View this ondemand webinar here: https://pages.bugcrowd.com/7-bug-bounty-myths-busted-ondemand-webinar
About the content:
Despite thousands of large and small organizations running bug bounty programs, there is still a lot of fear and uncertainty about these in the cybersecurity community. In this recorded webinar we will explore 7 myths about Bug Bounty programs, the hackers who are involved, and the impact they are having on the security posture of organizations around the world.
After viewing this presentation and ondemand webinar you will:
1. Learn if a bug bounty program is right for your organization
2. Understand if a bug bounty encourages hackers to attack your systems
3. Explore the real benefits of bug bounty programs – and find out if they actually work
4. Get insight on whether these programs are too hard and costly to manage
What is a Bug Bounty?
For Those of You Who Are New
Think of it as a competition… where independent security researchers all over the world find and report vulnerabilities to companies in their applications, in exchange for rewards.
Poll (Single Select)
Question: I believe our organization’s security could be improved with the addition of a bug bounty program.
• Strongly agree
• Somewhat agree
• Neither agree nor disagree
• Somewhat disagree
• Strongly disagree
Why Are More Organizations Doing Bug Bounty Programs?
• Ballooning attack surface: we have debt to clear and we need to be able to plan for the future
• Active, efficient adversaries: a well-developed “offensive” economy
• Broken status quo: automation doesn’t provide enough coverage, and reliance on one-off consulting engagements
• Cybersecurity resource shortage: 209,000 in the USA alone
Why Do We Exist?
Platform That Connects Organizations to the Researcher Community
• 40,000+ Researchers: with specialized skills including web, mobile and IoT hacking. Our community is made up of tens of thousands of hackers from around the world.
• Organizations Both Big and Small: making Bug Bounties easy for every type of company through a variety of Bug Bounty Solutions.
A Radical Cyber Security Advantage
• A Crowd That Thinks Like An Adversary But Acts Like an Ally to Find Vulnerabilities
• A Platform That Simplifies Connecting Researchers to Organizations
• Security Expertise To Design, Support, and Manage Crowd Security Programs
Enterprise Bug Bounty Solutions & Hackers-On-Demand
7 Bug Bounty Myths
Myth #1: All bug bounty programs are ‘public’
False. Today, the majority of bug bounty programs are invite-only programs.
68% of programs are private
Best Practice: Start with a private program
• Learn how to scope and define program with fewer researchers
• Build processes and experience in receiving submissions
• Address specific security needs with curated crowd
Myth #2: Only tech companies run bug bounties
False. The bug bounty model has evolved to be effective and flexible for organizations of virtually any size or type.
Growth in programs is being driven by adoption across industries.
Top emerging segments:
• Automotive
• Medical Device
• Government
Myth #3: Running a bounty program is too risky
False. With a trusted partner, running a bug bounty program is no more risky than other, traditional security assessment methods.
Public disclosure incidents: .0005%
“You can very well quantify and control for the risks and rewards of using the crowd, such that in the end, the legal exposure that an organization has from using the crowd is basically the same as it would have from any other means of pen testing that you might traditionally buy from a pen testing provider.”
James Denaro, Founder of CipherLaw
• Programs incentivize good behavior
• Researchers want to do the right thing
• Using a platform where your program and researchers are managed “out of the box” is key
Myth #4: Bug bounties don’t attract talented testers
False. Many of our bug hunters are the most talented security researchers in the world, and many are full-time security professionals.
“We decided to run a bug bounty program to get access to a wide variety of security testers. Hiring security researchers is very difficult in today’s market... We have products that cover a wide variety of applications, using a wide variety of technologies, so we need security testing that can cover all those areas.”
Jon Green, Sr. Director of Security Architecture, Aruba
“Inside the Mind of a Hacker”: https://pages.bugcrowd.com/inside-the-mind-of-a-hacker-2016
Myth #5: They don’t yield high-value results
False. Bug bounties help organizations uncover high-quality vulnerabilities missed by traditional security assessment methods.
Vulnerability Rating Taxonomy: http://bgcd.co/vrt-2016
“We think of the bug bounty program as ‘part of this complete breakfast.’ You have all these internal activities, and the Bugcrowd program for us... is a nice supplement to those things, it catches bugs that our internal testing didn’t catch.”
Jim Hebert, Sr. Security Engineer, Fitbit
P1, P2, P3 % of submissions increasing dramatically
Myth #6: They’re too costly and hard to budget for
False. You can control your bug bounty budget, and we help make the best suggestion for your organization.
“Efficiency and effectiveness of the crowd is really why we bring them on... Because we have the crowd involved in the vulnerability management program, it’s helped in expanding of our team for a fraction of the cost. Now my internal resources are better utilized.”
David Baker, CSO, Okta
https://pages.bugcrowd.com/whats-a-bug-worth
Okta’s Bug Bounty Throughput
• 15 hours: avg time spent
• 220+: # of researchers
• 3500 hours: total testing time
• 2 full-time heads
Poll (Single Select)
Question: I believe we have enough staff and resources to deal with all of our security challenges.
• Strongly agree
• Somewhat agree
• Neither agree nor disagree
• Somewhat disagree
• Strongly disagree
Myth #7: Bounty programs are too hard to manage
False. With a trusted partner, bug bounty programs are easy, efficient and effective. You receive ready-to-fix, high value bugs.
Crowd + Platform + Expertise
• Reduce the program management load on your security team with an easy-to-use platform to manage programs and communicate with researchers
• Only receive and act on real vulnerabilities, with automated triage and expert validation of submissions
• Incentivize and reward researchers globally with automated, direct payment through our platform, with no commission on payouts
Multi Solution Bug Bounty Model Gaining Traction
Not Just About Public Programs
Engage the collective intelligence of thousands of security researchers worldwide.
• Private Ongoing Program: Continuous testing using a private, invite-only crowd of researchers.
• Public Ongoing Program: The perfect solution to incentivize the continuous testing of main web properties, self-signup apps, or anything already publicly accessible.
• On-Demand Program: Project-based testing using a private, invite-only crowd of researchers. Target new products, major releases, or anything requiring a short period of testing. Replace costly pen-tests.
Many organizations are utilizing different types of Bug Bounty Solutions.
Speaker Notes
JP: Point to drive home: We cast a wide net for this webcast, so assume that someone has never heard the term “Bug Bounty” before. Keep it simple.
CE: Point to drive home: We will “sell” ourselves a bit at the end of the press but quickly explain how Bugcrowd is the platform that connects a crowd currently at 38,000 to companies and their applications. Bugcrowd makes it easy to run bounty programs and delivers the crowd to achieve a radical security advantage for our customers. We run both private and public programs; quickly explain what each of those are in a sentence each.
JP transition to Casey
CE: Point to drive home: We just showed some stats on the trends, but anecdotally we surveyed and asked our customers why they were adopting the Bug Bounty Model. The collective creativity, volume of testers, and results-based model were the clear front runners. Explain what each of those means without sounding “salesy”.
CE: Point to drive home: We have reached a tipping point, it seems, where the number of programs being run is starting to quickly accelerate. More so, private programs are being adopted rapidly.
CE: Point to drive home: Plug the variety of solutions we offer and how utilizing all 3 is really paramount to full “Bug Bounty Coverage” and success.