Don't let bug bounty kill your appsec posture

Bug bounty is a wonderful thing, and over the last few years it has completely overturned the industry focus, where more and more organizations direct money and resources to operating thriving programs. But there is another side to bug bounty - the side that can side-track your entire appsec strategy. As bug bounty becomes more and more popular, more and more researchers focus on scale and wide-spread issues that can be discovered by automation, rather than spending their time on deeper technical research of a particular target. Your team might easily get bombarded with low impact (valid) issues such as subdomain takeovers and XSS on random domains, and less and less focused on higher risk issues that require deep technical understanding. While this can be sometimes subverted by carefully aligning your scope and educating your researchers, you might end up spending more time on refining your program than on actually solving issues. As an enthusiastic bug bounty researcher myself, I truly believe in bug bounty. As an appsec manager, I understand bug bounty will never be enough to replace penetration testing. In this talk I’ll cover some of the pitfalls we fell into within our own program, and how you need to calibrate your expectations from bug bounty - and perhaps recalibrate your appsec strategy.