Are You Vulnerability Blind? 3 Reasons to Reconsider a Bug Bounty
Transcript of Are You Vulnerability Blind? 3 Reasons to Reconsider a Bug Bounty
AGENDA
• Vulnerability Blindness
• 3 Reasons to Reconsider a Bug Bounty
1. How a security expert changed his mind about bug bounties
2. Why no bug bounty means missed vulnerabilities
3. How Bugcrowd finds a P1 bug every 13 hours*
1/25/17
*Increase from 1 every 27 hours earlier in 2016
WHY IS THERE AN ISSUE TO ADDRESS?
Ballooning attack surface
Cybersecurity resource shortage
Broken status-quo
Active, efficient adversaries
Breaking The Vulnerability Cycle
CONTINUOUS VULNERABILITY ASSESSMENT HAS NOT BEEN A THING
[Figure: vulnerability awareness plotted over time across successive code releases; the gap after each "Code Release" is labelled "Zone of Vulnerability Blindness"]
WIDE ADOPTION OF CROWDSOURCED SECURITY
[Chart: programs by industry: Financial Services, Consumer Tech, Retail & Ecommerce, Infrastructure, Technology, Automotive, Security Technology, Other; two thirds of programs are private]
INTRODUCING INVISION
Award-winning product design collaboration platform
• Provide two million people with the power to prototype, review, refine, manage and user test web and mobile products.
• Drives the product design process at leading Fortune 100 companies, including at Disney, IBM, Walmart, Apple, Verizon and General Motors.
INVISION SECURITY PROGRAM BEFORE BUG BOUNTY
• Monthly internal vulnerability scans
• Monthly external vulnerability scans
• Annual Third-Party Penetration Test
• 30-day patch cycle
• Web Application Firewall
• DDoS Protection
‘WHETHER OR NOT YOU’RE GOING TO HAVE THE GOOD GUYS
WORKING FOR YOU, DOESN’T MEAN THE BAD GUYS ARE GOING TO
STOP WORKING’
— JOHNATHAN HUNT
BUG BOUNTY DELIVERS CONTINUOUS VULNERABILITY ASSESSMENT
[Figure: vulnerability awareness plotted over time across successive code releases; with a bug bounty running, awareness stays continuous between each "Code Release" rather than dropping off]
A RADICAL CYBER SECURITY ADVANTAGE:
Enterprise Bug Bounty Solutions & Hackers On-Demand
• 300+ Programs run
• Every program is managed by Bugcrowd
• Deep researcher engagement and support
• No confusing pricing models and no bounty commissions
• 45,000+ researchers
• Curated crowd that thinks like an adversary but acts as an ally to find vulnerabilities
• A platform that simplifies connecting researchers to organizations, saving you time and money
• Security expertise to design, support, and manage crowd security programs
TIMELINE OF A SUCCESSFUL BUG BOUNTY PROGRAM
• Launches private bounty program
• Receives first P1 submission
• Receives 100th submission
• Runs On-Demand program
• Adds 100 additional researchers
• Receives 500th submission
CONCLUSION
Avoiding Vulnerability Blindness
• Reality of modern development pipeline dictates a new approach
• Continuous vulnerability assessment is real and achievable through the bug bounty model
• Bugcrowd delivers the radical cybersecurity advantage of the crowd
• Curated crowd
• Simple-to-use platform
• Expertise to ensure success
NEXT STEPS
TALK WITH A BUG BOUNTY EXPERT
HTTPS://PAGES.BUGCROWD.COM/TALK-WITH-A-BUG-BOUNTY-EXPERT
1/25/17 | ESCAPE VELOCITY