
SOURCEConf Boston 2014 - 5,500 hackers + Your code = ???



There's an asymmetry in the way we approach security today. The threat takes the form of lots of hackers, with lots of different skill sets and diverse motivations, and the majority of them aren't being paid by the hour to attack your stuff. Contrast this with the paid-by-the-hour consultants and in-house resources. It's not that the good guys aren't smart; it's that the model is fundamentally disadvantaged. Crowdsourcing security testing through bug bounty programs engages a crowd of "good guys who think like bad guys" and economically incentivizes them the same way the bad guys are. Casey likes solving problems. He's the Founder and CEO of Bugcrowd, a company which provides a platform to manage bug bounty programs. He's also an Aussie who has difficulty with words that end with "er".

  1. 8,100 hackers + Your apps = ??? SourceCONF Boston 2014
  2. Why are we here?
  3. About me: @caseyjohnellis. JABAH (Just Another Blonde Aussie Hacker). Recovering pentester turned solution architect turned entrepreneur. Wife and two kids, now living in San Francisco. Founder and CEO of Bugcrowd.
  4. What’s a bug bounty program?
  5. History (chart: y-axis 0–500, x-axis 1995–2015; plotted values are not recoverable from the page)
  6. It’s not just about being cheap, or loud…
  7. It’s about leveling the playing field.
  8. Black/gray hat economics. Goal: exploit the bug and keep it alive. Resources: many hackers, skill sets, motivations, time. Incentive: paid for results.
  9. White hat economics. Goal: find the bug and kill it. Resources: single sets of eyes. Incentive: paid for effort.
  10. Bug bounty economics: a white hat goal with black/gray market economics and resourcing.
  11. CASE STUDY: WordPress Sprint Bounty + 5 Plugins. Reward pool: $10,000; 2 weeks elapsed. $2,500 1st, $1,000 2nd, $500 3rd, $250 all others (or the remainder divided by the number of valid unique bugs, whichever is lower).
  12. CASE STUDY: WordPress Sprint Bounty + 5 Plugins. 349 researchers participated. 243 security submissions from 23 countries. 7 unauth’d-to-full-privilege 0-day vulnerabilities.
  13. CASE STUDY: WordPress Sprint Bounty + 5 Plugins. 67 rewardable issues. $142.86 deduplicated cost per issue. 16 active security researchers in the first hour. 8 hours of effort in the first elapsed hour.
  14. CASE STUDY: WordPress Sprint Bounty + 5 Plugins. $10,000: 5 days of effort in the first 8 hours of the bounty… across 349 separate sets of eyes, VS 5 days of effort.
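The reward rule on slide 11 (three fixed top tiers, then $250 or an equal share of the pool remainder, whichever is lower) and the deduplication behind slide 13's "deduplicated cost per issue" can be modelled directly. The block below is an added example written for this page, not Bugcrowd's code or the method used to produce the slide's figures. It assumes that bugs are ranked by the arrival time of their first valid report, that later reports of the same bug are duplicates and are paid nothing, and that the submission records are constructed sample data; the names, bug ids and helper functions are illustrative only.

```python
"""Fixed-pool sprint bounty payouts with deduplication.

Added example for this page, not Bugcrowd's code. Rule from slide 11:
$10,000 pool; $2,500 1st, $1,000 2nd, $500 3rd; every other valid unique
bug gets $250 or the pool remainder split equally, whichever is lower.
Assumptions: ranking is by arrival time of the first valid report of each
bug, later reports of the same bug are duplicates (paid nothing), and
the submissions below are constructed sample data, not real reports.
"""
from dataclasses import dataclass

POOL = 10_000
TOP_TIERS = (2_500, 1_000, 500)
OTHERS_CAP = 250


@dataclass(frozen=True)
class Submission:
    researcher: str
    bug_id: str       # canonical id assigned at triage; duplicates share it
    received_at: int  # seconds since program launch
    valid: bool       # False if triage rejected it (out of scope, not reproducible)


def deduplicate(submissions):
    """Return the first valid report of each bug, ordered by arrival time."""
    winners = {}
    for sub in sorted(submissions, key=lambda s: s.received_at):
        if sub.valid and sub.bug_id not in winners:
            winners[sub.bug_id] = sub
    return list(winners.values())


def payouts(unique_bugs, pool=POOL, tiers=TOP_TIERS, cap=OTHERS_CAP):
    """Map each rewarded submission to its payout under the sprint rule."""
    if pool < sum(tiers):
        raise ValueError("pool cannot fund the fixed tiers")
    rewards = {}
    remainder = pool
    for sub, amount in zip(unique_bugs, tiers):   # 1st, 2nd, 3rd
        rewards[sub] = amount
        remainder -= amount
    others = unique_bugs[len(tiers):]
    if others:
        per_bug = min(cap, remainder / len(others))  # "whichever is lower"
        for sub in others:
            rewards[sub] = per_bug
    return rewards


def others_at_cap(pool=POOL, tiers=TOP_TIERS, cap=OTHERS_CAP):
    """How many 'all others' bugs the remainder can fund at the full cap."""
    return (pool - sum(tiers)) // cap


def run_sprint(submissions, pool=POOL):
    """Dedupe, pay out, and summarise: unique count, total paid, per-issue cost."""
    unique = deduplicate(submissions)
    rewards = payouts(unique, pool)
    total = sum(rewards.values())
    per_researcher = {}
    for sub, amount in rewards.items():
        per_researcher[sub.researcher] = per_researcher.get(sub.researcher, 0) + amount
    return {
        "unique_bugs": len(unique),
        "duplicates": sum(1 for s in submissions if s.valid) - len(unique),
        "total_paid": total,
        "cost_per_issue": total / len(unique) if unique else 0.0,
        "per_researcher": per_researcher,
        "rewards": rewards,
    }


# Constructed sample submissions (not real reports): one duplicate, one rejected.
SAMPLE = [
    Submission("alice", "bug-001", 5, True),
    Submission("bob", "bug-001", 9, True),     # duplicate of alice's report
    Submission("carol", "bug-002", 12, True),
    Submission("dave", "bug-003", 15, False),  # rejected at triage
    Submission("erin", "bug-004", 20, True),
    Submission("frank", "bug-005", 30, True),
    Submission("grace", "bug-006", 44, True),
]

if __name__ == "__main__":
    summary = run_sprint(SAMPLE)
    print(f"{summary['unique_bugs']} unique bugs, {summary['duplicates']} duplicate(s), "
          f"${summary['total_paid']:,.2f} paid, ${summary['cost_per_issue']:,.2f} per issue")
    for sub, amount in summary["rewards"].items():
        print(f"  {sub.bug_id} {sub.researcher:<6} ${amount:,.2f}")
    print(f"${OTHERS_CAP} cap holds for up to {others_at_cap()} 'all others' bugs")
```

With a $10,000 pool the $6,000 remainder funds 24 "all others" bugs at the full $250; beyond that the per-bug share falls, so a program with 67 unique rewardable bugs pays each bug outside the top three $93.75 and exhausts the pool. That is the lever a fixed pool gives the program owner: the total spend is capped, and a bigger crowd lowers the price per bug rather than raising the bill.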
  15. “With many eyes all bugs are shallow” - Linus’ Law
  16. Really? GnuTLS goto fail; Heartbleed (image credits: Veracode)
  17. Linus was (a little bit) wrong.
  18. Developer incentive: make it work.
  19. Security incentive: “Hey, I found a bug!”
  20. Who is doing this well right now?
  21. “With many eyes and the right incentive all bugs are shallow” - Linus’ Amended Law
  22. Sound familiar?
  23. Bug bounties repurpose the economics of offense to the defensive side.
  24. So how do you get more eyes on security bugs? Cash. Soft incentives: swag, challenge coins, points systems, exclusive opportunities. Kudos: Hall of Fame, job prospects, contract prospects, community kudos, general swagger.
  25. Ready to start?
  26. Bug bounties are awesome…
  27. …but hard.
  28. Tips from the trenches
  29. The mistake *everyone* makes: VULNERABILITY DATA PEOPLE
  30. The Golden Rule: respect the researcher.
  31. If you touch the code, pay the researcher.
  32. Be upfront and clear about what you will and won’t pay.
  33. Be transparent about duplicate and won’t-fix issues.
  34. Fix quick, pay quick.
  35. Expect front loading.
  36. Controlled incidents improve your dev team.
  37. Remember that bounty hunting is casual (vs committed).
  38. Conclusion
      • Bug bounties are cost effective, and highly marketable… but that’s not the full story…
      • …this shift in strategy is necessary to address the fundamental asymmetries in the way we do things today.
      • Go start one.
      • More tips and tricks at
  39. Questions?
  40. @caseyjohnellis Greets to Chris, Rob and the SourceCONF crew, Rapid7, @treyford, @k8em0, @codesoda and the @bugcrowd team.