Friday, July 1 • 16:15 - 17:00
Running a bug bounty: what you need to know.


Having a bug bounty program is one of the most cost-effective and productive methods of finding security vulnerabilities today. Bug bounty programs provide substantial value in terms of findings, only require payment for valid results, and bring a level of depth via manual testing that goes beyond the capabilities of scanners and other traditional pen-testing tools – often serving as a valuable complement to automated testing. But, as anyone who has tried to run a bug bounty program knows, it's no simple or small undertaking...

As professionals who have helped to create and manage hundreds of bug bounty programs, we're uniquely positioned to cover key bounty concepts and provide advice on how to run a successful bug bounty program. Whether you're already running a bug bounty program, looking to run one, or are a researcher who participates in programs, this talk aims to deepen your knowledge on the subject.

The talk will be broken up into two parts: 

1) The first segment will cover setting up a bug bounty program, including specific tips/guidance for creating a successful program. Having set up and run a range of bounty programs – some requiring more work than others – we have gathered some invaluable insights into what it takes to make a program successful. Some of the key concepts and questions that will be covered include (but are not limited to):

Scoping - how to focus researchers on the targets that matter to you. What considerations should you make when setting your scope? 
Compensation - how much should you pay, and what does that get you? 
Public vs. private bounties - is this open to the world, or only a select group? 
Managed vs. self-managed - are you planning on processing all the vulnerabilities yourself, or do you plan to outsource the initial processing of submissions? 
Getting the most out of your program - thoughts on what should be in/out of scope, standard exclusions, and other information to provide researchers with everything they need to be successful. 
Your promise to the researchers - response times, communication, and public disclosure. What do you bring to the table? 
Researcher engagement and participation - how do you keep researchers engaged and participating in your program? 
Access, etc - how will researchers be testing your app? Credentials/access/etc? 

2) The second segment will cover the validation and processing of researchers' submissions. Using the experience we've gained from having processed tens of thousands of researcher submissions, we will provide insight into the back end of security operations for a bug bounty program. Key topics include: 

Tips for evaluating researcher submissions - anyone who has run a bounty knows the submission volume can be overwhelming at times. How do you deal with and process these submissions?
What makes up a good report? - some thoughts for researchers, on how to write quality submissions. 
Communicating with researchers - how do you communicate with researchers, deal with unhappy researchers, etc? 
Thoughts on recommended vulnerability priority ratings - what priority level and payout should you give for any given vulnerability? 
Working with a team - some real-world learning experiences and tips for working as a team and applying those lessons to issues as they arise. 
And of course, some classic submission horror stories… 

By the end of the talk, attendees who managed to stay awake will have a behind-the-scenes understanding of how to successfully set up, run, and participate in a bug bounty program.

Speakers

Shpend Kurtishaj

Shpend Kurtishaj is an occasional bounty hunter himself, and works for Bugcrowd (a crowdsourcing bug bounty platform), helping run and manage clients' bounty programs. He's worked on hundreds of bounty programs, processed thousands of submissions, and has a litany of valuable insights to share in the world of bug bounties. Shpend works as an Application Security Engineer who helps process and validate incoming submissions to bounty programs. He...

Grant McCracken

Solutions Architect, Bugcrowd
Grant has been with Bugcrowd, a crowdsourced cybersecurity solution, for roughly two years - initially helping process bounty submissions as an Application Security Engineer/Analyst, and later transitioning to his current role of Solutions Architect. With a background in appsec, and as an occasional bug hunter himself, he offers a unique perspective to Bugcrowd clients - helping them create, set up, and manage successful bounty programs across a...


Friday July 1, 2016 16:15 - 17:00
Room D (Tiziano Ballrom Sec. 3)

Attendees (20)