[Webinar] The Art & Value of Bug Bounty Programs

download [Webinar] The Art & Value of Bug Bounty Programs

of 30

  • date post

    07-Aug-2015
  • Category

    Internet

  • view

    199
  • download

    0

Embed Size (px)

Transcript of [Webinar] The Art & Value of Bug Bounty Programs

  1. 1. May 20 2015
  2. 2. Agenda Introductions Bug bounty program evolution Common myths and misconceptions Lessons from Barracudas Bug Bounty program How businesses and technology derive value from bug bounty programs The art of running a successful & effective bug bounty program
  3. 3. @caseyjohnellis https://bugcrowd.com casey@bugcrowd.com CEO & Co-Founder
  4. 4. @k3r3n3 http://k3r3n3.com Industry Analyst & Author
  5. 5. Source:25YearsOfVulnerabilities: 1988-2012SourcefireResearchReport
  6. 6. @K3r3n3
  7. 7. Bug Bounty Programs
  8. 8. Source : 1995 PR Newswire Association , The Free Library
  9. 9. 1995 2002 2004 2007 2010 2011 2012 2014 2013 2015 2005 History of Bug Bounties
  10. 10. Finifter, Matthew, Devdatta Akhawe, and David Wagner. "An Empirical Study of Vulnerability Rewards Programs." USENIX Security. Vol. 13. 2013.
  11. 11. Your Elastic Security Team.
  12. 12. These brands (and others) trust Bugcrowd
  13. 13. Source: www.bugcrowd.com/list-of-bug-bounty-programs Adoption Across Industries Technology Software Hardware Automotive & Air Travel Consumer Electronics Financial Services
  14. 14. Common Questions: What will we have to do, as a company? Who else can see our vulnerability data? Wheres the Value and Is it worth it? Who are these Researchers, anyway? Can we hire them?
  15. 15. Interactive Poll Question #1 What is the most common barrier for bug bounty adoption? Organization is not mature enough to support a program Not sure how to engage directly with hacker community Concerns over control of security operations and process Perceived high operational cost vs uncertain business value
  16. 16. Initial Research Findings Organizations can benefit from flexible security testing by a large community, which is sometimes a more time & cost effective approach A trusted intermediary can help eliminate common control issues Value isnt just in security : its reputation, business process, & hiring
  17. 17. Finding Value Business, technology and organizational values Security : Finding bugs that everyone else missed The Ouch! an outsider just pwned your code effect Financial & Cost Effectiveness Better Security Reputation In The Marketplace Business , R&D process , talent pool/vetting
  18. 18. Case Study: History: Barracuda created their own bug bounty program 4.5 years ago after receiving a few submissions from outsiders They recognized the value of more eyes and incentivizing them correctly Built out a team to manage the program from end- end
  19. 19. Problem: Too many team members having to spend time sifting through email submissions to find the quality reports Too much overhead in working with finance to get a $50 (or any amount) PO created to send to a researcher Spent a lot of resources engineering and maintaining their own report database on the backend Solution: Bugcrowd's crowd control platform maintains submission history across the board Crowdcontrol handles all payment logistics, so a single check is cut to Bugcrowd, we handle the rest Bugcrowd's management services handle the noise of the submissions so barracudas team can focus solely on the valid, serious reports Case Study:
  20. 20. How to Run Successful & Effective Program Tips from Bugcrowd Quality of Bugs, Types, Quantity and Severity Finding bugs that others missed? Attract Great Research Talent
  21. 21. Security Researcher POV Is it worth it? Am I breaking the law (globally, or in my country?) Can I get a job? Who is a Researcher, anyway?
  22. 22. Continue the Conversation What Benefit Do You Value The Most From a Bug bounty / Vulnerability Discovery program?
  23. 23. Go Find Some Bugs Thank You! @k3r3n3 @caseyjohnellis @bugcrowd