Leveling Up Your Bug Bounty Program

Offered By: LASCON via YouTube

Tags

LASCON Courses
Cybersecurity Courses
Risk Management Courses
Penetration Testing Courses
Vulnerability Assessment Courses

Course Description

Overview

Explore the world of bug bounty programs in this 31-minute LASCON conference talk by Charles Valentine, VP of Technology Services at Indeed.com. Discover why top security programs are leveraging diverse skill sets to reduce risk, learn about potential pitfalls, and understand when to deploy or avoid these programs. Gain insights from Indeed's two-year Bug Bounty program experience, focusing on real-world examples of business logic flaws and high-priority vulnerabilities discovered despite existing security testing processes. Delve into topics such as risk assessment, various bug-catching approaches, objections from product and engineering teams, metrics-driven strategies, and the evolution of Indeed's program. Examine the impact on security teams, response times, and payout structures. Learn how to effectively work with the crowd, reduce workload, and involve engineers in security initiatives. Explore innovative approaches like Lockpicking Happy Hour and Firewall Free Fridays, and discover the importance of education and internal security challenges in fostering a strong security culture.

Syllabus

Intro
Agenda
Mission
Mantra
Security team
Environment
Data Centers
Risk vs Threat
When to catch bugs
Big hammer approach
Pen testing
Bug bounties
What gets tested
Objections from product and engineering
Bugcrowd
Points only bug bounty
Metrics driven
Starting to pay
Reports of tickets
How's it going
Average payout
Response time
Reward breakdown
Payout breakdown
Average payouts
Severity of bugs
Marketing push
Working with the crowd
Reducing workload
External security team
Independent testers
Making mistakes
Would we do it again
Getting engineers involved
Lockpicking Happy Hour
Firewall Free Fridays
Classes
Internal blog
Security bugs
Education
Security challenges
XML
Password Shadow
XSS
QA
Points
Taught by

LASCON
