There's an asymmetry in the way we approach security today... The threat takes the form of lots of hackers, with lots of different skill-sets and diverse motivations - And the majority of them aren't being paid by the hour to attack your stuff. Contrast this with the paid by the hour consultants and in-house resources. It's not that the good guys aren't smart, it's that the model is fundamentally disadvantaged. Crowdsourcing security testing through bug bounty programs engages a crowd of "good guys who think like bad guys" and economically incentivizes them the same way the bad guys are. Casey likes solving problems. He's the Founder and CEO of Bugcrowd, a company which provides a platform to manage bug bounty programs. He's also an Aussie who has difficulty with words that end with "er".

1. 8,100 hackers + Your apps = ???
SourceCONF Boston 2014

2. Why are we here?

3. About me
@caseyjohnellis
JABAH (Just Another Blonde Aussie Hacker)
Recovering pentester turned solution architect turned entrepreneur
Wife and two kids now living in San Francisco
Founder and CEO of Bugcrowd

4. What’s a bug bounty
program?

5. History
0
125
250
375
500
1995 2000 2005 2010 2015

6. It’s not just about being
cheap, or loud…

7. It’s about leveling the
playing field.

8. Black/gray hat economics
Goal: Exploit the bug and keep it alive
Resources: Many hackers/skill-sets/motivations/time
Incentive: Paid for results

9. White hat economics
Goal: Find the bug and kill it
Resources: Single sets of eyes
Incentive: Paid for effort

10. Bug bounty economics
A white hat goal with black/gray market economics
and resourcing.

11. Reward pool: $10,000
2 weeks elapsed
CASE STUDY
Wordpress Sprint Bounty + 5 Plugins
$2,500
1st
$1,000
2nd
$500
3rd
$250
All Others
or the remainder divided by
number of valid unique
bugs… which ever is lower)

12. CASE STUDY
Wordpress Sprint Bounty + 5 Plugins
349 researchers participated.
243 security submissions from 23 countries.
7 unauth’d to full privilege 0-day vulnerabilities.

13. CASE STUDY
Wordpress Sprint Bounty + 5 Plugins
67 rewardable Issues
$142.86 deduplicated cost per issue
16 active security researchers in first hour
8 hours effort in first elapsed hour

14. CASE STUDY
Wordpress Sprint Bounty + 5 Plugins
$10,000
5 days of effort in the
first 8 hours of the
bounty… Across 349
separate sets of eyes
5 days of effort
VS

15. With many eyes all bugs are shallow
- Linus’ Law
“

16. Really?
Credit: Veracode
GnuTLS goto
fail
Credit:
Veracode
Heartbleed

17. Linus was (a little bit)
wrong.

18. Developer Incentive
Make it work.

19. Security Incentive
“Hey, I found a bug!”

20. Who is doing this well
right now?

21. With many eyes and the right
incentive all bugs are shallow
- Linus’ Amended Law
“

22. Sound familiar?

23. Bug bounties repurpose the economics
of offense to the defensive side.

24. So how do you get more
eyes on security bugs?
Cash Soft Incentives Kudos
Swag, challenge coins,
points systems,
exclusive opportunities
Hall of Fame, job
prospects, contract
prospects, community
kudos, general swagger

25. Ready to start?

26. Bug bounties are
awesome…

27. …but hard.

28. Tips from the trenches

29. The mistake *everyone* makes:
VULNERABILITY DATA
PEOPLE

30. The Golden Rule:
Respect the researcher

31. If you touch the code, pay
the researcher

32. Be upfront and clear about
what you will and won’t
pay

33. Be transparent about
duplicate and won’t fix
issues

34. Fix quick, pay quick.

35. Expect front loading

36. Controlled incidents
improve your dev team

37. Remember that bounty
hunting is casual (vs
committed)

38. Conclusion
• Bug bounties are cost effective, and highly
marketable… but that’s not the full story…
• …this shift in strategy is necessary to address the
fundamental asymmetries in the way we do things
today.
• Go start one.
• More tips and tricks at https://blog.bugcrowd.com

39. Questions?

40. @caseyjohnellis
https://bugcrowd.com
casey@bugcrowd.com
Greets to Chris, Rob and SourceCONF crew, builditsecure.ly, Rapid7,
iamthecavalry.com, @treyford, @k8em0, @codesoda and the
@bugcrowd team.