7 Bug Bounty Myths
What Is a Bug Bounty? For Those of You Who Are New
Where independent security researchers all over the world find & report vulnerabilities to companies and their applications in exchange for rewards.
Think of it as a competition…
Poll (Single Select)
Question: I believe our organization’s security could be improved with the addition of a bug bounty program.
• Strongly agree
• Somewhat agree
• Neither agree nor disagree
• Somewhat disagree
• Strongly disagree
Why Are More Organizations Doing Bug Bounty Programs?
• Ballooning attack surface: we have debt to clear and we need to be able to plan for the future
• Active, efficient adversaries: a well-developed “offensive” economy
• Broken status quo: automation doesn’t provide enough coverage, and there is reliance on one-off consulting engagements
• Cybersecurity resource shortage: 209,000 in the USA alone
A New Way to Run Bug Bounties
Why Do We Exist? A Platform That Connects Organizations to the Researcher Community
40,000+ Researchers: With specialized skills including web, mobile and IoT hacking. Our community is made up of tens of thousands of hackers from around the world.
Organizations Both Big and Small: Making Bug Bounties easy for every type of company through a variety of Bug Bounty Solutions.
A Radical Cyber Security Advantage
• A Crowd That Thinks Like An Adversary But Acts Like an Ally to Find Vulnerabilities
• A Platform That Simplifies Connecting Researchers to Organizations
• Security Expertise To Design, Support, and Manage Crowd Security Programs
• Enterprise Bug Bounty Solutions & Hackers-On-Demand
7 Bug Bounty Myths
Myth #1: All bug bounty programs are ‘public’
False. Today, the majority of bug bounty programs are invite-only programs.
68% of programs are private.
Best Practice: Start with a private program
• Learn how to scope and define the program with fewer researchers
• Build processes and experience in receiving submissions
• Address specific security needs with a curated crowd
Myth #2: Only tech companies run bug bounties
False. The bug bounty model has evolved to be effective and flexible for organizations of virtually any size or type.
Growth in programs is being driven by adoption across industries.
Top Emerging Segments:
• Automotive
• Medical Device
• Government
Myth #3: Running a bounty program is too risky
False. With a trusted partner, running a bug bounty program is no more risky than other, traditional security assessment methods.
.0005% Public Disclosure Incidents
“You can very well quantify and control for the risks and rewards of using the crowd, such that in the end, the legal exposure that an organization has from using the crowd is basically the same as it would have from any other means of pen testing that you might traditionally buy from a pen testing provider.”
James Denaro, Founder of CipherLaw
• Programs incentivize good behavior
• Researchers want to do the right thing
• Using a platform where your program and researchers are managed “out of the box” is key
Myth #4: Bug bounties don’t attract talented testers
False. Many of our bug hunters are the most talented security researchers in the world, and many are full-time security professionals.
“We decided to run a bug bounty program to get access to a wide variety of security testers. Hiring security researchers is very difficult in today’s market... We have products that cover a wide variety of applications, using a wide variety of technologies, so we need security testing that can cover all those areas.”
Jon Green, Sr. Director of Security Architecture, Aruba
“Inside the Mind of a Hacker”: https://pages.bugcrowd.com/inside-the-mind-of-a-hacker-2016
Myth #5: They don’t yield high-value results
False. Bug bounties help organizations uncover high-quality vulnerabilities missed by traditional security assessment methods.
Vulnerability Rating Taxonomy: http://bgcd.co/vrt-2016
“We think of the bug bounty program as ‘part of this complete breakfast.’ You have all these internal activities, and the Bugcrowd program for us... is a nice supplement to those things, it catches bugs that our internal testing didn’t catch.”
Jim Hebert, Sr. Security Engineer, Fitbit
Myth #6: They’re too costly and hard to budget for
False. You can control your bug bounty budget, and we help make the best suggestion for your organization.
“Efficiency and effectiveness of the crowd is really why we bring them on... Because we have the crowd involved in the vulnerability management program, it’s helped in expanding our team for a fraction of the cost. Now my internal resources are better utilized.”
David Baker, CSO, Okta
https://pages.bugcrowd.com/whats-a-bug-worth
Okta’s Bug Bounty Throughput
• 15 hours: average time spent per researcher
• 220+ researchers
• 3,500 hours: total testing time
• 2 full-time heads
Poll (Single Select)
Question: I believe we have enough staff and resources to deal with all of our security challenges.
• Strongly agree
• Somewhat agree
• Neither agree nor disagree
• Somewhat disagree
• Strongly disagree
Myth #7: Bounty programs are too hard to manage
False. With a trusted partner, bug bounty programs are easy, efficient and effective. You receive ready-to-fix, high-value bugs.
Crowd + Platform + Expertise
• Reduce the program management load on your security team with an easy-to-use platform to manage programs and communicate with researchers
• Only receive and act on real vulnerabilities with automated triage and expert validation of submissions
• Incentivize and reward researchers globally with automated, direct payment through our platform, with no commission on payouts
Multi-Solution Bug Bounty Model Gaining Traction: Not Just About Public Programs
Many organizations are utilizing different types of Bug Bounty Solutions.
• Public Ongoing Program: Engage the collective intelligence of thousands of security researchers worldwide. The perfect solution to incentivize the continuous testing of main web properties, self-signup apps, or anything already publicly accessible.
• Private Ongoing Program: Continuous testing using a private, invite-only crowd of researchers. Incentivize the continuous testing of main web properties, self-signup apps, or anything publicly accessible.
• On-Demand Program: Project-based testing using a private, invite-only crowd of researchers. Target new products, major releases, or anything requiring a short period of testing. Replace costly pen-tests.
Key Takeaways
A Radical Cyber Security Advantage
• A Crowd That Thinks Like An Adversary But Acts Like an Ally to Find Vulnerabilities
• A Platform That Simplifies Connecting Researchers to Organizations
• Security Expertise To Design, Support, and Manage Crowd Security Programs
• Enterprise Bug Bounty Solutions & Hackers-On-Demand
Next Steps
Talk with a bug bounty expert: Bugcrowd.com/chat-with-us