To Bounty or Not to Bounty - Security@ Insights from 500 Organizations

Offered By: OWASP Foundation via YouTube

Course Description

Overview

Explore insights from 500 organizations on vulnerability disclosure programs in this AppSec California 2016 conference talk. Gain a comprehensive understanding of the surge in Security@ activity and learn about a weighted index framework for assessing program performance across six dimensions. Discover an analytical approach to running effective Security@ programs, whether you have an active bug bounty program or are just starting out. Benefit from Alex Rice's expertise as he shares lessons from his experience at Facebook and HackerOne, and learn how to shed blind dogma in favor of data-driven decision-making. Walk away with practical knowledge on metrics, response efficiency, and community engagement to enhance your organization's security collaboration efforts.

Syllabus

Intro
Facebook
HackerOne
A caveat
Who is this talk for
Different ways to answer
Vulnerability metrics
Response efficiency
Bar metrics
Example program
Do we bounty or not
Responsible disclosure
Community resources
State of the Internet
Bug bounty
Riot Games
Summary
Would you do a bug bounty
How do you deal with disclosures
Taught by

OWASP Foundation
