Nearly one year after the exclusive app Clubhouse launched on the iOS store, its popularity skyrocketed. The app, which is now out of beta, lets users drop into spontaneous audio conversations that, once they are over, are over. With COVID lockdown procedures separating many people around the world last year, Clubhouse offered its users the immediate, unplanned, conversational magic they may have lost in shifting to a work-from-home environment.
At the time, it was perhaps an app to find a feeling.
And in 2021, Luta Security CEO and founder Katie Moussouris found a crucial vulnerability in it. But when she tried to tell Clubhouse about the flaw—which let her hide her presence inside a listening “room” so she could eavesdrop on conversations—the company failed to listen to her for weeks. Her emails went unanswered, and the vulnerability she discovered could be exploited with a simple trick. Perhaps most frustrating of all was that Clubhouse had actually set up what’s called a “bug bounty” program, in which a company pays independent researchers to come forward with evidence and reports of vulnerabilities in its products.
With a bug bounty program in effect, why then did Clubhouse delay on fixing its flaw?
“[Clubhouse] is too large, too popular, and too well-funded to be in the denial stage of the five stages of vulnerability response grief,” Moussouris said on the most recent episode of Lock and Code, with host David Ruiz.
Tune in to learn about the vulnerability itself, how Moussouris discovered it, how Clubhouse delayed in moving forward, and whether bug bounty programs are actually the right tool for developing secure software.