Fad or Future? Getting Past the Bug Bounty Hype

Presented at Black Hat USA 2017, July 27, 2017, 9:45 a.m. (50 minutes)

Ever want to talk to someone that runs a bug bounty program and get the real scoop on its impact to application security? Whether your company has a bounty program or is considering starting one, join this panel of bounty managers for real talk on signal vs noise, ROI, interacting with bounty hunters, and all the little things they wish they'd known before learning the hard way. Panelists will share strategies for day to day operations, handling conflicts and unsolicited disclosure, triage strategies and scope setting, and chat about which vulnerability types are found most often and why they still end up in production code after over a decade of advances in security tooling and secure development practices.


Presenters:

  • Angelo Prado - Director, Product Security, salesforce.com
    Angelo Prado is a Director, Product Security Manager at Salesforce.com and an independent security researcher. He has worked as a software and application security engineer for Salesforce, Microsoft, and Motorola. Mr. Prado has a proven record of leading engineering teams of highly trained product security engineers by providing effective application security and building a robust and respected security practice. He is directly responsible for launching and managing one of the largest bug bounty programs in the industry. Mr. Prado is one of the leading contributors to BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext), a security exploit against SSL which leverages a compression side channel to derive secrets from the ciphertext in an HTTPS stream. As a thought leader of the security community, Mr. Prado frequently speaks at major conferences worldwide, including Black Hat USA, Black Hat Asia, ToorCon, SecTor, Hacker Halted, TakeDownCon, SC Congress, Comillas University, and Georgetown University. Angelo Prado holds a Master's degree in Computer Science from Universidad Pontificia Comillas, Madrid, where he currently teaches a graduate class (Master's Degree in Security & Telecommunications Engineering) as an associate professor. He has also attended the University of Illinois at Urbana-Champaign. His passions and research include web application security, Windows security, web browsers, machine learning, malware analysis and side channels. Some of Mr. Prado's recent disclosures include: "SSL, Gone in 30 Seconds - a BREACH Beyond CRIME" (US-CERT, MITRE: CVE-2013-3587), presented at Black Hat USA 2013 (Las Vegas); "Browsers Gone Wild", presented at Black Hat Asia 2015 (Singapore); Resin Pro improperly performs Unicode transformations (US-CERT, NIST: CVE-2014-2966); Mail in Apple iOS 6 allows remote attackers to spoof attachments (US-CERT, NIST: CVE-2012-3730); Microsoft Security Researcher Acknowledgments for Online Services (TechNet: 2012, 2013, 2015); Internet Explorer Information Disclosure Vulnerability (CVE-2015-2414).
  • Kymberlee Price - Open Source Security Management Lead, Microsoft
    With over 13 years' experience in the information security industry specializing in application security incident response and investigations, Kymberlee Price got her start by pioneering the first security researcher outreach program in the software industry at Microsoft. Ms. Price was later a principal investigator in the Zotob criminal investigation, and analyzed APTs at Microsoft. She then spent 4 years investigating product vulnerabilities in BlackBerry's Security Response Team. After three years directing the efforts of Bugcrowd's more than 50,000 Crowd members in web application, mobile application, IoT and host infrastructure penetration testing, Ms. Price has returned to Microsoft and her passion for securing applications and services that utilize open source and third-party libraries. Ms. Price previously co-chaired the Department of Commerce NTIA Working Group on Multi-Party Vulnerability Disclosure and speaks regularly on vulnerability management and product incident response best practices at events including Black Hat USA, RSA, Kaspersky Security Analyst Summit, Nullcon, and Metricon.
  • Lori Rangel - Director of Product Management, Silent Circle
    Lori Rangel is currently the Director of Product Management at Silent Circle, an encrypted communications company and the developer of the Blackphone 2 and Silent Phone. Over the past 18 years, she has worked in various IT functions in the accounting, payroll and now secure communications industries. She was part of the first team at Silent Circle to bring world-class, peer-to-peer encrypted communications to the enterprise market for Android and iOS.
  • Charles Valentine - VP of Technology Services, Indeed
    Charles Valentine is the VP of Technology Services at Indeed, the #1 global job search engine. Indeed currently operates in more than 60 countries and 28 languages, serving over 180 million monthly job seekers from multiple data centers located around the globe, while maintaining better than 99.999% availability and sub-second response times. Charles is responsible for Indeed's infrastructure operations and engineering, security, business intelligence, IT application development, and IT helpdesk. During his tenure, Charles has helped build and grow a global team of technology experts. Prior to Indeed, Charles was VP of Technology Services at XO Group, where he was responsible for the technology and systems that ran theknot.com, thenest.com, and thebump.com; prior to XO Group, Charles was the head of engineering and operations for texas.gov. Charles holds a Bachelor of Science in Electrical Engineering from Texas Tech University. He lives in Austin, Texas, with his family.