How to run a kick ass bug bounty program - Node Summit 2013

22
How to run a kick-ass bug bounty program Casey Ellis – CEO Chris Raethke – CTO Bugcrowd Inc

TAGS:

description

Bug bounty programs are all about getting good guys who think like bad guys to help you protect your business from application security flaws. In this workshop Casey Ellis and Chris Raethke from Bugcrowd, The Bug Bounty Company, will go through some of the tricks and tips of setting up and running a successful bug bounty program.

Transcript of How to run a kick ass bug bounty program - Node Summit 2013

Page 1: How to run a kick ass bug bounty program - Node Summit 2013

How to run a kick-ass bug bounty program

Casey Ellis – CEO Chris Raethke – CTO

Bugcrowd Inc

Page 2: How to run a kick ass bug bounty program - Node Summit 2013
Page 3: How to run a kick ass bug bounty program - Node Summit 2013

AGILE SCRUM

PAIRING TDD

CI

BEST PRACTICE...

Page 4: How to run a kick ass bug bounty program - Node Summit 2013

all apps have security bugs

...REALITY

Page 5: How to run a kick ass bug bounty program - Node Summit 2013
Page 6: How to run a kick ass bug bounty program - Node Summit 2013

Current Approach

Page 7: How to run a kick ass bug bounty program - Node Summit 2013

Bad Guys Good Guys

...help!

ARRRGGGH!

Page 8: How to run a kick ass bug bounty program - Node Summit 2013

A Better Approach

Page 9: How to run a kick ass bug bounty program - Node Summit 2013

Bad Guys Moar’ Good Guys

...arrrrrgh?

Page 10: How to run a kick ass bug bounty program - Node Summit 2013

What is a bug bounty program?

Page 11: How to run a kick ass bug bounty program - Node Summit 2013

Bug bounties are awesome…

Page 12: How to run a kick ass bug bounty program - Node Summit 2013

…but hard.

Page 13: How to run a kick ass bug bounty program - Node Summit 2013

The mistake *everyone* makes

DATA PEOPLE

Page 14: How to run a kick ass bug bounty program - Node Summit 2013

The Golden Rules

Page 15: How to run a kick ass bug bounty program - Node Summit 2013

Respect the researcher

Page 16: How to run a kick ass bug bounty program - Node Summit 2013

If you touch code, pay it.

Page 17: How to run a kick ass bug bounty program - Node Summit 2013

Manage expectations

Page 18: How to run a kick ass bug bounty program - Node Summit 2013

Normalize inputs

Page 19: How to run a kick ass bug bounty program - Node Summit 2013

Pay quickly

Page 20: How to run a kick ass bug bounty program - Node Summit 2013

Fix problems quickly

Page 21: How to run a kick ass bug bounty program - Node Summit 2013

Be open about duplicates

Page 22: How to run a kick ass bug bounty program - Node Summit 2013

Questions?

Casey Ellis – CEO Chris Raethke – CTO

Bugcrowd Inc


Bug Bounty #Defconlucknow2016

Bug Bounty #Defconlucknow2016

Bug Bounty Programs : Good for Government

Bug Bounty Programs : Good for Government

IDA Vulnerabilities and Bug Bounty  by Masaaki Chida

IDA Vulnerabilities and Bug Bounty  by Masaaki Chida

Bug Bounty - Play For Money

Bug Bounty - Play For Money

State of Bug Bounty Report

State of Bug Bounty Report

Penetration Testing of Web Applications in a Bug Bounty ...

Penetration Testing of Web Applications in a Bug Bounty ...

The History of Bug Bounty Programs

The History of Bug Bounty Programs

The #1 Hacker Powered Pentest & Bug Bounty Platform PENTEST · The #1 Hacker Powered Pentest & Bug Bounty Platform PENTEST / sales@hackerone.com / +1 (415) 891-0777 KEY BENEFITS Satisfy

The #1 Hacker Powered Pentest & Bug Bounty Platform PENTEST · The #1 Hacker Powered Pentest & Bug Bounty Platform PENTEST / [email protected] / +1 (415) 891-0777 KEY BENEFITS Satisfy

Bug Bounty @ Swisscom

Bug Bounty @ Swisscom

Bug Bounty Logistics and Legalities: Your Questions Answered

Bug Bounty Logistics and Legalities: Your Questions Answered

9 Top Bug Bounty Programs

9 Top Bug Bounty Programs

Bug Bounty

Bug Bounty

THE STATE OF BUG BOUNTY - Founder Shield...Bug bounty platforms manage the operational end of the programs, bringing the research community together and handling the payment process,

THE STATE OF BUG BOUNTY - Founder Shield...Bug bounty platforms manage the operational end of the programs, bringing the research community together and handling the payment process,

MMNOG 2020 - 2020 MMNOG Understanding... · A simple DEFINITION Bug Bounty Program Bug Bounty Program (BBP) or Vulnerability Disclosure Program (VDP) could be simply defined as an

MMNOG 2020 - 2020 MMNOG Understanding... · A simple DEFINITION Bug Bounty Program Bug Bounty Program (BBP) or Vulnerability Disclosure Program (VDP) could be simply defined as an

MMNOG 2020 Understanding... · A simple DEFINITION Bug Bounty Program Bug Bounty Program (BBP) or Vulnerability Disclosure Program (VDP) could be simply defined as an organizational

MMNOG 2020 Understanding... · A simple DEFINITION Bug Bounty Program Bug Bounty Program (BBP) or Vulnerability Disclosure Program (VDP) could be simply defined as an organizational

The Bug Bounty Growth Hack

The Bug Bounty Growth Hack

Find Blue Oceans - Through the Competitive World of Bug Bounty

Find Blue Oceans - Through the Competitive World of Bug Bounty

Bug Bounty Hunter L - redteamacademy.comOverview of Bug Bounty Hunter A bug bounty program, also called a vulnerability rewards program (VRP), is a crowdsourcing initiative that rewards

Bug Bounty Hunter L - redteamacademy.comOverview of Bug Bounty Hunter A bug bounty program, also called a vulnerability rewards program (VRP), is a crowdsourcing initiative that rewards

THE STATE OF BUG BOUNTY - HubSpot

THE STATE OF BUG BOUNTY - HubSpot

5 Keys to Successfully Running a Bug Bounty Program

5 Keys to Successfully Running a Bug Bounty Program