Her TED talk on the power of bug bounties has over a million views. On May 20, 2015, cybersecurity expert Keren Elazari joined Bugcrowd for an exclusive webinar. We did some bug bounty myth busting and trend spotting and had a great turnout. Keren's slides are here.
2. Agenda
Introductions
Bug bounty program evolution
Common myths and misconceptions
Lessons from Barracuda’s Bug Bounty program
How businesses and technology derive value from bug bounty programs
The art of running a successful & effective bug bounty program
20. Common Questions:
What will we have to do, as a company?
Who else can see our vulnerability data?
Where’s the Value – and Is it worth it?
Who are these “Researchers”, anyway?
Can we hire them?
21. Interactive Poll Question #1
What is the most common barrier for bug bounty adoption?
Organization is not mature enough to support a program
Not sure how to engage directly with hacker community
Concerns over control of security operations and process
Perceived high operational cost vs uncertain business value
22. Initial Research Findings
Organizations can benefit from flexible security testing by a large community, which is sometimes a more time- and cost-effective approach
A trusted intermediary can help eliminate common “control” issues
Value isn’t just in security: it’s reputation, business process, & hiring
24. Finding Value
Business, technology and organizational values
Security : Finding bugs that everyone else missed
The “Ouch! an outsider just pwned your code” effect
Financial & Cost Effectiveness
Better Security Reputation In The Marketplace
Business, R&D process, talent pool/vetting
25. Case Study:
History:
Barracuda created their own bug bounty program 4.5 years ago after receiving a few submissions from outsiders
They recognized the value of more eyes and incentivizing them correctly
Built out a team to manage the program from end to end
26. Problem:
Too many team members having to spend time sifting through email submissions to find the quality reports
Too much overhead in working with finance to get a $50 (or any amount) PO created to send to a researcher
Spent a lot of resources engineering and maintaining their own report database on the backend
Solution:
Bugcrowd's Crowdcontrol platform maintains submission history across the board
Crowdcontrol handles all payment logistics, so a single check is cut to Bugcrowd and Bugcrowd handles the rest
Bugcrowd's management services handle the noise of the submissions so Barracuda's team can focus solely on the valid, serious reports
27. How to Run a Successful & Effective Program
Tips from Bugcrowd
Quality of Bugs, Types, Quantity and Severity
Finding bugs that others missed?
Attract Great Research Talent
28. Security Researcher POV
Is it worth it?
Am I breaking the law (globally, or in my country)?
Can I get a job?
Who is a “Researcher”, anyway?