14 DAY TRIAL // A security agent at Charles de Gaulle airport in Paris requested Katie Moussouris, Chief Policy Officer at HackerOne, to fully unlock her computer as part of an additional security check.
HackerOne is a well-known platform for bug bounty programs that is used by numerous companies and organizations, such as Dropbox, Twitter, Yahoo, OpenSSL, Perl, Nginx, Apache, PHP, Square, and Sucuri.
Basically, the platform is used by entities to receive vulnerability reports from security researchers, who receive monetary compensation in return.
Security officer did not touch the computer device
Generally, when going through an airport security check, travelers are asked to power on their electronic devices to prove that they are not just a case hiding something illegal inside.
In the case of encrypted computers, however, unlocking them by entering the password is not required, unless there are other reasons for the request.
Given the profile of the company she works for, the extra security requirement Moussouris was demanded in order to be allowed to board her flight piqued the interest of many, giving rise to speculations that the real purpose of the verification was to examine the vulnerabilities or exploits she had stored on the computer.
However, Moussouris lifted the haze and published a blog post on Monday, saying that the officer who carried out the check asked for the extra step did not touch the computer and let her board the plane as soon as a browser window appeared on the desktop screen.
No sensitive client information is available to HackerOne employees
When the officer was asked why unlocking the laptop was necessary, the answer given was “regulation.” Moussouris complied with the request because otherwise she would have missed the flight or would have subjected herself to other consequences from airport security.
“The speculation on Twitter that I was targeted due to my work at a company that hosts vulnerability coordination and bug bounty programs was amusing. At HackerOne we provide organizations with the tools they need to successfully run their own vulnerability coordination program,” she wrote in the blog post.
However, HackerOne employees do not have access to the confidential information received by the organizations through the platform.
The impression Moussouris got was that of an overzealous officer, but the happening should trigger an alarm signal as far as privacy is concerned. Her recommendation is to travel with multiple encrypted drives or with clean devices. Alternatively, one could set up a guest account on the computer, with restricted access to the data belonging to other users.