Bug Bounty Evolution: Not Your Grandson's Bug Bounty

Conference:  Black Hat USA 2022

2022-08-11

Summary

The speaker discusses the importance of building a mature security process and workforce, rather than relying solely on bug bounty programs. They also announce the creation of a cybersecurity apprenticeship program and the decision to remain a bootstrapped startup.
  • Understanding the vulnerability handling process matters more than the amount of bug bounty money spent or the number of bugs found
  • Open up pen test contracts to bug bounty hunters, with tools, as a way to identify talent
  • Plan for cyber workforce attrition in key process roles
  • Fixing process is the cure for underlying security problems
  • Announcement of a cybersecurity apprenticeship program
  • Decision to remain a bootstrapped startup
The speaker mentions that in the early 2000s, they were a pen tester and got sick of coming back year after year to find the same bugs still open. This was because the organization didn't have enough people in different security roles internally to fix the issues and systematically eradicate them from future software development.

Abstract

Bug Bounties, once heralded as a security best practice, are growing stale without ever having brought the revolutionary security benefits and great ways to earn a living to the masses that proponents like me dreamed of. What have we been getting wrong and what can we do to save security and our souls? Before Google invigorated the bug bounty practice in 2010 by paying nearly triple the going rate that Mozilla set in the mid-1990s, bug bounty programs had received little fanfare during their previous 20 years of existence. Then, in 2013, when these programs were still not considered mainstream for most organizations, Microsoft launched its programs with the largest bounty amounts in the industry by any software vendor at the time. Then, in 2016 came Hack The Pentagon, and suddenly everyone was either running a bug bounty program or wanted to run one.

Where are we now and what have we learned since 2010? Were the myths of being able to compete on price with the offense market true or was it all just marketing by VC-backed bug bounty platforms? Is there an alternative solution for hackers who currently get treated like disposable workers? What's the best path forward for hackers, organizations, and the security industry now that we have seen over a decade of modern bug bounty programs in practice?

This talk is for the dreamers, the wishers, the post-modern risk economists, the hackers of labor systems, the destroyers of status quos. This is not your grandson's bug bounty.