Bounty Operations: Best Practices and Common Pitfalls to Avoid in the First 6-12 Months

Conference:  BlackHat USA 2019

2019-08-08

Summary

The Bug Bounty Micro Summit discussed best practices for launching and running successful bug bounty programs, including the importance of taking a slow and steady approach, learning from submissions, and looking at products from an attacker's perspective. The panelists also discussed the need for bug bounty programs to become more inclusive and collaborative, and the potential for gamification and incident management to keep programs engaging and active.
  • Taking a slow and steady approach is important for launching successful bug bounty programs
  • Learning from submissions can teach vendors a lot about their products and how to strengthen them
  • Looking at products from an attacker's perspective can also improve their security
  • Bug bounty programs need to become more inclusive and collaborative
  • Gamification and incident management can help keep bug bounty programs engaging and active

One panelist discussed how their team had learned a lot from submissions to their bug bounty program, which had helped them improve their products and become a better team overall. Another panelist emphasized the need for bug bounty programs to be more inclusive and collaborative, and for researchers to work together to improve the overall ecosystem. Finally, a community manager discussed the potential for gamification and incident management to keep bug bounty programs engaging and active over the long term.

Abstract

Ever want to talk to someone who runs a bug bounty program and trade best practices and horror stories? Join this panel of bounty managers for real talk on signal vs. noise, ROI, interacting with bounty hunters, and all the little things they wish they'd known before learning the hard way. Panelists will share strategies for day-to-day operations, triage, and scope setting, and discuss which vulnerability types are found most often and why they still end up in production code after more than a decade of advances in security tooling and secure development practices.
