There's an asymmetry in the way we approach security today. The threat takes the form of lots of hackers with lots of different skill sets and diverse motivations, and the majority of them aren't being paid by the hour to attack your stuff. Contrast this with the paid-by-the-hour consultants and in-house resources. It's not that the good guys aren't smart; it's that the model is fundamentally disadvantaged. Crowdsourcing security testing through bug bounty programs engages a crowd of "good guys who think like bad guys" and economically incentivizes them the same way the bad guys are. Casey likes solving problems. He's the Founder and CEO of Bugcrowd, a company which provides a platform to manage bug bounty programs. He's also an Aussie who has difficulty with words that end with "er".
3. About me
@caseyjohnellis
JABAH (Just Another Blonde Aussie Hacker)
Recovering pentester turned solution architect turned entrepreneur
Wife and two kids now living in San Francisco
Founder and CEO of Bugcrowd
11. CASE STUDY
Wordpress Sprint Bounty + 5 Plugins
Reward pool: $10,000
2 weeks elapsed
1st: $2,500
2nd: $1,000
3rd: $500
All others: $250 (or the remainder divided by the number of valid unique bugs, whichever is lower)
12. CASE STUDY
Wordpress Sprint Bounty + 5 Plugins
349 researchers participated.
243 security submissions from 23 countries.
7 unauthenticated-to-full-privilege 0-day vulnerabilities.
13. CASE STUDY
Wordpress Sprint Bounty + 5 Plugins
67 rewardable Issues
$142.86 deduplicated cost per issue
16 active security researchers in first hour
8 hours effort in first elapsed hour
14. CASE STUDY
Wordpress Sprint Bounty + 5 Plugins
$10,000: 5 days of effort in the first 8 hours of the bounty… across 349 separate sets of eyes
VS
5 days of effort
24. So how do you get more eyes on security bugs?
Cash
Soft Incentives: swag, challenge coins, points systems, exclusive opportunities
Kudos: Hall of Fame, job prospects, contract prospects, community kudos, general swagger
38. Conclusion
• Bug bounties are cost effective and highly marketable… but that's not the full story…
• …this shift in strategy is necessary to address the fundamental asymmetries in the way we do things today.
• Go start one.
• More tips and tricks at https://blog.bugcrowd.com