AppSec Europe 2016 has ended
Friday, July 1 • 16:15 - 17:00
Running a bug bounty: what you need to know.


Having a bug bounty program is one of the most cost-effective and productive methods of finding security vulnerabilities today. Bug bounty programs provide substantial value in terms of findings, only require payment for valid results, and bring a level of depth via manual testing that goes beyond the capabilities of scanners and other traditional pen-testing tools – often serving as a valuable complement to automated testing. But, as anyone who has tried to run a bug bounty program knows, it's no simple or small undertaking... 

As professionals who have helped to create and manage hundreds of bug bounty programs, we're uniquely positioned to cover key bounty concepts and provide advice on how to run a successful bug bounty program. Whether you're already running a bug bounty program, looking to run one, or are a researcher who participates in programs, this talk aims to deepen your knowledge on the subject. 

The talk will be broken up into two parts: 

1) The first segment will cover setting up a bug bounty program, including specific tips/guidance for creating a successful program. Having set up and run a range of bounty programs – some requiring more work than others – we will share invaluable insights into what it takes to make a program successful. Some of the key concepts and questions that will be covered include (but are not limited to): 

Scoping - how to focus researchers on the targets that matter to you. What considerations should you make when setting your scope? 
Compensation - how much should you pay, and what does that get you? 
Public vs. private bounties - is this open to the world, or only a select group? 
Managed vs. self-managed - are you planning on processing all the vulnerabilities yourself, or do you plan to outsource the initial processing of submissions? 
Getting the most out of your program - thoughts on what should be in/out of scope, standard exclusions, and other information to provide researchers with everything they need to be successful. 
Your promise to the researchers - response times, communication, and public disclosure. What do you bring to the table? 
Researcher engagement and participation - how do you keep researchers engaged and participating in your program? 
Access, etc - how will researchers be testing your app? Credentials/access/etc? 

2) The second segment will cover the validation and processing of researchers' submissions. Using the experience we've gained from having processed tens of thousands of researcher submissions, we will provide insight into the back end of security operations for a bug bounty program. Key topics include: 

Tips for evaluating researcher submissions - anyone who has run a bounty knows the submission volume can be overwhelming at times. How do you deal with and process these submissions? 
What makes up a good report? - some thoughts for researchers, on how to write quality submissions. 
Communicating with researchers - how do you communicate with researchers, deal with unhappy researchers, etc? 
Thoughts on recommended vulnerability priority ratings - what priority level and payout should you give for any given vulnerability? 
Working with a team - some real-world learning experiences and tips for working as a team and applying those lessons to issues as they arise. 
And of course, some classic submission horror stories… 

By the end of the talk, attendees who managed to stay awake will have a behind-the-scenes understanding of how to successfully set up, run, and participate in a bug bounty program.


Shpend Kurtishaj

Shpend Kurtishaj is an occasional bounty hunter himself, and works for Bugcrowd (a crowdsourcing bug bounty platform), helping run and manage clients' bounty programs. He's worked on hundreds of bounty programs, processed thousands of submissions, and has a litany of valuable insights...

Grant McCracken

Solutions Architect, Bugcrowd
Grant is currently the Director of Program Operations and Solutions at Bugcrowd, and has been in the application security space for the last eight years, and in bug bounties for the last five. He's gotten his OSCP, given talks at AppSec USA and EU, and enjoys helping others get into...

Friday July 1, 2016 16:15 - 17:00 CEST
Room D (Tiziano Ballroom Sec. 3)