HI THIS IS URGENT PLZ FIX ASAP: Critical Vulnerabilities and Bug Bounty Programs

Presented at Black Hat USA 2015, Aug. 6, 2015, 3:50 p.m. (50 minutes)

No More Free Bugs led to Bug Bounties, but some people believe that bug bounty hunters are low quality script kiddies and the most talented researchers aren't participating. The emergence of bug bounty programs is increasing the volume of vulnerability submissions, but how many of those can be found by running an automated scanning tool? Are any really critical bugs being found in the sea of clickjacking and weak password policy reports? How do you separate the signal from the noise, and more importantly, how do you shift the balance of bug reports to greater signal/less noise overall? In this presentation we will discuss several highly critical vulnerabilities that have been uncovered through a variety of bug bounty programs and their impact on the customers. With participation from researchers and vendors, attendees will not only see some sweet vulnerabilities broken down, but also why wading through another submission from @CluelessSec might be worth it.

Presenters:

• Kymberlee Price - Bugcrowd
  With over 12 years experience in the information security industry, Kymberlee Price pioneered the first security researcher outreach program in the software industry. Price later was a principal investigator in the Zotob criminal investigation, and analyzed APT's at Microsoft. She then spent 4 years investigating product vulnerabilities in BlackBerry's Security Response Team followed by an offensive security role as the Director of the Synack Red Team. Today she is responsible for directing the efforts of Bugcrowd's global team of more than 16,000 security researchers, optimizing vulnerability reporting performance for customers and researchers, and aiding 'the Crowd' with ongoing skill development and overall success in Bugcrowd programs. Ms. Price holds a Bachelor of Science degree in Behavioral Psychology and a Bachelor of Science degree in Public Health Education. She has previously spoken at a number of conferences, including Black Hat USA, RSA, Kaspersky Security Analyst Summit, Metricon, and Derbycon.

Links:

• https://www.blackhat.com/us-15/briefings.html#hi-this-is-urgent-plz-fix-asap-critical-vulnerabilities-and-bug-bounty-programs
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2015/video/Black Hat USA 2015 - HI THIS IS URGENT PLZ FIX ASAP Critical Vulnerabilities And Bug Bounty Programs.srt (subtitles)
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2015/video/Black Hat USA 2015 - HI THIS IS URGENT PLZ FIX ASAP Critical Vulnerabilities And Bug Bounty Programs.mp4
• https://www.youtube.com/watch?v=SuDxYLWfGPo
• https://www.blackhat.com/docs/us-15/materials/us-15-Price-Hi-This-Is-Urgent-Plz-Fix-ASAP-Critical-Vulnerabilities-And-Bug-Bounty-Programs.pdf

Similar Presentations:

• Black Hat USA 2022 / Bug Bounty Evolution: Not Your Grandson's Bug Bounty
• AppSec USA 2016 / Your License for Bug Hunting Season
• BSides Austin 2016 / If You Can't Beat 'Em, Join 'Em: Tips For Running a Successful Bug Bounty Program