SOURCEConf Boston 2014 - 5,500 hackers + Your code = ???

There's an asymmetry in the way we approach security today... The threat takes the form of lots of hackers, with lots of different skill-sets and diverse motivations, and the majority of them aren't being paid by the hour to attack your stuff. Contrast this with the paid-by-the-hour consultants and in-house resources. It's not that the good guys aren't smart, it's that the model is fundamentally disadvantaged. Crowdsourcing security testing through bug bounty programs engages a crowd of "good guys who think like bad guys" and economically incentivizes them the same way the bad guys are. Casey likes solving problems. He's the Founder and CEO of Bugcrowd, a company which provides a platform to manage bug bounty programs. He's also an Aussie who has difficulty with words that end with "er".

  1. 8,100 hackers + Your apps = ??? (SourceCONF Boston 2014)
  2. Why are we here?
  3. About me: @caseyjohnellis. JABAH (Just Another Blonde Aussie Hacker). Recovering pentester turned solution architect turned entrepreneur. Wife and two kids, now living in San Francisco. Founder and CEO of Bugcrowd.
  4. What’s a bug bounty program?
  5. History (chart; y-axis 0 to 500, x-axis 1995 to 2015)
  6. It’s not just about being cheap, or loud…
  7. It’s about leveling the playing field.
  8. Black/gray hat economics. Goal: Exploit the bug and keep it alive. Resources: Many hackers/skill-sets/motivations/time. Incentive: Paid for results.
  9. White hat economics. Goal: Find the bug and kill it. Resources: Single sets of eyes. Incentive: Paid for effort.
  10. Bug bounty economics: A white hat goal with black/gray market economics and resourcing.
  11. CASE STUDY: Wordpress Sprint Bounty + 5 Plugins. Reward pool: $10,000, 2 weeks elapsed. Rewards: $2,500 1st, $1,000 2nd, $500 3rd, $250 All Others (or the remainder divided by number of valid unique bugs, whichever is lower).
  12. CASE STUDY: Wordpress Sprint Bounty + 5 Plugins. 349 researchers participated. 243 security submissions from 23 countries. 7 unauth’d to full privilege 0-day vulnerabilities.
  13. CASE STUDY: Wordpress Sprint Bounty + 5 Plugins. 67 rewardable issues. $142.86 deduplicated cost per issue. 16 active security researchers in first hour. 8 hours effort in first elapsed hour.
  14. CASE STUDY: Wordpress Sprint Bounty + 5 Plugins. $10,000 VS 5 days of effort: 5 days of effort in the first 8 hours of the bounty… across 349 separate sets of eyes.
  15. “With many eyes all bugs are shallow” - Linus’ Law
  16. Really? GnuTLS goto fail (Credit: Veracode). Heartbleed (Credit: Veracode).
  17. Linus was (a little bit) wrong.
  18. Developer Incentive: Make it work.
  19. Security Incentive: “Hey, I found a bug!”
  20. Who is doing this well right now?
  21. “With many eyes and the right incentive all bugs are shallow” - Linus’ Amended Law
  22. Sound familiar?
  23. Bug bounties repurpose the economics of offense to the defensive side.
  24. So how do you get more eyes on security bugs? Cash. Soft Incentives: swag, challenge coins, points systems, exclusive opportunities. Kudos: Hall of Fame, job prospects, contract prospects, community kudos, general swagger.
  25. Ready to start?
  26. Bug bounties are awesome…
  27. …but hard.
  28. Tips from the trenches
  29. The mistake *everyone* makes: VULNERABILITY DATA / PEOPLE
  30. The Golden Rule: Respect the researcher
  31. If you touch the code, pay the researcher
  32. Be upfront and clear about what you will and won’t pay
  33. Be transparent about duplicate and won’t fix issues
  34. Fix quick, pay quick.
  35. Expect front loading
  36. Controlled incidents improve your dev team
  37. Remember that bounty hunting is casual (vs committed)
  38. Conclusion. • Bug bounties are cost effective, and highly marketable… but that’s not the full story… • …this shift in strategy is necessary to address the fundamental asymmetries in the way we do things today. • Go start one. • More tips and tricks at https://blog.bugcrowd.com
  39. Questions?
  40. @caseyjohnellis https://bugcrowd.com casey@bugcrowd.com Greets to Chris, Rob and SourceCONF crew, builditsecure.ly, Rapid7, iamthecavalry.com, @treyford, @k8em0, @codesoda and the @bugcrowd team.
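Worked example of the reward rule on slide 11 applied to the case-study counts on slide 13 (added here; not code from the deck or from Bugcrowd). It assumes the three ranked awards come out of the same $10,000 pool and that the 1st/2nd/3rd bugs are counted among the valid unique bugs, so "All Others" share only what remains.

```python
from fractions import Fraction
from typing import List

# Reward schedule as stated on slide 11 (constructed inputs for this example).
POOL = 10_000                      # total reward pool in dollars
TOP_AWARDS = [2_500, 1_000, 500]   # 1st, 2nd, 3rd
ALL_OTHERS_CAP = 250               # "$250 All Others, or remainder / valid unique bugs, whichever is lower"


def allocate_rewards(pool: int, top_awards: List[int], others_cap: int,
                     valid_unique_bugs: int) -> dict:
    """Apply the slide-11 rule and return per-bug payouts plus totals.

    Assumption (not stated on the slide): the ranked bugs are counted among
    valid_unique_bugs, so "all others" is everyone after the top awards.
    """
    if valid_unique_bugs < 0:
        raise ValueError("valid_unique_bugs must be non-negative")
    # If fewer valid bugs than ranked awards, only the existing ones get paid.
    ranked = top_awards[:valid_unique_bugs]
    remainder = pool - sum(ranked)
    others = valid_unique_bugs - len(ranked)
    if others == 0:
        per_other = 0.0
    else:
        # "whichever is lower": the flat cap or an even split of what is left.
        per_other = float(min(Fraction(others_cap), Fraction(remainder, others)))
    total = sum(ranked) + per_other * others
    return {
        "ranked_payouts": [float(x) for x in ranked],
        "others_count": others,
        "per_other_payout": per_other,
        "total_paid": float(total),
        "unspent": float(pool - total),
        "cost_per_issue": total / valid_unique_bugs if valid_unique_bugs else 0.0,
    }


if __name__ == "__main__":
    # 67 rewardable issues (slide 13) exhausts the pool: the remainder rule,
    # not the $250 cap, sets the "all others" payout. A small count does not.
    for n in (67, 10, 2):
        print(n, allocate_rewards(POOL, TOP_AWARDS, ALL_OTHERS_CAP, n))
```

With 67 issues the remainder split ($6,000 over 64 bugs) is lower than the $250 cap, so the pool is spent exactly; with 10 issues the cap applies and $4,250 stays unspent.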