Bounty Operations: Best Practices and Common Pitfalls to Avoid in the First 6-12 Months
Conference: BlackHat USA 2019
2019-08-08
Summary
The Bug Bounty Micro Summit discussed best practices for launching and running successful bug bounty programs, including the importance of taking a slow and steady approach, learning from submissions, and looking at products from an attacker's perspective. The panelists also discussed the need for bug bounty programs to become more inclusive and collaborative, and the potential for gamification and incident management to keep programs engaging and active.
- Taking a slow and steady approach is important for launching successful bug bounty programs
- Learning from submissions can teach vendors a lot about their products and how to strengthen them
- Looking at products from an attacker's perspective can also improve their security
- Bug bounty programs need to become more inclusive and collaborative
- Gamification and incident management can help keep bug bounty programs engaging and active
Abstract
Ever want to talk to someone that runs a bug bounty program and trade best practices and horror stories? Join this panel of bounty managers for real talk on signal vs noise, ROI, interacting with bounty hunters, and all the little things they wish they'd known before learning the hard way. Panelists will share strategies for day to day operations, triage strategies and scope setting, and chat about which vulnerability types are found most often and why they still end up in production code after over a decade of advances in security tooling and secure development practices.
Materials:
Tags: