Critical Vulnerabilities and Bug Bounty Programs

Explore critical vulnerabilities and bug bounty programs in this Black Hat conference talk. Delve into the world of cybersecurity research, examining the effectiveness of bug bounty programs and their impact on uncovering significant security flaws. Learn about highly critical vulnerabilities discovered through various programs and their consequences for customers. Analyze the balance between high-quality submissions and less impactful reports, and discover strategies for improving the overall quality of bug reports. Gain insights into different bounty models, submission frameworks, and prioritization techniques used by major tech companies. Evaluate the geographical distribution of researchers and the types of vulnerabilities they uncover. Discuss the challenges and benefits of bug bounty programs, including rapid triage, reward consistency, and performance feedback. Conclude with a call to action and engage in a question-and-answer session to deepen your understanding of this critical aspect of cybersecurity.

Intro
Agenda
Disclaimer
Google VRP
Google Bounty Program
Google Researcher Location Data
Facebook Bounty Program
Facebook 2014 Report
GitHub Bug Bounty
Microsoft Bug Bounty
Microsoft Online Services Bounty
Acknowledgements
Different Bounty Models
Bounty Data
Customers
Submissions
Rewards
High Priority Critical
Who is finding these bugs
Submissions by geography
Google
Facebook
Delete Photos
Simple Simple
Smartsheet
Import User Bug
Upload Import Bug
Tesla Bug Bounty
Authentication Bypass Bug
Submission Framework Expectations
Other Companies
Other Resources
Out Of Scope
Direct Performance Feedback
Rapid triage prioritization
LastPass prioritization
Is it worth it
SLA
Stop rewarding bad behavior
Reward consistently
Conclusions
Call To Action
Question Time