[Webinar] The Art & Value of Bug Bounty Programs

May 20 2015

Uploaded by: bugcrowd

Posted on 07-Aug-2015


TRANSCRIPT

Page 1: [Webinar] The Art & Value of Bug Bounty Programs

May 20 2015

Page 2:

Agenda

Introductions

Bug bounty program evolution

Common myths and misconceptions

Lessons from Barracuda's Bug Bounty program

How businesses and technology derive value from bug bounty programs

The art of running a successful & effective bug bounty program

Page 3:

@caseyjohnellis

https://bugcrowd.com

[email protected]

CEO & Co-Founder

Page 4:

@k3r3n3

http://k3r3n3.com

Industry Analyst & Author

Page 5:

Page 6:

Source: "25 Years Of Vulnerabilities: 1988-2012 Sourcefire Research Report"

Page 7:

Page 8:

Page 9:

Page 10:

@K3r3n3

Page 11:

Bug Bounty Programs

Page 12:

Source: 1995 PR Newswire Association, The Free Library

Page 13:

History of Bug Bounties

Timeline (years shown on the slide): 1995, 2002, 2004, 2005, 2007, 2010, 2011, 2012, 2013, 2014, 2015

Page 14:

Finifter, Matthew, Devdatta Akhawe, and David Wagner. "An Empirical Study of Vulnerability Rewards Programs." USENIX Security. Vol. 13. 2013.

Page 15:

Page 16:

Your Elastic Security Team.

Page 17:

These brands (and others) trust Bugcrowd…

Page 18:

Source: www.bugcrowd.com/list-of-bug-bounty-programs

Adoption Across Industries

Technology

Software

Hardware

Automotive & Air Travel

Consumer Electronics

Financial Services

Page 19:

Page 20:

Common Questions:

What will we have to do, as a company?

Who else can see our vulnerability data?

Where's the value – and is it worth it?

Who are these "Researchers", anyway?

Can we hire them?

Page 21:

Interactive Poll Question #1

What is the most common barrier for bug bounty adoption?

Organization is not mature enough to support a program

Not sure how to engage directly with hacker community

Concerns over control of security operations and process

Perceived high operational cost vs uncertain business value

Page 22:

Initial Research Findings

Organizations can benefit from flexible security testing by a large community, which is sometimes a more time- and cost-effective approach

A trusted intermediary can help eliminate common "control" issues

Value isn't just in security: it's reputation, business process, & hiring

Page 23:

Page 24:

Finding Value

Business, technology and organizational values

Security: Finding bugs that everyone else missed

The "Ouch! an outsider just pwned your code" effect

Financial & Cost Effectiveness

Better Security Reputation In The Marketplace

Business, R&D process, talent pool/vetting

Page 25:

Case Study:

History:

Barracuda created their own bug bounty program 4.5 years ago after receiving a few submissions from outsiders

They recognized the value of more eyes and incentivizing them correctly

Built out a team to manage the program from end to end

Page 26:

Case Study:

Problem: Too many team members having to spend time sifting through email submissions to find the quality reports

Too much overhead in working with finance to get a $50 (or any amount) PO created to send to a researcher

Spent a lot of resources engineering and maintaining their own report database on the backend

Solution: Bugcrowd's Crowdcontrol platform maintains submission history across the board

Crowdcontrol handles all payment logistics, so a single check is cut to Bugcrowd; we handle the rest

Bugcrowd's management services handle the noise of the submissions so Barracuda's team can focus solely on the valid, serious reports

Page 27:

How to Run a Successful & Effective Program

Tips from Bugcrowd

Quality of Bugs, Types, Quantity and Severity

Finding bugs that others missed?

Attract Great Research Talent

Page 28:

Security Researcher POV

Is it worth it?

Am I breaking the law (globally, or in my country)?

Can I get a job?

Who is a "Researcher", anyway?

Page 29:

Continue the Conversation

What benefit do you value the most from a bug bounty / vulnerability discovery program?

Page 30:

Go Find Some Bugs…

Thank You!

@k3r3n3

@caseyjohnellis

@bugcrowd