Bug Bounty Hunters: Lessons From Darth Vader

Presented at BSidesDC 2014, Oct. 18, 2014, 3:30 p.m. (50 minutes).

Darth Vader was a ruthless leader and considered by many to be one of the all-time greatest villains. But in fairness to Lord Vader, he set clear expectations for his staff, expected results, and was an early adopter when it came to the usage of bounty hunters to accomplish goals when his internal team wasn’t effective. The security industry, IT professionals, and developers have been failing for several decades by writing insecure code, not providing practical solutions, and generally failing the public. Yet, for some reason we have yet to be force-choked out of the industry. Lord Vader would find the lack of results disturbing.

This talk will discuss Lord Vader’s management tactics and how they can be applied to security teams today when implementing a bug bounty program. Further, the talk will provide analysis of aggregated vulnerability bounty information over the past several years as well as some profound insights on security researchers, quality of research, vendor disposition, disclosure trends, and the value of security vulnerabilities. Finally, it will cover what constitutes a solid bounty program as well as provide some thought-provoking insight that will lead to serious discussion about the state of bug bounties and the associated bounty hunters. Are they in fact living up to the hype of being an amazing resource for software security? Or will we realize that Admiral Piett was correct in what he said to Darth Vader; "Bounty Hunters. We don't need that scum."

Presenters:

• Jake Kouns - CISO at Risk Based Security
  Jake Kouns is the CISO for Risk Based Security and the CEO of the Open Security Foundation, that oversees the operations of the Open Sourced Vulnerability Database (OSVDB.org) and DataLossDB.org. Mr. Kouns has presented at many well-known security conferences including RSA, DEF CON, CISO Executive Summit, EntNet IEEE GlobeCom, FIRST, CanSecWest, SOURCE, SyScan and many more. He has briefed the DHS and Pentagon on Cyber Liability Insurance issues and is frequently interviewed by the media. Mr. Kouns is the co-author of the book Information Technology Risk Management in Enterprise Environments, Wiley, 2010 and The Chief Information Security Officer, IT Governance, 2011. He holds both a Bachelor of Business Administration and a Master of Business Administration with a concentration in Information Security from James Madison University. He has also been interviewed as an expert in the security industry by Information Week, eWeek, Processor.com, Federal Computer Week, Government Computer News and SC Magazine. He has appeared on CNN as well as the Brian Lehrer Show and was featured on the cover of the April 2010 Issue of SCMagazine. More found here: www.linkedin.com/in/jkouns/

Links:

• https://bsidesdc14.busyconf.com/schedule#activity_5382cddca9dc5f695700000b
• https://www.youtube.com/watch?v=vpgZfvN3AL8

Similar Presentations:

• BSides Austin 2016 / If You Can't Beat 'Em, Join 'Em: Tips For Running a Successful Bug Bounty Program
• GrrCON 2018 / Bounty Hunters
• Black Hat USA 2022 / Bug Bounty Evolution: Not Your Grandson's Bug Bounty