SlideShare a Scribd company logo

AppSecUSA 2016: 'Your License for Bug Hunting Season'

Download as PPTX, PDF
bugcrowd
bugcrowd

You don’t need a license for bug hunting season anymore. Bug bounty programs are becoming well established as a valuable tool in identifying vulnerabilities early. The Department of Defense has authorized its first bug bounty program, and many vendors are taking a fresh look. While the programs are highly effective, many questions remain about how to structure bug bounty programs to address the concerns that vendors and researchers have about controlling bug hunters, security and privacy, contractual issues with bug hunters, what happens if there is a rogue hacker in the crowd, and liability and compliance concerns. This presentation will cover the best practices for structuring effective bug bounty programs. Talk originally given at AppSecUSA 2016 | October 13, 2016

Technology
1 of 14
Your License for Bug Hunting Season James Denaro & Casey Ellis
Speakers 10/13/2016 Your License for Bug Hunting Season James Denaro Attorney, Founder of Cipher Law Casey Ellis Founder & CEO, Bugcrowd
Agenda Risk & Reward of Bug Bounties Addressing Two Main Areas of Concern: 1. Uncertainty 2. Liability Questions 10/13/2016 Your License for Bug Hunting Season
10/13/2016 Your License for Bug Hunting Season Is it safe in the water?
10/13/2016 Your License for Bug Hunting Season What are we really talking about? By W.carter - Own work, CC BY-SA 4.0, https://commons.wikimedia. org/w/index.php?curid=3497 9655
Uncertainty
Uncertainty FAQs • How do I budget for a bug bounty? • How do I know good hackers will test my apps? • How do I know I’ll get good results? 10/13/2016 Your License for Bug Hunting Season Top concerns for individuals looking into running a bug bounty program in next few years
Uncertainty: Results & Talent • Crafting your Program: – Program Type • Public vs. Private • Ongoing vs. On-Demand 10/13/2016 Your License for Bug Hunting Season How are researchers invited to private programs? measured by accuracy, activity, impact and trust
Uncertainty: Results & Talent • Crafting your Program: – Bounty Brief • In-Scope & Out-of-Scope • Rewards • Rules 10/13/2016 Your License for Bug Hunting Season
Additional Uncertainties • Budgeting • Processes • Getting internal buy-in • Legal questions 10/13/2016 Your License for Bug Hunting Season
Liability
#1 Most Frequently Asked Question What happens if a hacker goes rogue? • Logical • Procedural • Emotional • Legal 10/13/2016 Your License for Bug Hunting Season By YBS 999 (Own work) [CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons
Additional Liability/Legal Concerns • Contracts & NDAs • Who has liability for loss of data/business assets? • Personal liability? • Who has jurisdiction? 10/13/2016 Your License for Bug Hunting Season
Questions?

Recommended

Bug Bounty Tipping Point: Strength in Numbers
Bug Bounty Tipping Point: Strength in NumbersBug Bounty Tipping Point: Strength in Numbers
Bug Bounty Tipping Point: Strength in Numbersbugcrowd
 
7 Bug Bounty Myths, BUSTED
7 Bug Bounty Myths, BUSTED7 Bug Bounty Myths, BUSTED
7 Bug Bounty Myths, BUSTEDbugcrowd
 
[Webinar] The Art & Value of Bug Bounty Programs
[Webinar] The Art & Value of Bug Bounty Programs[Webinar] The Art & Value of Bug Bounty Programs
[Webinar] The Art & Value of Bug Bounty Programsbugcrowd
 
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Programbugcrowd
 
Build or Buy: The Barracuda Bug Bounty Story [Webinar]
Build or Buy: The Barracuda Bug Bounty Story [Webinar]Build or Buy: The Barracuda Bug Bounty Story [Webinar]
Build or Buy: The Barracuda Bug Bounty Story [Webinar]bugcrowd
 
4 Reasons to Crowdsource Your Pen Test
4 Reasons to Crowdsource Your Pen Test4 Reasons to Crowdsource Your Pen Test
4 Reasons to Crowdsource Your Pen Testbugcrowd
 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gatesEoin Keary
 
Top 20 Public Bug Bounty Programs
Top 20 Public Bug Bounty ProgramsTop 20 Public Bug Bounty Programs
Top 20 Public Bug Bounty ProgramsHackerOne
 

Recommended

Bug Bounty Tipping Point: Strength in Numbers
Bug Bounty Tipping Point: Strength in NumbersBug Bounty Tipping Point: Strength in Numbers
Bug Bounty Tipping Point: Strength in Numbersbugcrowd
 
7 Bug Bounty Myths, BUSTED
7 Bug Bounty Myths, BUSTED7 Bug Bounty Myths, BUSTED
7 Bug Bounty Myths, BUSTEDbugcrowd
 
[Webinar] The Art & Value of Bug Bounty Programs
[Webinar] The Art & Value of Bug Bounty Programs[Webinar] The Art & Value of Bug Bounty Programs
[Webinar] The Art & Value of Bug Bounty Programsbugcrowd
 
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Programbugcrowd
 
Build or Buy: The Barracuda Bug Bounty Story [Webinar]
Build or Buy: The Barracuda Bug Bounty Story [Webinar]Build or Buy: The Barracuda Bug Bounty Story [Webinar]
Build or Buy: The Barracuda Bug Bounty Story [Webinar]bugcrowd
 
4 Reasons to Crowdsource Your Pen Test
4 Reasons to Crowdsource Your Pen Test4 Reasons to Crowdsource Your Pen Test
4 Reasons to Crowdsource Your Pen Testbugcrowd
 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gatesEoin Keary
 
Top 20 Public Bug Bounty Programs
Top 20 Public Bug Bounty ProgramsTop 20 Public Bug Bounty Programs
Top 20 Public Bug Bounty ProgramsHackerOne
 
Key Takeaways from Instructure's Successful Bug Bounty Program
Key Takeaways from Instructure's Successful Bug Bounty ProgramKey Takeaways from Instructure's Successful Bug Bounty Program
Key Takeaways from Instructure's Successful Bug Bounty Programbugcrowd
 
OSB340R: Disrupting an Advanced Attack
OSB340R: Disrupting an Advanced AttackOSB340R: Disrupting an Advanced Attack
OSB340R: Disrupting an Advanced AttackIvanti
 
OSB340: Disrupting an Advanced Attack
OSB340: Disrupting an Advanced AttackOSB340: Disrupting an Advanced Attack
OSB340: Disrupting an Advanced AttackIvanti
 
Best Practice Next-Generation Vulnerability Management to Identify Threats, ...
Best Practice Next-Generation Vulnerability Management to Identify Threats, ... Best Practice Next-Generation Vulnerability Management to Identify Threats, ...
Best Practice Next-Generation Vulnerability Management to Identify Threats, ...Skybox Security
 
Risk Based Approach In cyber Security In Nepal
Risk Based Approach In cyber Security In NepalRisk Based Approach In cyber Security In Nepal
Risk Based Approach In cyber Security In NepalICT Frame Magazine Pvt. Ltd.
 
Containing the outbreak: The healthcare security pandemic
Containing the outbreak: The healthcare security pandemicContaining the outbreak: The healthcare security pandemic
Containing the outbreak: The healthcare security pandemicAvecto
 
Survey Says! 2017 Shrink Data Results
Survey Says! 2017 Shrink Data ResultsSurvey Says! 2017 Shrink Data Results
Survey Says! 2017 Shrink Data ResultsNational Retail Federation
 
Digital crimescene emv_update_nrfprotect17_skipmyersbethprovenzano_final061217
Digital crimescene emv_update_nrfprotect17_skipmyersbethprovenzano_final061217Digital crimescene emv_update_nrfprotect17_skipmyersbethprovenzano_final061217
Digital crimescene emv_update_nrfprotect17_skipmyersbethprovenzano_final061217National Retail Federation
 
Revitalizing Product Securtiy at Zephyr Health
Revitalizing Product Securtiy at Zephyr HealthRevitalizing Product Securtiy at Zephyr Health
Revitalizing Product Securtiy at Zephyr Healthbugcrowd
 
How to be everywhere tackling multi store security
How to be everywhere tackling multi store securityHow to be everywhere tackling multi store security
How to be everywhere tackling multi store securityNational Retail Federation
 
A Hacker's perspective on ransomware
A Hacker's perspective on ransomwareA Hacker's perspective on ransomware
A Hacker's perspective on ransomwareAvecto
 
Ivanti - Continuous Vulnerability Management
Ivanti - Continuous Vulnerability ManagementIvanti - Continuous Vulnerability Management
Ivanti - Continuous Vulnerability ManagementIvanti
 
Penetration Testing
Penetration TestingPenetration Testing
Penetration Testingjananya213
 
Why security is the kidney not the tail of the dog v3
Why security is the kidney not the tail of the dog v3Why security is the kidney not the tail of the dog v3
Why security is the kidney not the tail of the dog v3Ernest Staats
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boardsPaul McGillicuddy
 
2017 U.S. State of Cybercrime
2017 U.S. State of Cybercrime2017 U.S. State of Cybercrime
2017 U.S. State of CybercrimeIDG
 
The Cost of Inactivity: Malware Infographic
The Cost of Inactivity: Malware InfographicThe Cost of Inactivity: Malware Infographic
The Cost of Inactivity: Malware InfographicCisco Security
 
Live 2014 Survey Results: Open Source Development and Application Security Su...
Live 2014 Survey Results: Open Source Development and Application Security Su...Live 2014 Survey Results: Open Source Development and Application Security Su...
Live 2014 Survey Results: Open Source Development and Application Security Su...Sonatype
 
Sonatype's 2013 OSS Software Survey
Sonatype's 2013 OSS Software Survey Sonatype's 2013 OSS Software Survey
Sonatype's 2013 OSS Software SurveySonatype
 
Reinforcing the Revolution: The Promise and Perils of Digital Transformation
Reinforcing the Revolution: The Promise and Perils of Digital TransformationReinforcing the Revolution: The Promise and Perils of Digital Transformation
Reinforcing the Revolution: The Promise and Perils of Digital TransformationProofpoint
 
Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Ajay Negi
 
If You Can't Beat 'Em, Join 'Em
If You Can't Beat 'Em, Join 'Em If You Can't Beat 'Em, Join 'Em
If You Can't Beat 'Em, Join 'Embugcrowd
 

More Related Content

What's hot

Key Takeaways from Instructure's Successful Bug Bounty Program
Key Takeaways from Instructure's Successful Bug Bounty ProgramKey Takeaways from Instructure's Successful Bug Bounty Program
Key Takeaways from Instructure's Successful Bug Bounty Programbugcrowd
 
OSB340R: Disrupting an Advanced Attack
OSB340R: Disrupting an Advanced AttackOSB340R: Disrupting an Advanced Attack
OSB340R: Disrupting an Advanced AttackIvanti
 
OSB340: Disrupting an Advanced Attack
OSB340: Disrupting an Advanced AttackOSB340: Disrupting an Advanced Attack
OSB340: Disrupting an Advanced AttackIvanti
 
Best Practice Next-Generation Vulnerability Management to Identify Threats, ...
Best Practice Next-Generation Vulnerability Management to Identify Threats, ... Best Practice Next-Generation Vulnerability Management to Identify Threats, ...
Best Practice Next-Generation Vulnerability Management to Identify Threats, ...Skybox Security
 
Containing the outbreak: The healthcare security pandemic
Containing the outbreak: The healthcare security pandemicContaining the outbreak: The healthcare security pandemic
Containing the outbreak: The healthcare security pandemicAvecto
 
Digital crimescene emv_update_nrfprotect17_skipmyersbethprovenzano_final061217
Digital crimescene emv_update_nrfprotect17_skipmyersbethprovenzano_final061217Digital crimescene emv_update_nrfprotect17_skipmyersbethprovenzano_final061217
Digital crimescene emv_update_nrfprotect17_skipmyersbethprovenzano_final061217National Retail Federation
 
Revitalizing Product Securtiy at Zephyr Health
Revitalizing Product Securtiy at Zephyr HealthRevitalizing Product Securtiy at Zephyr Health
Revitalizing Product Securtiy at Zephyr Healthbugcrowd
 
How to be everywhere tackling multi store security
How to be everywhere tackling multi store securityHow to be everywhere tackling multi store security
How to be everywhere tackling multi store securityNational Retail Federation
 
A Hacker's perspective on ransomware
A Hacker's perspective on ransomwareA Hacker's perspective on ransomware
A Hacker's perspective on ransomwareAvecto
 
Ivanti - Continuous Vulnerability Management
Ivanti - Continuous Vulnerability ManagementIvanti - Continuous Vulnerability Management
Ivanti - Continuous Vulnerability ManagementIvanti
 
Penetration Testing
Penetration TestingPenetration Testing
Penetration Testingjananya213
 
Why security is the kidney not the tail of the dog v3
Why security is the kidney not the tail of the dog v3Why security is the kidney not the tail of the dog v3
Why security is the kidney not the tail of the dog v3Ernest Staats
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boardsPaul McGillicuddy
 
2017 U.S. State of Cybercrime
2017 U.S. State of Cybercrime2017 U.S. State of Cybercrime
2017 U.S. State of CybercrimeIDG
 
The Cost of Inactivity: Malware Infographic
The Cost of Inactivity: Malware InfographicThe Cost of Inactivity: Malware Infographic
The Cost of Inactivity: Malware InfographicCisco Security
 
Live 2014 Survey Results: Open Source Development and Application Security Su...
Live 2014 Survey Results: Open Source Development and Application Security Su...Live 2014 Survey Results: Open Source Development and Application Security Su...
Live 2014 Survey Results: Open Source Development and Application Security Su...Sonatype
 
Sonatype's 2013 OSS Software Survey
Sonatype's 2013 OSS Software Survey Sonatype's 2013 OSS Software Survey
Sonatype's 2013 OSS Software SurveySonatype
 
Reinforcing the Revolution: The Promise and Perils of Digital Transformation
Reinforcing the Revolution: The Promise and Perils of Digital TransformationReinforcing the Revolution: The Promise and Perils of Digital Transformation
Reinforcing the Revolution: The Promise and Perils of Digital TransformationProofpoint
 

What's hot (20)

Key Takeaways from Instructure's Successful Bug Bounty Program
Key Takeaways from Instructure's Successful Bug Bounty ProgramKey Takeaways from Instructure's Successful Bug Bounty Program
Key Takeaways from Instructure's Successful Bug Bounty Program
 
OSB340R: Disrupting an Advanced Attack
OSB340R: Disrupting an Advanced AttackOSB340R: Disrupting an Advanced Attack
OSB340R: Disrupting an Advanced Attack
 
OSB340: Disrupting an Advanced Attack
OSB340: Disrupting an Advanced AttackOSB340: Disrupting an Advanced Attack
OSB340: Disrupting an Advanced Attack
 
Best Practice Next-Generation Vulnerability Management to Identify Threats, ...
Best Practice Next-Generation Vulnerability Management to Identify Threats, ... Best Practice Next-Generation Vulnerability Management to Identify Threats, ...
Best Practice Next-Generation Vulnerability Management to Identify Threats, ...
 
Risk Based Approach In cyber Security In Nepal
Risk Based Approach In cyber Security In NepalRisk Based Approach In cyber Security In Nepal
Risk Based Approach In cyber Security In Nepal
 
Containing the outbreak: The healthcare security pandemic
Containing the outbreak: The healthcare security pandemicContaining the outbreak: The healthcare security pandemic
Containing the outbreak: The healthcare security pandemic
 
Survey Says! 2017 Shrink Data Results
Survey Says! 2017 Shrink Data ResultsSurvey Says! 2017 Shrink Data Results
Survey Says! 2017 Shrink Data Results
 
Digital crimescene emv_update_nrfprotect17_skipmyersbethprovenzano_final061217
Digital crimescene emv_update_nrfprotect17_skipmyersbethprovenzano_final061217Digital crimescene emv_update_nrfprotect17_skipmyersbethprovenzano_final061217
Digital crimescene emv_update_nrfprotect17_skipmyersbethprovenzano_final061217
 
Revitalizing Product Securtiy at Zephyr Health
Revitalizing Product Securtiy at Zephyr HealthRevitalizing Product Securtiy at Zephyr Health
Revitalizing Product Securtiy at Zephyr Health
 
How to be everywhere tackling multi store security
How to be everywhere tackling multi store securityHow to be everywhere tackling multi store security
How to be everywhere tackling multi store security
 
A Hacker's perspective on ransomware
A Hacker's perspective on ransomwareA Hacker's perspective on ransomware
A Hacker's perspective on ransomware
 
Ivanti - Continuous Vulnerability Management
Ivanti - Continuous Vulnerability ManagementIvanti - Continuous Vulnerability Management
Ivanti - Continuous Vulnerability Management
 
Penetration Testing
Penetration TestingPenetration Testing
Penetration Testing
 
Why security is the kidney not the tail of the dog v3
Why security is the kidney not the tail of the dog v3Why security is the kidney not the tail of the dog v3
Why security is the kidney not the tail of the dog v3
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boards
 
2017 U.S. State of Cybercrime
2017 U.S. State of Cybercrime2017 U.S. State of Cybercrime
2017 U.S. State of Cybercrime
 
The Cost of Inactivity: Malware Infographic
The Cost of Inactivity: Malware InfographicThe Cost of Inactivity: Malware Infographic
The Cost of Inactivity: Malware Infographic
 
Live 2014 Survey Results: Open Source Development and Application Security Su...
Live 2014 Survey Results: Open Source Development and Application Security Su...Live 2014 Survey Results: Open Source Development and Application Security Su...
Live 2014 Survey Results: Open Source Development and Application Security Su...
 
Sonatype's 2013 OSS Software Survey
Sonatype's 2013 OSS Software Survey Sonatype's 2013 OSS Software Survey
Sonatype's 2013 OSS Software Survey
 
Reinforcing the Revolution: The Promise and Perils of Digital Transformation
Reinforcing the Revolution: The Promise and Perils of Digital TransformationReinforcing the Revolution: The Promise and Perils of Digital Transformation
Reinforcing the Revolution: The Promise and Perils of Digital Transformation
 

Viewers also liked

Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Ajay Negi
 
If You Can't Beat 'Em, Join 'Em
If You Can't Beat 'Em, Join 'Em If You Can't Beat 'Em, Join 'Em
If You Can't Beat 'Em, Join 'Embugcrowd
 
How to run a kick ass bug bounty program - Node Summit 2013
How to run a kick ass bug bounty program - Node Summit 2013How to run a kick ass bug bounty program - Node Summit 2013
How to run a kick ass bug bounty program - Node Summit 2013bugcrowd
 
If You Can't Beat 'Em, Join 'Em (AppSecUSA)
If You Can't Beat 'Em, Join 'Em (AppSecUSA)If You Can't Beat 'Em, Join 'Em (AppSecUSA)
If You Can't Beat 'Em, Join 'Em (AppSecUSA)bugcrowd
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...bugcrowd
 
Building a Security Information and Event Management platform at Travis Per...
Building a Security Information and Event Management platform at Travis Per... Building a Security Information and Event Management platform at Travis Per...
Building a Security Information and Event Management platform at Travis Per...Splunk
 

Viewers also liked (6)

Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)
 
If You Can't Beat 'Em, Join 'Em
If You Can't Beat 'Em, Join 'Em If You Can't Beat 'Em, Join 'Em
If You Can't Beat 'Em, Join 'Em
 
How to run a kick ass bug bounty program - Node Summit 2013
How to run a kick ass bug bounty program - Node Summit 2013How to run a kick ass bug bounty program - Node Summit 2013
How to run a kick ass bug bounty program - Node Summit 2013
 
If You Can't Beat 'Em, Join 'Em (AppSecUSA)
If You Can't Beat 'Em, Join 'Em (AppSecUSA)If You Can't Beat 'Em, Join 'Em (AppSecUSA)
If You Can't Beat 'Em, Join 'Em (AppSecUSA)
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
 
Building a Security Information and Event Management platform at Travis Per...
Building a Security Information and Event Management platform at Travis Per... Building a Security Information and Event Management platform at Travis Per...
Building a Security Information and Event Management platform at Travis Per...
 

Similar to AppSecUSA 2016: 'Your License for Bug Hunting Season'

AppSecUSA - Your License for Bug Hunting Season
AppSecUSA - Your License for Bug Hunting SeasonAppSecUSA - Your License for Bug Hunting Season
AppSecUSA - Your License for Bug Hunting SeasonCasey Ellis
 
The Art of Practice Management Dental Pearls - April 2016
The Art of Practice Management Dental Pearls - April 2016The Art of Practice Management Dental Pearls - April 2016
The Art of Practice Management Dental Pearls - April 2016Marianne Harper
 
Essay On Solar Energy In India
Essay On Solar Energy In IndiaEssay On Solar Energy In India
Essay On Solar Energy In IndiaAlison Parker
 
Data Breach Response: Before and After the Breach (Series: Cybersecurity & Da...
Data Breach Response: Before and After the Breach (Series: Cybersecurity & Da...Data Breach Response: Before and After the Breach (Series: Cybersecurity & Da...
Data Breach Response: Before and After the Breach (Series: Cybersecurity & Da...Financial Poise
 
Protecting Your Professional Reputation Online
Protecting Your Professional Reputation OnlineProtecting Your Professional Reputation Online
Protecting Your Professional Reputation OnlineLegal Media Matters
 
Hot Off the Press - Recent Cases & Decisions 2019
Hot Off the Press - Recent Cases & Decisions 2019Hot Off the Press - Recent Cases & Decisions 2019
Hot Off the Press - Recent Cases & Decisions 2019Financial Poise
 
Apa Format Example Paper
Apa Format Example PaperApa Format Example Paper
Apa Format Example PaperTisha Noel
 
Writing - Jetpaper.Web.Fc2.Com. Online assignment writing service.
Writing - Jetpaper.Web.Fc2.Com. Online assignment writing service.Writing - Jetpaper.Web.Fc2.Com. Online assignment writing service.
Writing - Jetpaper.Web.Fc2.Com. Online assignment writing service.Rajee Dent
 
Cyber Terrorism Write Essay For You. Online assignment writing service.
Cyber Terrorism Write Essay For You. Online assignment writing service.Cyber Terrorism Write Essay For You. Online assignment writing service.
Cyber Terrorism Write Essay For You. Online assignment writing service.Laura Smith
 
Scholarship Essay Graduate Program Essay
Scholarship Essay Graduate Program EssayScholarship Essay Graduate Program Essay
Scholarship Essay Graduate Program EssayLori Flores
 
Specific Topic For Research Paper. 100 Best Climate C
Specific Topic For Research Paper. 100 Best Climate CSpecific Topic For Research Paper. 100 Best Climate C
Specific Topic For Research Paper. 100 Best Climate CDanielle Richardson
 
Cyber Liability Insurance: An Essential and Urgently Needed Business Investment
Cyber Liability Insurance: An Essential and Urgently Needed Business InvestmentCyber Liability Insurance: An Essential and Urgently Needed Business Investment
Cyber Liability Insurance: An Essential and Urgently Needed Business InvestmentThomas LaPointe
 
The industry response to ad blocking - Digiday WTF Ad Blocking NYC, 1/14/16
The industry response to ad blocking - Digiday WTF Ad Blocking NYC, 1/14/16The industry response to ad blocking - Digiday WTF Ad Blocking NYC, 1/14/16
The industry response to ad blocking - Digiday WTF Ad Blocking NYC, 1/14/16Digiday
 
Shocking Stats On Identity Theft In Canada And You Could Be One
Shocking Stats On Identity Theft In Canada And You Could Be OneShocking Stats On Identity Theft In Canada And You Could Be One
Shocking Stats On Identity Theft In Canada And You Could Be OneSue Carveth
 
RatemyRoomie.pptx
RatemyRoomie.pptxRatemyRoomie.pptx
RatemyRoomie.pptxLoi Tran
 
Managing a Hack: A Communicator's Guide to a Data Breach
Managing a Hack: A Communicator's Guide to a Data BreachManaging a Hack: A Communicator's Guide to a Data Breach
Managing a Hack: A Communicator's Guide to a Data BreachSandra Fathi
 

Similar to AppSecUSA 2016: 'Your License for Bug Hunting Season' (20)

AppSecUSA - Your License for Bug Hunting Season
AppSecUSA - Your License for Bug Hunting SeasonAppSecUSA - Your License for Bug Hunting Season
AppSecUSA - Your License for Bug Hunting Season
 
The Art of Practice Management Dental Pearls - April 2016
The Art of Practice Management Dental Pearls - April 2016The Art of Practice Management Dental Pearls - April 2016
The Art of Practice Management Dental Pearls - April 2016
 
Essay On Solar Energy In India
Essay On Solar Energy In IndiaEssay On Solar Energy In India
Essay On Solar Energy In India
 
Data Breach Response: Before and After the Breach (Series: Cybersecurity & Da...
Data Breach Response: Before and After the Breach (Series: Cybersecurity & Da...Data Breach Response: Before and After the Breach (Series: Cybersecurity & Da...
Data Breach Response: Before and After the Breach (Series: Cybersecurity & Da...
 
Protecting Your Professional Reputation Online
Protecting Your Professional Reputation OnlineProtecting Your Professional Reputation Online
Protecting Your Professional Reputation Online
 
Cets 2016 arents webinar worst case scenario survival training
Cets 2016 arents webinar worst case scenario survival trainingCets 2016 arents webinar worst case scenario survival training
Cets 2016 arents webinar worst case scenario survival training
 
Hot Off the Press - Recent Cases & Decisions 2019
Hot Off the Press - Recent Cases & Decisions 2019Hot Off the Press - Recent Cases & Decisions 2019
Hot Off the Press - Recent Cases & Decisions 2019
 
Apa Format Example Paper
Apa Format Example PaperApa Format Example Paper
Apa Format Example Paper
 
Writing - Jetpaper.Web.Fc2.Com. Online assignment writing service.
Writing - Jetpaper.Web.Fc2.Com. Online assignment writing service.Writing - Jetpaper.Web.Fc2.Com. Online assignment writing service.
Writing - Jetpaper.Web.Fc2.Com. Online assignment writing service.
 
Cyber Terrorism Write Essay For You. Online assignment writing service.
Cyber Terrorism Write Essay For You. Online assignment writing service.Cyber Terrorism Write Essay For You. Online assignment writing service.
Cyber Terrorism Write Essay For You. Online assignment writing service.
 
Scholarship Essay Graduate Program Essay
Scholarship Essay Graduate Program EssayScholarship Essay Graduate Program Essay
Scholarship Essay Graduate Program Essay
 
Specific Topic For Research Paper. 100 Best Climate C
Specific Topic For Research Paper. 100 Best Climate CSpecific Topic For Research Paper. 100 Best Climate C
Specific Topic For Research Paper. 100 Best Climate C
 
Cyber Liability Insurance: An Essential and Urgently Needed Business Investment
Cyber Liability Insurance: An Essential and Urgently Needed Business InvestmentCyber Liability Insurance: An Essential and Urgently Needed Business Investment
Cyber Liability Insurance: An Essential and Urgently Needed Business Investment
 
The industry response to ad blocking - Digiday WTF Ad Blocking NYC, 1/14/16
The industry response to ad blocking - Digiday WTF Ad Blocking NYC, 1/14/16The industry response to ad blocking - Digiday WTF Ad Blocking NYC, 1/14/16
The industry response to ad blocking - Digiday WTF Ad Blocking NYC, 1/14/16
 
R2R Meeting 16 pdf
R2R Meeting 16 pdfR2R Meeting 16 pdf
R2R Meeting 16 pdf
 
Shocking Stats On Identity Theft In Canada And You Could Be One
Shocking Stats On Identity Theft In Canada And You Could Be OneShocking Stats On Identity Theft In Canada And You Could Be One
Shocking Stats On Identity Theft In Canada And You Could Be One
 
RatemyRoomie.pptx
RatemyRoomie.pptxRatemyRoomie.pptx
RatemyRoomie.pptx
 
Essay Globalization
Essay GlobalizationEssay Globalization
Essay Globalization
 
R2R Meeting 16 ppt
R2R Meeting 16 pptR2R Meeting 16 ppt
R2R Meeting 16 ppt
 
Managing a Hack: A Communicator's Guide to a Data Breach
Managing a Hack: A Communicator's Guide to a Data BreachManaging a Hack: A Communicator's Guide to a Data Breach
Managing a Hack: A Communicator's Guide to a Data Breach
 

More from bugcrowd

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counselbugcrowd
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
 
Writing vuln reports that maximize payouts - Nullcon 2016
Writing vuln reports that maximize payouts - Nullcon 2016Writing vuln reports that maximize payouts - Nullcon 2016
Writing vuln reports that maximize payouts - Nullcon 2016bugcrowd
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty ProgramsHI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programsbugcrowd
 
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLVHow Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLVbugcrowd
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
 
Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attackerbugcrowd
 
5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Programbugcrowd
 

More from bugcrowd (9)

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
 
Writing vuln reports that maximize payouts - Nullcon 2016
Writing vuln reports that maximize payouts - Nullcon 2016Writing vuln reports that maximize payouts - Nullcon 2016
Writing vuln reports that maximize payouts - Nullcon 2016
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty ProgramsHI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
 
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLVHow Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
 
Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attacker
 
5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program
 

Recently uploaded

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 

Recently uploaded (20)

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 

AppSecUSA 2016: 'Your License for Bug Hunting Season'

  • 1. Your License for Bug Hunting Season James Denaro & Casey Ellis
  • 2. Speakers 10/13/2016 Your License for Bug Hunting Season James Denaro Attorney, Founder of Cipher Law Casey Ellis Founder & CEO, Bugcrowd
  • 3. Agenda Risk & Reward of Bug Bounties Addressing Two Main Areas of Concern: 1. Uncertainty 2. Liability Questions 10/13/2016 Your License for Bug Hunting Season
  • 4. 10/13/2016 Your License for Bug Hunting Season Is it safe in the water?
  • 5. 10/13/2016 Your License for Bug Hunting Season What are we really talking about? By W.carter - Own work, CC BY-SA 4.0, https://commons.wikimedia. org/w/index.php?curid=3497 9655
  • 7. Uncertainty FAQs • How do I budget for a bug bounty? • How do I know good hackers will test my apps? • How do I know I’ll get good results? 10/13/2016 Your License for Bug Hunting Season Top concerns for individuals looking into running a bug bounty program in next few years
  • 8. Uncertainty: Results & Talent • Crafting your Program: – Program Type • Public vs. Private • Ongoing vs. On-Demand 10/13/2016 Your License for Bug Hunting Season How are researchers invited to private programs? measured by accuracy, activity, impact and trust
  • 9. Uncertainty: Results & Talent • Crafting your Program: – Bounty Brief • In-Scope & Out-of-Scope • Rewards • Rules 10/13/2016 Your License for Bug Hunting Season
  • 10. Additional Uncertainties • Budgeting • Processes • Getting internal buy-in • Legal questions 10/13/2016 Your License for Bug Hunting Season
  • 12. #1 Most Frequently Asked Question What happens if a hacker goes rogue? • Logical • Procedural • Emotional • Legal 10/13/2016 Your License for Bug Hunting Season By YBS 999 (Own work) [CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons
  • 13. Additional Liability/Legal Concerns • Contracts & NDAs • Who has liability for loss of data/business assets? • Personal liability? • Who has jurisdiction? 10/13/2016 Your License for Bug Hunting Season

Editor's Notes

  1. These are the FAQs.
  2. Risk vs. Reward Jim: talk about what we’re really talking about Casey: Benefits are preemptive -> why aren’t we doing this? A lot of what we’re flushing out risks and rewards
  3. Risk vs. Reward Jim: talk about what we’re really talking about Casey: Benefits are preemptive -> why aren’t we doing this? A lot of what we’re flushing out risks and rewards
  4. People don’t know what the risks are, and it’s about control, fear of losing control to people we’ve been trained to distrust
  5. Image: Of individuals looking to run a program in the next few years, these are their perceived apprehensions Set context for this discussion – we do get a lot of questions about what to expect these concerns are understandable… 40,000 hackers 112 different countries Marketplace
  6. Jim jump in on public vs. private
  7. Tl:dr; you’re in control. This model has evolved from the wild wild west it was, and there are knobs and levers at your disposal to meet your business goals: Program type – public vs. private: use cases for both Ongoing vs. on-demand: use cases for both Writing your bounty brief: in-scope & out of scope Jim pipe in here to talk about that doing this in general is illegal… this is acts as a legal contract
  8. This section is highly connected to the previous sections, and the underlying issue is ‘control’ and responsibility
  9. Speak to this slide in foursteps: #1: Logic - the likelihood of a hacker finding a critical vulnerability, selling it on the dark web, and the bug being exploited is unlikely – in that time frame, another would have submitted it through the program (model supports this) and client would have fixed it – shadowbrokers cisco bugs in the wild, collision #2: Rules & Procedures – community terms, rules you must follow, default non-disclosure, ramifications for not following those rules are: banned temporarily or permanently #3: Emotional: we know the, their t-shirt size, etc. #4: Legal Address the root of this question… risk (Jim did a really good job of talking about risk in the webinar) and if you’re really concerned, go back and reference what we talked about earlier – private programs
  10. This section is highly connected to the previous sections, and the underlying issue is ‘control’ and responsibility