with small nails embedded in them, which will get just enough grip on a concrete wall to hold up a pretty large picture. I was nervous about the cable “jumping” out of the anchor, so I fashioned a complicated arrangement where I sandwiched the cable between the anchor hook on the bottom and a 3M Command “sticky nail” on top to keep the wire from jumping. And earthquake putty on both the anchor hook itself as well as a couple places on the frame. And 3M picture strips on the sides. This was a real belt and suspenders kinda operation…

Which is good, because four days after I finished hanging those pictures, there was a minor earthquake. All of my stuff stayed securely on my walls. Victory!

I’ve linked to products on Amazon, but Home Depot carries all of these as well, and the Container Store has quake putty and the full assortment of 3M Command delights. Cole Fox, which is a wonderful local hardware chain in SF, carries putty, 3M stuff, and hard wall hangers, the “maze” hangers, and some safety/tremor hangers that look similar to the OOK ones.

Happy picture hanging!