AppSecUSA 2016: 'Your License for Bug Hunting Season'


Your License for Bug Hunting Season
James Denaro & Casey Ellis

05/01/2023 Your License for Bug Hunting Season

Speakers

James Denaro, Attorney, Founder of Cipher Law

Casey Ellis, Founder & CEO, Bugcrowd


Agenda
• Risk & Reward of Bug Bounties
• Addressing Two Main Areas of Concern:
  1. Uncertainty
  2. Liability

Questions


Is it safe in the water?


What are we really talking about?

By W.carter - Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=34979655

Uncertainty


Uncertainty FAQs
• How do I budget for a bug bounty?
• How do I know good hackers will test my apps?
• How do I know I’ll get good results?

Top concerns for individuals looking into running a bug bounty program in the next few years


Uncertainty: Results & Talent
• Crafting your Program:
  – Program Type
    • Public vs. Private
    • Ongoing vs. On-Demand

How are researchers invited to private programs? They are measured by accuracy, activity, impact and trust.


Uncertainty: Results & Talent
• Crafting your Program:
  – Bounty Brief
    • In-Scope & Out-of-Scope
    • Rewards
    • Rules


Additional Uncertainties
• Budgeting
• Processes
• Getting internal buy-in
• Legal questions

Liability


#1 Most Frequently Asked Question
What happens if a hacker goes rogue?
• Logical
• Procedural
• Emotional
• Legal

By YBS 999 (Own work) [CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons


Additional Liability/Legal Concerns
• Contracts & NDAs
• Who has liability for loss of data/business assets?
• Personal liability?
• Who has jurisdiction?

Questions?
