Fad or Future - Getting Past the Bug Bounty Hype
Offered By: Black Hat via YouTube
Course Description
Overview
Explore the realities of bug bounty programs in this 51-minute Black Hat panel. Experienced bounty managers discuss the impact on application security, the signal-to-noise ratio of incoming reports, return on investment, and day-to-day interactions with bounty hunters. Learn about scoping, budgeting, vulnerability valuation, and effective communication with researchers. Hear why mature operational security (OPSEC) practice matters before launch, how competition between programs plays out, and how bug bounties complement existing security measures. Topics include private vs. public programs, vendor agreements, disclosure policies, and balancing rewards against budget. Understand team structures, handling low-quality bug reports, and getting application teams engaged. Get practical advice on prioritizing internally, weighing technical risk against business risk, and setting appropriate rewards and scope for your program.
Syllabus
Intro
About me
About the panelists
Scope of the bounty programs
Numbers and results
What is a bug bounty
What do you wish you'd known before launching
How to forecast and plan both resourcing and budget
Understanding the value of a vulnerability
Communication is key
Mature OPSEC practice
Competition
Complementing Security
Silent Circle
Training
Private vs Public
Vendor Agreements
Bug Bounty Program
Disclosure
Balancing the Bounty
Tactical Resources
Team Structure
Handling low-quality bugs
Low-quality bugs
Respect your research
Technical risk vs business risk
How to get application teams engaged
Prioritize internally
Technical vs business risk
Reward
Out of Scope
Rewards
Scope
Charles
Patrick F
Taught by
Black Hat