What Do Hackers Want from Bounty Programs?

Presented at Global AppSec - DC 2019, Sept. 12, 2019, 4:30 p.m. (45 minutes).

Bounty programs are all the rage these days but what do hackers / researchers think of them? Drawing on my experience as a participant in multiple bounty programs I want to discuss the ins and outs of how hackers work with companies, what they are looking for (hint: not just money) and how companies can improve their programs to attract more researchers.


Presenters:

  • Yakov Shafranovich
    I am technology generalist focused on solving problems. Some of things I have done include: developing visual SQL tools, contributing to mobile apps to help people get healthier, and helping non-profits preserve books. I also participated in the development of many anti-spam standards used today (SPF and DomainKeys), and created the Abuse Reporting Format (ARF - RFC 5965) used for exchanging spam reports by most ISPs today. Among other things I authored RFC 4180 which documents the CSV format. My day job is doing application security but by night I do independent security research. Some of my findings have includes vulnerabilities in ASUS routers, Qualcomm's GPS chips and online pharmacies.

Links:

Similar Presentations: