YoVDO

An Oral History of Bug Bounty Programs

Offered By: YouTube

Tags

Security BSides Courses, Cybersecurity Courses, Vulnerability Research Courses

Course Description

Overview

Explore an oral history of bug bounty programs in this BSides Nashville 2018 conference talk. Delve into the evolution of vulnerability disclosure, from the Rain Forest Policy to the Trustworthy Computing Memo. Examine the impact of disclosure on driving action and the emergence of vendor-agnostic bounty programs. Learn about Bug Bounty as a Service (BBaaS) and the developing exploit intelligence marketplace. Analyze lessons from the Hacking Team leak and the role of vulnerability brokers. Investigate how bounty programs are affecting exploit development and their influence beyond security patches. Consider the implications of living in the Shadow Brokers reality and the impact on NSA and CIA tools. Discover how Pwn2Own has inspired improvements and the benefits for security researchers in this comprehensive overview of the bug bounty ecosystem.

Syllabus

Intro
A bit about me
The Nature of Disclosure
Rain Forest Policy (RFPolicy)
The Trustworthy Computing Memo
Disclosure Drives Action
Remember Netscape?
Vendor Agnostic Bounty Programs
How vendor agnostic bounties work
Bug Bounty as a Service (BBaaS)
Evolving Marketplace
Exploit Intelligence Marketplace
Economy in Action
Lessons from Hacking Team Leak
How to Get 0day: Vulnerability Brokers
Bounty Programs Killing Exploits
Beyond Just Security Patches
Living in the Shadow Brokers Reality
Killing NSA's Tailored Access Operation exploits
Shades of Stuxnet
Killing CIA's Closed Network Infiltration Tool
Pwn2Own Inspired Improvements
Benefits to Researchers
Conclusion


Related Courses

Ethical Hacking in 15 Hours - 2023 Edition - Learn to Hack
Cyber Mentor via YouTube
Contextomy - Let's Debug Together
nullcon via YouTube
macOS Security Features Bypasses by Example
nullcon via YouTube
Exploiting Android Messengers with WebRTC
nullcon via YouTube
XNU Heap Exploitation - From Kernel Bug to Kernel Control
nullcon via YouTube