What Do Hackers Want from Bounty Programs?

Presented at Global AppSec - DC 2019, Sept. 12, 2019, 4:30 p.m. (45 minutes)

Bounty programs are all the rage these days, but what do hackers / researchers think of them? Drawing on my experience as a participant in multiple bounty programs, I want to discuss the ins and outs of how hackers work with companies, what they are looking for (hint: not just money), and how companies can improve their programs to attract more researchers.


Presenters:

  • Yakov Shafranovich
    I am a technology generalist focused on solving problems. Some of the things I have done include: developing visual SQL tools, contributing to mobile apps to help people get healthier, and helping non-profits preserve books. I also participated in the development of many anti-spam standards used today (SPF and DomainKeys), and created the Abuse Reporting Format (ARF - RFC 5965) used for exchanging spam reports by most ISPs today. Among other things, I authored RFC 4180, which documents the CSV format. My day job is doing application security, but by night I do independent security research. Some of my findings have included vulnerabilities in ASUS routers, Qualcomm's GPS chips and online pharmacies.
