Security Evolution - Bug Bounty Programs for Web Applications

Offered By: LASCON via YouTube

Course Description

Overview

Explore the evolution of web application security through bug bounty programs in this 37-minute conference talk by Michael Coates from Mozilla at LASCON 2012. Delve into the history, types, and characteristics of bug bounty programs, understanding their importance in enhancing cybersecurity. Learn about Mozilla's bug bounty program, including issue types, payouts, and qualifying bugs. Gain insights into the benefits, lessons learned, and ethical considerations surrounding these programs. Address common concerns such as cost, attacker motivation, and potential duplication of internal work. Discover how bug bounties complement existing security measures and prepare organizations for implementing successful programs.

Syllabus

Introduction
Web Bounty Programs
History of Bug Bounty Programs
Types of Bug Bounty Programs
General Characteristics of Bug Bounty Programs
Why Launch a Bug Bounty Program
Mozilla Bug Bounty Program
Types of Issues
Issues found
How much Mozilla paid out
Bugs that qualify
Bug Bounty Graph
Benefits
Lessons Learned
What would you say
Why do you do this
Bug bounties are enhancement
Prepare
Do Anything
Encourages Attackers
Cost
Attackers
Duplicate Internal Work
Black Market
Ethical Considerations
Wrap Up
Good Questions


Taught by

LASCON
