Bug Bounty Programs - Successfully Controlling Complexity and Perpetual Temptation

Explore the intricacies of bug bounty programs in this informative conference talk from AppSecUSA 2017. Gain insights from a panel of industry experts as they discuss successful strategies for controlling complexity and managing perpetual temptation in bug bounty initiatives. Learn about different types of programs, scope limitations, private vs. public approaches, and effective controls. Discover the lifecycle of bug bounty programs, legal considerations, vulnerability databases, and payment frameworks. Delve into topics such as setting expectations, fixing security vulnerabilities, and addressing false positives and negatives. Understand the benefits and legal risks associated with bug bounty programs, as well as ethical considerations and payment systems. Enhance your knowledge of this crucial aspect of application security through the experiences and expertise shared by leaders from PayPal, Stroz Friedberg, ITSPmagazine, Gotham Digital Science, and Baker and McKenzie LLP.

Introduction
Panel
Introductions
How Many Companies Have Bug Bounty Programs
First Payout for a Hacker
Types of Bug Bounty Programs
Limiting Your Scope
Starting Private
Static Code Analysis
Private Program
Private vs Public
Most Effective Control
Hybrids
Lifecycle
Global vs US
Poorly defined scope
Inhouse counsel
Product development
Legal IR
Vulnerability database
When researchers get paid
Paying upfront
Setting expectations
Signing up for bugs that dont promise to pay
Fixing security vulnerabilities
Consistency
Audience Question
Public vs Private Disclosure
Sharing
False Negatives
Benefits
Legal Risks
False Positive Rates
Transferring Findings
Payment Systems
Payment Frameworks
Ethical Behavior
Ban Everyone
Facebook Bounty
Bitcoin Bounty
Summary