bugcrowd
May 20 2015
Agenda
Introductions
Bug bounty program evolution
Common myths and misconceptions
Lessons from Barracuda’s Bug Bounty program
How businesses and technology derive value from bug bounty programs
The art of running a successful & effective bug bounty program
@k3r3n3
http://k3r3n3.com
Industry Analyst & Author
Source : “25 Years Of Vulnerabilities: 1988-2012 Sourcefire Research Report”
History of Bug Bounties
Bug Bounty Programs (timeline): 1995, 2002, 2004, 2005, 2007, 2010, 2011, 2012, 2013, 2014, 2015
Source : 1995 PR Newswire Association , The Free Library
Finifter, Matthew, Devdatta Akhawe, and David Wagner. "An Empirical Study of Vulnerability Rewards Programs." USENIX Security. Vol. 13. 2013.
Your Elastic Security Team.
These brands (and others) trust Bugcrowd…
Source: www.bugcrowd.com/list-of-bug-bounty-programs
Adoption Across Industries
Technology
Software
Hardware
Automotive & Air Travel
Consumer Electronics
Financial Services
Common Questions:
What will we have to do, as a company?
Who else can see our vulnerability data?
Where’s the Value – and Is it worth it?
Who are these “Researchers”, anyway?
Can we hire them?
Interactive Poll Question #1
What is the most common barrier for bug bounty adoption?
Organization is not mature enough to support a program
Not sure how to engage directly with hacker community
Concerns over control of security operations and process
Perceived high operational cost vs uncertain business value
Initial Research Findings
Organizations can benefit from flexible security testing by a large community, which is sometimes a more time & cost effective approach
A trusted intermediary can help eliminate common “control” issues
Value isn’t just in security : it’s reputation, business process, & hiring
Finding Value
Business, technology and organizational values
Security : Finding bugs that everyone else missed
The “Ouch! an outsider just pwned your code” effect
Financial & Cost Effectiveness
Better Security Reputation In The Marketplace
Business, R&D process, talent pool/vetting
Case Study:
History:
Barracuda created their own bug bounty program 4.5 years ago after receiving a few submissions from outsiders
They recognized the value of more eyes and incentivizing them correctly
Built out a team to manage the program from end-to-end
Problem:
Too many team members having to spend time sifting through email submissions to find the quality reports
Too much overhead in working with finance to get a $50 (or any amount) PO created to send to a researcher
Spent a lot of resources engineering and maintaining their own report database on the backend
Solution:
Bugcrowd's Crowdcontrol platform maintains submission history across the board
Crowdcontrol handles all payment logistics, so a single check is cut to Bugcrowd; we handle the rest
Bugcrowd's management services handle the noise of the submissions so Barracuda's team can focus solely on the valid, serious reports
How to Run a Successful & Effective Program
Tips from Bugcrowd
Quality of Bugs: Types, Quantity and Severity
Finding bugs that others missed?
Attract Great Research Talent
Security Researcher POV
Is it worth it?
Am I breaking the law (globally, or in my country)?
Can I get a job?
Who is a “Researcher”, anyway?
Continue the Conversation
What benefit do you value the most from a bug bounty / vulnerability discovery program?
Go Find Some Bugs…
Thank You!
@k3r3n3
@caseyjohnellis
@bugcrowd