Decoding Bug Bounty Programs

Presented at DerbyCon 3.0 All in the Family (2013), Sept. 27, 2013, 5 p.m. (50 minutes).

Let’s deconstruct the world of digital bounty hunters.

Amid the growing trend to “crowd source” services, a few progressive enterprises are taking a new approach to information security. A potential game-changer, these companies are shifting the traditional model of IT risk assessment by opening their doors — and their wallets — to freelance hackers who break in without fear of legal repercussions. Bug Bounty Programs pay cash money to hackers for responsibly disclosing security vulnerabilities on production applications and networks.

From the vantage point of the bounty hunter, this presentation will examine who these freelance hackers are, their motivations, and their perspective on the value of bug bounty programs. It is equally important to understand the perspective of the individuals who run these programs, how the programs fit into a comprehensive information security framework, and the key successes and failures to date of this new crowd-sourced model. As part of this, the discussion will review metrics from an existing program and highlight some of the more interesting bugs discovered.

Ultimately, what is the future for these bug bounty programs? Will they disrupt the existing marketplace for professional security consulting services by offering a cheaper, more effective crowd-sourced approach? Or are these programs simply a tool for the most advanced, most daring companies to take their security programs to the next level?

Presenters:

  • Jon Rose
    Hacker, developer, product manager, and trainer, Jon Rose has been working in the security industry for his entire career. His current mission is to make security accessible to developers, startups, and service providers through a variety of ventures. Outside technology, his other interests include running, camping, coffee, robots, and beer. http://www.linkedin.com/in/jrose400