Bug Bounty Tipping Point: Strength in Numbers
Recorded on September 21, 2016, Casey Ellis, Bugcrowd CEO and Kymberlee Price, Sr. Director of Researcher Operations, explore current trends in the bug bounty market.
Slide 1 (September 2016): Folks Leading the Discussion Today. Quick Bios.

Slide 2: Folks Leading the Discussion Today: Quick Bios
@caseyjohnellis: Founder and CEO, Bugcrowd. Recovering pentester turned solution architect turned sales guy turned entrepreneur.
@kym_possible: Senior Director of Researcher Operations, Bugcrowd. Data analyst, security evangelist, behavioral psychologist, former director of a Red Team.
Slide 3: Agenda: What Are We Covering Today?
1. What is a Bug Bounty?
2. Bug Bounty Industry Trends
3. Trends From the Researcher Community

Slide 4 (section divider): What Is a Bug Bounty?
Slide 5: What is a Bug Bounty? For Those of You Who Are New. Think of it as a competition, where independent security researchers all over the world find and report vulnerabilities to companies and their applications in exchange for rewards.

Slide 6: What Problem Do Bug Bounties Solve? Combat the Defender's Dilemma.
Slide 7: They Have Been Around For 20+ Years: Bug Bounty History. [Figure: "The History of Bug Bounties: Abbreviated Timeline from 1995 to Present", with milestones in 1995, 2002, 2004, 2005, 2007 and each year from 2010 through 2016, grouped into Early Bug Bounties, Breakthrough in Bug Bounties and Modern Bug Bounties. © Bugcrowd Inc. 2016]
Slide 8: What Does Bugcrowd Do? A Platform That Connects Organizations to the Researcher Community.
38,000+ Researchers, with specialized skills including web, mobile and IoT hacking. Our community is made up of tens of thousands of hackers from around the world.
Organizations Both Big and Small: making bug bounties easy for every type of company through a variety of Bug Bounty Solutions.

Slide 9 (section divider): State of Bug Bounty 2016: What Our Data Is Saying About the Industry.
Slide 10: Where Has All Our Data Come From? Our Success So Far
- 300+ total programs run on the Bugcrowd platform
- 64% private programs compared to 36% public
- 54K+ total vulnerability submissions made as of September 15, 2016
- $3M+ paid out to the crowd as of September 15, 2016
- 38K+ researchers in the crowd as of September 15, 2016
- 210% program growth

Slide 11: What We Know Today: Bug Bounties Have Reached a Tipping Point
- Quality: Compared with traditional testing methods, bug bounties present a significant advantage.
- Maturation: As this model matures, with private programs gaining traction, more organizations can tap into the crowd.
- Growth: More organizations are adopting this model, including large enterprises and traditional industries.
- Impact: Critical vulnerabilities are increasing in volume, along with the average payout per bug.
Slide 12: Considerable Growth in Program Types: Market Adopting Quickly. The total number of bounty programs being run is on the rise: a 210% increase year over year. Private programs are being adopted more quickly than public programs: 63% of all launched programs are private.

Slide 13: Growth Across Many Verticals: Industries Utilizing a Bug Bounty. Companies of all industry types are running bug bounty programs. As expected, computer software and internet-native companies have the widest adoption. "Non-traditional" industries (healthcare, financial services) have been rapidly adopting over the last 12 months.

Slide 14: Growth Across All Sizes of Organizations: SMB & Enterprise. Enterprises have been quickly adopting over the last 12 months, accounting for 11% of programs. 50% of programs are run by companies with 200 employees or fewer, due to the economic advantage.
Slide 15: What is Being Found? Volume of Valid & Original Vulnerabilities Over Time. Vulnerability Rating Taxonomy: http://bgcd.co/vrt-2016. More critical vulnerabilities are being submitted, and fewer non-critical vulnerabilities. Security researchers are getting more discerning about what they submit, and organizations are getting more prescriptive about the scope and goals of programs.

Slide 16: What is Being Found? Types of Vulnerabilities. Why so much XSS: http://bgcd.co/xss-big-bugs. XSS accounts for 66% of all valid submissions; CSRF is next highest at 20% of all valid submissions.

Slide 17: Why Is This Adoption Happening? Survey Results: Top value in running a bug bounty program. [Chart not reproduced in the slide text.]

Slide 18 (section divider): State of Bug Bounty 2016: What Our Data Is Saying About the Crowd.
Slide 19: Rapidly Growing Researcher Community: Currently 38,000+ Researchers.

Slide 20: Researchers Are Making Money: How Much Has Been Paid Out. $2,054,721 has been paid out to date to the global researcher community for 6,803 valid vulnerabilities found. Defensive Vulnerability Pricing Model: http://bgcd.co/dvpm-2016.

Slide 21: Rapidly Growing Researcher Community: From All Over the World.

Slide 22: Different Types of Researchers: Survey Data: Wide Range of Age & Education
- Graduate Degree: 12.76%
- Some Graduate School: 4.10%
- College Degree: 42.14%
- Some College: 28.70%
- High School Degree: 12.30%
Slide 23: Researcher Time Spent Hacking: Survey Data: Not Yet a Full-Time Thing for Most. 15% of the crowd is hacking on bug bounties as their primary source of income; 24% of the crowd are full-time developers; 18% of the crowd are full-time pen testers. Be on the lookout for our upcoming report on the Bugcrowd community.

Slide 24: Different Types of Researchers: Survey Data: Wide Range of Skills & Specialities.

Slide 25 (section divider): Key Takeaways: Where the Market Is Today and Where Is It Going?
Slide 26: What We Know Today: Bug Bounties Have Reached a Tipping Point (recap of slide 11: Quality, Maturation, Growth, Impact).

Slide 27: What We Know Today: Wide Range of Companies Adopting.
Slide 28: Multi-Solution Bug Bounty Model Gaining Traction: Not Just About Public Programs. Many organizations are utilizing different types of Bug Bounty Solutions:
- Public Ongoing Program: Engage the collective intelligence of thousands of security researchers worldwide. The perfect solution to incentivize the continuous testing of main web properties, self-sign-up apps, or anything already publicly accessible.
- Private Ongoing Program: Continuous testing using a private, invite-only crowd of researchers. The perfect solution to incentivize the continuous testing of apps that require specialized skill sets or that are harder to access.
- On-Demand Program: Project-based testing using a private, invite-only crowd of researchers. The perfect solution for testing new products, major releases, new features, or anything needing a quick test for up to two weeks.
Slide 29: Predictions and Challenges: Bug Bounties Have Reached a Tipping Point
- PREDICTION: The crowd will continue to diversify and mature, creating more opportunities for organizations to utilize bug bounties for increasingly complex applications.
- PREDICTION: Traditional testing methods will evolve to work alongside bug bounty programs.
- PREDICTION: Bug bounties will shift from a "nice to have" to a "must have" for most organizations.

Slide 30: Q&A. Download the full report here: http://bgcd.co/state-of-bug-bounty-2016