[webinar] the art & value of bug bounty programs
TRANSCRIPT
May 20 2015
Agenda
Introductions
Bug bounty program evolution
Common myths and misconceptions
Lessons from Barracuda’s Bug Bounty program
How businesses and technology derive value from bug bounty programs
The art of running a successful & effective bug bounty program
@k3r3n3 (http://k3r3n3.com)
Industry Analyst & Author
Source: “25 Years Of Vulnerabilities: 1988-2012 Sourcefire Research Report”
@K3r3n3
Bug Bounty Programs
Source: 1995 PR Newswire Association, The Free Library
History of Bug Bounties (timeline figure; years shown: 1995, 2002, 2004, 2005, 2007, 2010, 2011, 2012, 2013, 2014, 2015)
Finifter, Matthew, Devdatta Akhawe, and David Wagner. "An Empirical Study of Vulnerability Rewards Programs." USENIX Security. Vol. 13. 2013.
Your Elastic Security Team.
These brands (and others) trust Bugcrowd…
Source: www.bugcrowd.com/list-of-bug-bounty-programs
Adoption Across Industries
Technology
Software
Hardware
Automotive & Air Travel
Consumer Electronics
Financial Services
Common Questions:
What will we have to do, as a company?
Who else can see our vulnerability data?
Where’s the value, and is it worth it?
Who are these “Researchers”, anyway?
Can we hire them?
Interactive Poll Question #1
What is the most common barrier for bug bounty adoption?
Organization is not mature enough to support a program
Not sure how to engage directly with hacker community
Concerns over control of security operations and process
Perceived high operational cost vs uncertain business value
Initial Research Findings
Organizations can benefit from flexible security testing by a large community, which is sometimes a more time- and cost-effective approach
A trusted intermediary can help eliminate common “control” issues
Value isn’t just in security: it’s reputation, business process, & hiring
Finding Value
Business, technology and organizational values
Security : Finding bugs that everyone else missed
The “Ouch! An outsider just pwned your code” effect
Financial & Cost Effectiveness
Better Security Reputation In The Marketplace
Business , R&D process , talent pool/vetting
Case Study:
History:
Barracuda created their own bug bounty program 4.5 years ago after receiving a few submissions from outsiders
They recognized the value of more eyes and of incentivizing them correctly
Built out a team to manage the program end-to-end
Problem:
Too many team members having to spend time sifting through email submissions to find the quality reports
Too much overhead in working with finance to get a $50 (or any amount) PO created to send to a researcher
Spent a lot of resources engineering and maintaining their own report database on the backend
Solution:
Bugcrowd's Crowdcontrol platform maintains submission history across the board
Crowdcontrol handles all payment logistics, so a single check is cut to Bugcrowd and we handle the rest
Bugcrowd's management services handle the noise of the submissions, so Barracuda's team can focus solely on the valid, serious reports
How to Run a Successful & Effective Program
Tips from Bugcrowd
Quality of Bugs, Types, Quantity and Severity
Finding bugs that others missed?
Attract Great Research Talent
Security Researcher POV
Is it worth it?
Am I breaking the law (globally, or in my country)?
Can I get a job?
Who is a “Researcher”, anyway?
Continue the Conversation
What Benefit Do You Value The Most From a Bug Bounty / Vulnerability Discovery Program?
Go Find Some Bugs…
Thank You!
@k3r3n3
@caseyjohnellis
@bugcrowd