Lightning Talk - The hidden bug in public bug bounties

Presented at AppSec USA 2016, Oct. 13, 2016, 11:45 a.m. (10 minutes)

On the surface, public bug bounty programs look like a no-brainer. You invite a number of security researchers to find security issues in your application and you only pay for valid results. Who can say no to that? However, as we explore in this talk, for many organizations, launching a public bug bounty program is a buggy idea. It's like storming the castle before gathering systematic intelligence and planning strategic attacks. In this talk we will look at some of the challenges of public bug bounties, such as:

  • Low signal to noise, which drives up the cost per bug
  • Significant program management needed to run the program

We will look at the return on investment between running a public bug bounty program and engaging in more focused crowdsourced pen tests. We'll dive deeper into experiences drawn from the crowdsourced appsec industry over the last 4 years, as well as analysis of publicly accessible data in connection with data gathered from 200+ organizations running security programs on the Cobalt platform.

Presenters:

  • Jacob Hansen - CEO - Cobalt Labs
    Jacob Hansen is the CEO and Co-Founder of Cobalt Labs. Cobalt delivers crowdsourced pen tests and private bug bounties to modern organizations. Prior to founding Cobalt, Jacob was a consultant at Accenture in Copenhagen and London, where he delivered Enterprise IT Solutions for Fortune 1000 clients. As an advocate of crowdsourcing and cybersecurity, Jacob has been featured in Forbes, The Verge, and has spoken at various conferences internationally. Jacob's passion for technology extends to his personal life, where he is a crypto enthusiast and Co-Founder of Bitcoinfilm.org, a non-profit dedicated to sharing stories of bitcoin adoption around the world.
