AppSecUSA 2016: 'Your License for Bug Hunting Season'
•Download as PPTX, PDF•
2 likes•945 views
You don’t need a license for bug hunting season anymore. Bug bounty programs are becoming well established as a valuable tool in identifying vulnerabilities early. The Department of Defense has authorized its first bug bounty program, and many vendors are taking a fresh look. While the programs are highly effective, many questions remain about how to structure bug bounty programs to address the concerns that vendors and researchers have about controlling bug hunters, security and privacy, contractual issues with bug hunters, what happens if there is a rogue hacker in the crowd, and liability and compliance concerns. This presentation will cover the best practices for structuring effective bug bounty programs. Talk originally given at AppSecUSA 2016 | October 13, 2016
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (6)
Similar to AppSecUSA 2016: 'Your License for Bug Hunting Season'
Similar to AppSecUSA 2016: 'Your License for Bug Hunting Season' (20)
More from bugcrowd
More from bugcrowd (9)
Recently uploaded
Recently uploaded (20)
AppSecUSA 2016: 'Your License for Bug Hunting Season'
- 1. Your License for Bug Hunting Season James Denaro & Casey Ellis
- 2. Speakers 10/13/2016 Your License for Bug Hunting Season James Denaro Attorney, Founder of Cipher Law Casey Ellis Founder & CEO, Bugcrowd
- 3. Agenda Risk & Reward of Bug Bounties Addressing Two Main Areas of Concern: 1. Uncertainty 2. Liability Questions 10/13/2016 Your License for Bug Hunting Season
- 4. 10/13/2016 Your License for Bug Hunting Season Is it safe in the water?
- 5. 10/13/2016 Your License for Bug Hunting Season What are we really talking about? By W.carter - Own work, CC BY-SA 4.0, https://commons.wikimedia. org/w/index.php?curid=3497 9655
- 6. Uncertainty
- 7. Uncertainty FAQs • How do I budget for a bug bounty? • How do I know good hackers will test my apps? • How do I know I’ll get good results? 10/13/2016 Your License for Bug Hunting Season Top concerns for individuals looking into running a bug bounty program in next few years
- 8. Uncertainty: Results & Talent • Crafting your Program: – Program Type • Public vs. Private • Ongoing vs. On-Demand 10/13/2016 Your License for Bug Hunting Season How are researchers invited to private programs? measured by accuracy, activity, impact and trust
- 9. Uncertainty: Results & Talent • Crafting your Program: – Bounty Brief • In-Scope & Out-of-Scope • Rewards • Rules 10/13/2016 Your License for Bug Hunting Season
- 10. Additional Uncertainties • Budgeting • Processes • Getting internal buy-in • Legal questions 10/13/2016 Your License for Bug Hunting Season
- 11. Liability
- 12. #1 Most Frequently Asked Question What happens if a hacker goes rogue? • Logical • Procedural • Emotional • Legal 10/13/2016 Your License for Bug Hunting Season By YBS 999 (Own work) [CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons
- 13. Additional Liability/Legal Concerns • Contracts & NDAs • Who has liability for loss of data/business assets? • Personal liability? • Who has jurisdiction? 10/13/2016 Your License for Bug Hunting Season
- 14. Questions?
Editor's Notes
- These are the FAQs.
- Risk vs. Reward Jim: talk about what we’re really talking about Casey: Benefits are preemptive -> why aren’t we doing this? A lot of what we’re flushing out risks and rewards
- Risk vs. Reward Jim: talk about what we’re really talking about Casey: Benefits are preemptive -> why aren’t we doing this? A lot of what we’re flushing out risks and rewards
- People don’t know what the risks are, and it’s about control, fear of losing control to people we’ve been trained to distrust
- Image: Of individuals looking to run a program in the next few years, these are their perceived apprehensions Set context for this discussion – we do get a lot of questions about what to expect these concerns are understandable… 40,000 hackers 112 different countries Marketplace
- Jim jump in on public vs. private
- Tl:dr; you’re in control. This model has evolved from the wild wild west it was, and there are knobs and levers at your disposal to meet your business goals: Program type – public vs. private: use cases for both Ongoing vs. on-demand: use cases for both Writing your bounty brief: in-scope & out of scope Jim pipe in here to talk about that doing this in general is illegal… this is acts as a legal contract
- This section is highly connected to the previous sections, and the underlying issue is ‘control’ and responsibility
- Speak to this slide in foursteps: #1: Logic - the likelihood of a hacker finding a critical vulnerability, selling it on the dark web, and the bug being exploited is unlikely – in that time frame, another would have submitted it through the program (model supports this) and client would have fixed it – shadowbrokers cisco bugs in the wild, collision #2: Rules & Procedures – community terms, rules you must follow, default non-disclosure, ramifications for not following those rules are: banned temporarily or permanently #3: Emotional: we know the, their t-shirt size, etc. #4: Legal Address the root of this question… risk (Jim did a really good job of talking about risk in the webinar) and if you’re really concerned, go back and reference what we talked about earlier – private programs
- This section is highly connected to the previous sections, and the underlying issue is ‘control’ and responsibility