Practical Tips for Running a Successful Bug Bounty Program
Offered By: OWASP Foundation via YouTube
Course Description
Overview
Discover practical tips for running a successful bug bounty program in this 52-minute conference talk from AppSecUSA 2016. Learn about the history of bug bounties, the value of crowdsourced testing, and key considerations for implementing a program. Explore topics such as scope definition, managing expectations, communication strategies, and vulnerability rating taxonomies. Gain insights from experienced professionals who have managed hundreds of bug bounty programs, and understand how to effectively engage with security researchers. Delve into the challenges and benefits of bug bounty programs, including coordinated disclosure and business impact considerations. Conclude with a case study from Instructure to see real-world application of these principles.
Syllabus
Intro
Grant
Netscape "Bugs Bounty"
An (Abbreviated) History of Bug Bounties Since 1995
Do you really want to let people attack you?
Who are these people?
The Value of Crowdsourced Testing
Overview
But you never mentioned paying rewards!
Touch the code, pay the bug.
but first, Step 0
Scope
Focus
Exclusions
This is what a shared environment looks like...
Access
Manage Expectations
Communication is Key
Coordinated Disclosure
Define a Vulnerability Rating Taxonomy (VRT)
The Regular Methodologies
The Bughunter's Methodology
Consider the business impact!
Remember what it's all about.
Case Study: Instructure
Taught by
OWASP Foundation