Bug bounty or beg bounty?

•

0 likes•222 views

The first security technology bug bounty predated the Internet by over one hundred years: Alfred C Hobbs breaking an unbreakable lock at the Great Exhibition of 1851 for the princely sum of 200 Guineas. With the acceleration of technology adoption, unintended consequences, our adversaries, and the need to quickly understand how "unhackable" things really are, it's safe to say that things have escalated since then. In 2021, there as many who benefit from engaging the good-faith hacker community as there are folks who find themselves lost in a mish-mash of term confusion, unclear expectations, and general reservations - in spite of the increasingly obvious truth that "it takes an army of allies to overcome an army of adversaries". This breakout is for both. Casey John Ellis, the Founder, Chairman, and CTO of Bugcrowd, pioneer of the crowdsourced security as-a-service category, and co-founder of The Disclose.io Project will unpack the "family tree" of vulnerability disclosure, bug bounty, and crowdsourced security testing, frame up how we got here, and facilitate a discussion from the group about where it all goes next.

https://bugcrowd.com/try-bugcrowd
Bug bounty or beg bounty?
Casey Ellis - Blackhat EU CISO Summit 
November 2021

https://bugcrowd.com/try-bugcrowd
whoami
$ sudo hack.sh $ sudo hustle.sh
@caseyjohnellis

casey.ellis@bugcrowd.com

+1.415.530.1129

https://cje.io
Hacker > Pentester > Solutions guy > Serial entrepreneur

Founder/Chairman/CTO of Bugcrowd and  
Co-founder of The disclose.io Project

Pioneered Crowdsourced Security as-a-Service

20 years in Infosec

Proud Australian, husband, and father of two

Lives between Sydney, Australia and San Francisco, USA

https://bugcrowd.com/try-bugcrowd
agenda
How did we get here?

Tips for unsolicited contact

Broke vs Woke

Discussion

https://bugcrowd.com/try-bugcrowd
whois bugcrowd.com

https://bugcrowd.com/try-bugcrowd
How did we get here?

https://bugcrowd.com/try-bugcrowd
“Diversity is a critical yet often overlooked
factor in security and controls strategies.
Moving to a paid bounty gives us the ability
to attract a wider pool of ethically-trained
security researchers from across the
globe.”
Nick McKenzie, Bugcrowd CI&SO
Formerly NAB, Standard Chartered Bank, J.P. Morgan and UBS

No proactive program
Vulnerability
disclosure program
Bug bounty program
If vulnerability discovery
was lightning…

https://bugcrowd.com/try-bugcrowd
Vulnerability disclosure programs
Bug bounty programs
“Bug bounty platforms”
Crowdsourced security
Outsourced pentesting
Multi-player pentesting
“Bug bounty platforms”
Multi-sourced security
Open to the public Invitation-only

https://bugcrowd.com/try-bugcrowd
Broke vs Woke

https://bugcrowd.com/try-bugcrowd
• Do set clear expectations on what happens next and try to meet
them (Golden rule: Maintain expectations)

• Don’t entertain payment if payment isn’t proactively o
ff
ered

• Assume good-faith at the outset - Di
ff
erent languages, cultures,
and countries communicate di
ff
erently by default, and the initial
experience can be unsettling

• Do consider starting a VDP, at minimum, to align expectations and
get information to the right place

• Do reach out to experts like Bugcrowd or the NCSC to help you
through the process

https://bugcrowd.com/try-bugcrowd
Broke:

“Rub some blockchain/
automation/ML on it and it’ll go
away”

Woke:

“Cybersecurity is a people
problem, the technology just
makes it go faster.”

https://bugcrowd.com/try-bugcrowd
Broke:

Vulnerability Disclosure Programs
(VDP) as a marketing stunt

Woke:

VDP as a leading indicator of
security maturity, through the
acceptance of potential failure

https://bugcrowd.com/try-bugcrowd
Broke:

Bug bounty as a silver-bullet

Woke:

Bug bounty as a way for the
business to internalize that the
boogeyman is real

https://bugcrowd.com/try-bugcrowd
Broke:

Total payouts as a vanity metric

Woke:

Required payout as a business metric for
cost of attack

https://bugcrowd.com/try-bugcrowd
Broke:

Pentest as an assurance-only model

Woke:

Assurance + impact to create

builder/breaker feedback loops

https://bugcrowd.com/try-bugcrowd
Broke:

security@domain.com > /dev/null

Woke:

disclose.io

https://bugcrowd.com/try-bugcrowd
Discussion time

https://bugcrowd.com/try-bugcrowd

@caseyjohnellis

casey.ellis@bugcrowd.com 
+1.415.530.1129

https://cje.io
Thank you!
Questions?

It has been 20 years since Rainforest Puppy released the RFPolicy responsible disclosure policy, 11 years since Google and Facebook brought the concept of bug bounty into the eye of the security industry, and 9 years since Bugcrowd pioneered the concept of inserting a platform in the process to facilitate conversations between builders and breakers in order to level the skill and resourcing playing field against our adversaries. So, how’s it all going? Did it all turn out to be a “tech company” thing? What have the results, and the impact on cybersecurity defense been on more traditionally conservative industries, like financial services? What can the history of the relationship between helpful hackers and organizations tell us about what we’ll need for the future? In this talk, Casey Ellis (Founder, Chairman, and CTO of Bugcrowd) will unpack some salient lessons after nearly 10 years building Bugcrowd.

RELEASE THE HOUNDS, PART 2: 9 YEARS IS A LONG ASS TIME

Casey Ellis

Just over 8 years ago bug bounty was a shiny security thing that crazy tech companies did sometimes, the concept of a digital locksmith hadn't been established in the consumer yet, and the Internet was generally a smaller and less politicized place. Casey Ellis decided it might be a good idea to "release the hounds" into the status quo, launching Bugcrowd and kicking off the crowdsourced security as a service market category, and it's safe to say that a fair bit has happened since. This keynote is for infosec practitioners and budding cybersecurity entrepreneurs, talking through what we've learned, what's changed, where I think it's all going next, and where we can position ourselves to continue making the Internet a more resilient place.

#AusCERT2021 - Inside The Unlikely Romance Crowdsourced Security from a Finan...

Casey Ellis

KEYNOTE: Nullcon 2021 - Security Research and Disclosure - The Unauthorized B...

Casey Ellis

ACRNA Webinar #5: Cyber Security – The Unlikely Romance

Casey Ellis

When most folks hear the word “hacker” their reaction is one of fear, but those responsible for cybersecurity are increasingly understanding the role of the “digital locksmiths” amongst us. In this talk, Casey Ellis will unpack the unlikely romance between trusted, good-faith computer hackers, and the people who build and defend software infrastructure. He’ll share insights on how this feedback loop between builders and breakers has broken out of the early-adopter technology bubble to create a more resilient Internet for more traditionally conservative industries, including those where ICS/SCADA make up the core of their business. There will also be plenty of time for Q&A, so get your questions ready!

TechCrunch Early Stage 2020 - How to prioritize security at your startup

Casey Ellis

KEYNOTE: The Unlikely Romance: Part 2 - What Now?

Casey Ellis

Writing vuln reports that maximize payouts - Nullcon 2016

bugcrowd

This document discusses insecure direct object references (IDOR), which occur when a developer exposes references like file or database keys without access control. This allows attackers to access unauthorized data by manipulating the references. The document provides examples of IDOR vulnerabilities found in Twitter, Oculus, Square, Zapier, and WordPress. It emphasizes having a generic access control model, using user IDs instead of numeric IDs, and thoroughly reviewing code to prevent IDOR issues.

Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed

Mazin Ahmed

Bug Bounty #Defconlucknow2016

Shubham Gupta

The document discusses bug bounty hunting. It introduces Shubham Gupta and Yash Pandya who are security consultants and top bug hunters. It outlines the agenda which includes an introduction to bug bounty programs, reasons for bug hunting, how to find bugs, quick tips, proofs of concept, pros and cons, and a Q&A. It provides a brief history of bug bounty programs and notes that now anyone can participate from home. It discusses types of bugs and tools used for hunting. Quick tips include using Google dorks, testing for information disclosure vulnerabilities, and completing challenges to improve skills. Examples are provided of unique bugs found like SVG XSS and an IDOR issue found in Google.

The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016

Frans Rosén

Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He have recieved the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call 02:30 a Friday night, what to do when companies are sending him money without any reason and why Doctors without Borders are trying to hunt him down.

Bug Bounty - Hackers Job

Arbin Godar

This document discusses bug bounty programs, which pay security researchers monetary rewards for reporting qualifying security bugs to companies. It explains that bug bounties are a cost-effective way for companies to improve security. The document provides tips for getting started in bug hunting, such as practicing skills, reading materials, and thinking logically. Popular bug bounty programs and platforms are also listed.

Hackfest presentation.pptx

Peter Yaworski

Computer And Internet Security

JFashant

This presentation discusses computer and internet security. It explains that hackers seek personal information like passwords and credit card numbers. It recommends using antivirus software and secure passwords to protect against malware, viruses, and identity theft. Social networking sites can also pose privacy and security risks if too much personal information is shared. The presentation stresses the importance of computer security and limiting what information people share online.

Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...

Mazin Ahmed

Wordpress security best practices - WordCamp Waukesha 2017

vdrover

Bug Bounty - Play For Money

Shubham Gupta

This document provides an overview of bug bounty hunting. It discusses: - What bug bounty programs are and how they work - A brief history of major bug bounty programs from the 1990s to present day - Reasons to participate in bug bounty hunting like money, career opportunities, and enjoyment - Popular bug bounty platforms and programs - How to get started with the process of bug hunting - Tips for writing bug reports that document the issue and steps to reproduce it - Examples of past bug bounty finds, like an SVG XSS filter bypass and a tapjacking proof of concept

Building & Hacking Modern iOS Apps

SecuRing

After my offensive presentation "Testing iOS Apps without Jailbreak in 2018" it is time to focus also on building not just breaking. This talk will cover the most important milestones in reaching secure iOS/macOS apps. I'm going to show you how to develop modern & secure iOS/macOS apps using new security features presented at the latest Apple's Worldwide Developers Conference. Hackers will be satisfied as well, since I'm going to cover also pen tester's perspective. What's more - I will share with you details of multiple vulnerabilities (*including not disclosed previously*) that I found during security assessments and my research of Apple's applications.

5 Tips to Successfully Running a Bug Bounty Program

bugcrowd

How to Delete plus network.com

mariagoel7

Free Download http://www.reimage.com/includes/router_land.php?tracking=PiyushSites&banner=reimage.us.com&exec=run Buy Now http://www.reimageplus.com/includes/router_land.php?tracking=PiyushSites&banner=order-form&order=1&order_method=paypal Get securely delete plus network.com from the infected Windows computer using the best automatic plus network.com removal tool which safely remove this infection and protect your pc from further problems. Read More: http://uninstallpcvirus.blogspot.in/2013/03/quick-guide-to-uninstall-plusnetworkcom.html

Two-Factor Authentication Presentation

SamSmith537

This document provides sources for slides related to two-factor authentication and cybersecurity best practices. Sources include websites for authentication plugins and services, articles about password security and common passwords, images of authentication methods and phishing examples, and stock photos. The sources cover topics like hardware security keys, phone-based authentication, location-based authentication, and multi-factor vs two-factor authentication.

Extreme Hacking: Encrypted Networks SWAT style - Wayne Burke

EC-Council

Straight to the point, with the multitude of leaks, the latest new age hacking weapons have brought an onslaught of new attack vectors! This is one of the presentations you don’t want to miss! Wayne will be demonstrating highly modified custom mobile deployable network hacking cyber weapons, such as Network BlackBoxs, Evil WiFi Honeypots, custom USB delivered payloads and finally how we can take these weapons to the sky autonomously using various custom build drones.

LKNOG3 - Bug Bounty

LKNOG

A document discusses bug bounty programs and security research. It defines bug bounty programs as initiatives that reward individuals for discovering and ethically reporting software flaws. It discusses the history of bug bounties dating back to the 1980s. It also outlines why bug bounty programs are important for finding vulnerabilities before malicious hackers, and describes common vulnerabilities, critical vulnerabilities, and how to start a bug bounty program.

PGDAY EU 2016 workshop - privacy and security

Steve Gill

This document discusses privacy and security considerations for PhoneGap applications. It begins by introducing the presenter and defining key terms like security and privacy. It then discusses the relationship between security and privacy, noting that good security is needed to protect privacy. The document outlines various types of attacks that could be mounted against a PhoneGap app, like SQL injection, cross-site scripting, and man-in-the-middle attacks. It provides recommendations for mitigating these risks, such as using whitelisting, content security policy, and certificate pinning. The presentation concludes by providing additional security resources.

BugBounty Roadmap with Mohammed Adam

Mohammed Adam

Bug bounty roadmap covers various techniques for finding vulnerabilities such as understanding the target application flow, using passive reconnaissance tools to discover assets, hacking with Burp Suite to find bugs like XSS and SQLi, and keeping up with new trends to improve bounty hunting. The presentation emphasizes thorough preparation and research to avoid duplicate reports and better understand the target before launching attacks. It also provides tips for writing high-quality bug reports to build good relationships with security teams.

Top 10 Web Hacking Techniques of 2014

Quick Heal Technologies Ltd.

Bug bounty

n|u - The Open Security Community

This document discusses bug bounty programs (BBPs), which reward security researchers for responsibly disclosing software vulnerabilities. It introduces BBPs, noting they save companies money while improving security. Major companies like Google and Facebook run BBPs. The document outlines prerequisites for BBPs like learning security testing techniques. It provides tips for finding vulnerabilities like understanding a site's scope, tools, and avoiding duplicate reports. Common vulnerability types in BBPs include injection flaws and insecure data storage.

Hack The Capitol - The Unlikely Romance - Critical Infrastructure Edition

Casey Ellis

The document discusses the increasing adoption of crowdsourced security practices like vulnerability disclosure programs (VDP) and bug bounty programs within critical infrastructure sectors. It notes that while conservative sectors are slower to adopt these practices, regulatory pressure is accelerating their adoption. The document also observes that aging critical infrastructure organizations tend to have many publicly accessible initial access vectors, and that digital transformation compounds this issue. Finally, it discusses moving security practices from a "broke" to "woke" approach, emphasizing the human aspects of security rather than just technology.

Release The Hounds: Part 2 “11 Years Is A Long Ass Time”

Casey Ellis

Bugcrowd was founded at an inflection point in the history of the Internet and awareness of cybersecurity. A lot has changed since 2012 - to the cybersecurity industry, to the technology landscape, to the view of hackers as helpful and not just harmful, and - importantly - to the awareness of cybersecurity as "everyone's problem". In 2023, we find ourselves at a similar inflection point for our space. This keynote unpacks the last 11 years as a predictor of what is next, and as an encouragement and roadmap for budding cybersecurity entrepreneurs and solutioneers.

What's hot

How to steal and modify data using Business Logic flaws - Insecure Direct Obj...

Frans Rosén

Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed

Mazin Ahmed

Bug Bounty #Defconlucknow2016

Shubham Gupta

The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016

Frans Rosén

Bug Bounty - Hackers Job

Arbin Godar

Hackfest presentation.pptx

Peter Yaworski

Computer And Internet Security

JFashant

Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...

Mazin Ahmed

Wordpress security best practices - WordCamp Waukesha 2017

vdrover

Bug Bounty - Play For Money

Shubham Gupta

Building & Hacking Modern iOS Apps

SecuRing

5 Tips to Successfully Running a Bug Bounty Program

bugcrowd

How to Delete plus network.com

mariagoel7

Two-Factor Authentication Presentation

SamSmith537

Extreme Hacking: Encrypted Networks SWAT style - Wayne Burke

EC-Council

LKNOG3 - Bug Bounty

LKNOG

PGDAY EU 2016 workshop - privacy and security

Steve Gill

BugBounty Roadmap with Mohammed Adam

Mohammed Adam

Top 10 Web Hacking Techniques of 2014

Quick Heal Technologies Ltd.

Bug bounty

n|u - The Open Security Community

What's hot (20)

How to steal and modify data using Business Logic flaws - Insecure Direct Obj...

Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed

Bug Bounty #Defconlucknow2016

The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016

Bug Bounty - Hackers Job

Hackfest presentation.pptx

Computer And Internet Security

Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...

Wordpress security best practices - WordCamp Waukesha 2017

Bug Bounty - Play For Money

Building & Hacking Modern iOS Apps

5 Tips to Successfully Running a Bug Bounty Program

How to Delete plus network.com

Two-Factor Authentication Presentation

Extreme Hacking: Encrypted Networks SWAT style - Wayne Burke

LKNOG3 - Bug Bounty

PGDAY EU 2016 workshop - privacy and security

BugBounty Roadmap with Mohammed Adam

Top 10 Web Hacking Techniques of 2014

Bug bounty

Similar to Bug bounty or beg bounty?

Hack The Capitol - The Unlikely Romance - Critical Infrastructure Edition

Casey Ellis

Release The Hounds: Part 2 “11 Years Is A Long Ass Time”

Casey Ellis

Cyber security awareness presentation nepal

ICT Frame Magazine Pvt. Ltd.

This document is a summary of a webinar on cyber security and digital safety. It discusses various types of hackers, defines cyber crimes, and covers topics like social media security, mental health and cyber security, and how to protect websites from hacking. It provides scopes in the cyber security field and lists some dedicated cyber security companies in Nepal. The webinar aims to educate normal users on filing the cyber space safely.

Bulletproof IT Security

London School of Cyber Security

This document discusses strategies for achieving bulletproof IT security. It recommends establishing strong security policies, frequent employee training, ongoing self-assessments, encryption, asset management, and testing business continuity plans. It also stresses the importance of system hardening through vulnerability management and addressing issues like BYOD. The document provides numerous free tools and resources organizations can use to identify vulnerabilities, harden systems, and prevent malware.

Data Privacy for Activists

Greg Stromire

WordPress Security - Learning From Hacks

Tony Perez

This document discusses strategies for WordPress website security based on common attack scenarios. It describes how phishing attacks target users and how hackers have compromised websites by infecting plugins or exploiting vulnerabilities in connected applications like vBulletin forums. The key lessons are to verify all software sources, implement layered defenses like two-factor authentication, web application firewalls, integrity monitoring and backups, and isolate applications when possible. A defense-in-depth approach is necessary as no single measure prevents all attacks.

Blockchain for Impact Amy Neumann October 2019

Resourceful Nonprofit

How is blockchain affecting nonprofits, NGOs, social enterprise, and other organizations creating positive impact -- right now? This presentation gives examples and use cases, as well as resources and tools you can use to stay updated on trends in blockchain and other emerging technology. Presented at Better World Day 2019 in Cleveland, OH by Amy Neumann, founder and executive director of the 501(c)3 nonprofit, Free Tech for Nonprofits.

You Spent All That Money And Still Got Owned

Joe McCray

This talk will focus on practical methods of identifying and bypassing modern enterprise class security solutions such as Load Balancers, both Network and Host-based Intrusion Prevention Systems (IPSs), Web Application Firewalls (WAFs), and Network Access Control Solutions (NAC). The goal of this talk is to show IT Personnel the common weaknesses in popular security products and how those products should be configured. The key areas are: * IPS Identification and Evasion * WAF Identification and Bypass * Anti-Virus Bypass * Privilege Escalation * Becoming Domain Admin

Cyber Security Workshop @SPIT- 3rd October 2015

Nilesh Sapariya

Build Automate and Test Strategies - BATMAN

Eturnti Consulting Pvt Ltd

1. The document discusses strategies around automating security processes to keep pace with rapid software development cycles. It notes problems that arise when security cannot keep up, such as lack of business agility. 2. Automating security checks and integrating them into continuous integration/delivery pipelines is proposed as a solution. This includes running automated vulnerability scans on code check-ins and having security bugs break the build. 3. A cultural shift is needed where security is a shared responsibility and developers/operations staff understand security outputs. Continuous learning and improving processes will also help security scale effectively.

Security

Bob Cherry

Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned

fangjiafu

This document discusses penetration testing approaches from the past compared to today. It notes that in the past, penetration testing was easier because networks had fewer security controls like firewalls and patches. The document then provides tips and techniques for identifying security controls like load balancers, intrusion prevention systems, and web application firewalls that may be in place on modern networks. It also discusses ways to potentially bypass these controls like using encryption, proxies, or virtual private networks.

Why isn't infosec working? Did you turn it off and back on again?

Rob Fuller

BruCon 2019 Keynote -=> My name is Rob Fuller, I've been around a bit, not as long as some but longer than others. From the US military to government contracting, consulting, large companies, tiny startups and silicon valley behemoths, from podcasting to television, I've had a storied and humbling career in infosec. Let’s get past complaining about blinky lights and users. Let’s talk about what actually works and what doesn't.

Appsec usa roberthansen

drewz lin

This document provides a summary of a presentation by Robert Hansen on the future of browser security. Hansen argues that while browser developers want to improve security and privacy, their companies' business models focused on advertising revenue prohibit them from doing so. He outlines various techniques used by advertisers and browser companies to track users against their preferences. Hansen advocates for technical controls that allow users to opt out of tracking through a "can not track" approach, rather than relying on ineffective "do not track" policies. He concludes by discussing WhiteHat Security's focus on privacy and their plans to add more security and privacy features to their Aviator browser.

Defcamp 2013 - Does it pay to be a blackhat hacker

DefCamp

The document discusses different types of hackers - white hat, grey hat, and black hat. A white hat hacker conducts ethical hacking and security testing, while a black hat hacker violates security for personal gain or maliciousness. The document uses a real Apache PHP vulnerability as an example to show how a black hat hacker could potentially exploit it at large scale to infect millions of servers and earn millions setting up a powerful botnet to perform DDoS attacks and other illicit activities for profit, though this scenario is more science fiction. While financially lucrative, being a black hat hacker risks legal consequences like jail time.

Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker

Dan Vasile

This document summarizes a presentation about different types of hackers - white hat, grey hat, and black hat. White hats follow ethical practices like responsible disclosure. Grey hats sometimes act illegally but with good intentions. Black hats hack for personal gain or maliciousness. The document describes a real PHP vulnerability in Apache that allows remote code execution. It then discusses the potential financial gains but legal risks of different approaches like responsible disclosure, selling the exploit, or creating a large botnet to exploit it at scale for ongoing profits from criminal activities.

CheckPoint: Anatomy of an evolving bot

Group of company MUK

The document discusses various techniques used by malware and botnets to evade detection. It describes how malware authors bypass traditional detection methods through obfuscation, packing, encryption, and avoiding static or dynamic analysis. It also outlines potential solutions to these challenges such as using rootkits to subvert analysis machines, tapping into browsers to detect obfuscated code, and monitoring unusual process enumeration. The challenges of polymorphic malware generating numerous variants is also covered.

So you wanna be a pentester - free webinar to show you how

Joe McCray

I’ll be covering things like: - Some of the various types of penetration testing jobs - Education/Certification/Experience/Skill requirements - Should I have a degree – if so what type? - Should I have certifications – if so which ones? - Should I have work experience – if so what type? - What skills should I have prior to applying? - Do I need to be a good programmer? - Where can I get these skills if I’m not currently working in the field? - Security clearance requirements - What are good key words to use when searching IT job sites for pentesting jobs? - What to expect during the interview process - I’m not in the US, where can I find pentester work abroad? - How much money can I expect to make as a pentester? - The good the bad and the ugly…what the work is actually like day-in and day-out

Intro to INFOSEC

Sean Whalen

Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference

NSC42 Ltd

Similar to Bug bounty or beg bounty? (20)

Hack The Capitol - The Unlikely Romance - Critical Infrastructure Edition

Release The Hounds: Part 2 “11 Years Is A Long Ass Time”

Cyber security awareness presentation nepal

Bulletproof IT Security

Data Privacy for Activists

WordPress Security - Learning From Hacks

Blockchain for Impact Amy Neumann October 2019

You Spent All That Money And Still Got Owned

Cyber Security Workshop @SPIT- 3rd October 2015

Build Automate and Test Strategies - BATMAN

Security

Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned

Why isn't infosec working? Did you turn it off and back on again?

Appsec usa roberthansen

Defcamp 2013 - Does it pay to be a blackhat hacker

Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker

CheckPoint: Anatomy of an evolving bot

So you wanna be a pentester - free webinar to show you how

Intro to INFOSEC

Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference

More from Casey Ellis

CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd

Casey Ellis

GRIMMCon: disclose.io - Taking the Internet's Immune System to the Next Level

Casey Ellis

Of all the problems the internet has, there seems to be one that rules them all: It doesn’t understand how to work with it’s immune system. In this talk I’ll run through the past/present/future of the vulnerability disclosure, and give a run-through of disclose.io: an open-source and vendor-agnostic initiative to make conversations between builders and breakers safe, standardized, and simple. I’ll close with a Call To Action for all participants with simple ways to help and get involved.

KEYNOTE ComfyconAU 2020: disclose.io Vulnerability disclosure and Safe Harbor...

Casey Ellis

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

Casey Ellis

This document summarizes a presentation on cybersecurity legal issues for companies. It discusses the growing costs and impacts of cyberattacks like data breaches and ransomware. Bug bounty programs that hire security researchers are presented as a way for companies to find vulnerabilities, but they may also increase legal obligations to notify breaches. The role of legal counsel in addressing these issues is examined, including maintaining technical competence. Elements of effective cybersecurity programs and incident response planning are outlined to help mitigate risks and consequences.

Full Disclosure Debate - NBT 5

Casey Ellis

The document discusses the debate between full disclosure and proactive vulnerability disclosure. It defines full disclosure as publicly disclosing a vulnerability before notifying the vendor. The document argues that full disclosure is like an unavoidable aspect like death and taxes because parts of the internet will always be poor at proactive disclosure. It lists several reasons why full disclosure is considered bad, such as giving unsophisticated actors access to exploits, reinforcing negative stereotypes of hackers, and scaring people away from supporting proactive disclosure programs. The document concludes by arguing that hyping up low criticality vulnerabilities and clickbaity journalism can hurt the reputation and progress of the security community overall.

Webinar kym-casey-bug bounty tipping point webcast - po edits

Casey Ellis

Our 2016 State of Bug Bounty Report announced that bug bounty programs adoption has increased 210% since 2013. As more and more companies leverage the capabilities of the global researcher community to identify critical vulnerabilities, we must ask...has the bug bounty economy reached a tipping point? Join Bugcrowd as we unpack the top trends in crowdsourced cybersecurity and review the key findings from The State of Bug Bounty Report 2016. Webinar: https://www.brighttalk.com/webcast/14415/221275/the-bug-bounty-tipping-point-strength-in-numbers

NodeSummit 2016 - WELCOME TO THE BLUE TEAM! CREATING “OH SHIT” MOMENTS FOR FU...

Casey Ellis

Exploring the dynamics and relationship between the hacker community and the engineering coalface. Today’s cybersecurity battle is not a fair fight. The attackers — growing in numbers and sophistication — have overwhelmed the comparatively small pool of defenders. Add an engineering team that’s economically incentivized to ignore security, and you’re off to a bad start. This talk is story of what happens to engineers the first time some random kid 8,000 miles away hacks their stuff as a part of their bug bounty. It’s about its outsourcing the creation of the “oh shit” moment, and seeing your engineering team become a blue team. Why is this about pairing engineering teams with hackers specifically? Because it addresses a marked gap: people who build things for a living paired with people who break things for a living.

AppSecUSA - Your License for Bug Hunting Season

Casey Ellis

Tweet Share You don’t need a license for bug hunting season anymore. Bug bounty programs are becoming well established as a valuable tool in identifying vulnerabilities early. The Department of Defense has authorized its first bug bounty program, and many vendors are taking a fresh look. While the programs are highly effective, many questions remain about how to structure bug bounty programs to address the concerns that vendors and researchers have about controlling bug hunters, security and privacy, contractual issues with bug hunters, what happens if there is a rogue hacker in the crowd, and liability and compliance concerns. This presentation will cover the best practices for structuring effective bug bounty programs. Video: https://www.youtube.com/watch?v=ziUUyA0-zwg

ISSA CISO Summit 2017 - AN UNLIKELY ROMANCE THE CURRENT STATE OF BUG BOUNTIES

Casey Ellis

This document discusses bug bounty programs and their growing adoption. It addresses common objections to running bug bounty programs, such as them being too risky, expensive, or hard to manage. Data is presented showing bug bounties attract talented researchers who find critical issues quickly. Stories from companies highlight how bug bounties help expand security teams cost effectively. The document concludes by advising companies to align expectations, communicate openly, and pay bounty hunters fast and well to have healthy bug bounty relationships.

Introducing Bugcrowd

Casey Ellis

MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...

Casey Ellis

This document summarizes key topics from a presentation on cybersecurity issues and legal considerations, including: 1) Cyberattacks pose a significant and growing threat, with annual global costs of cybercrime estimated to rise from $3 trillion currently to $6 trillion by 2021. Data breaches continue to mount in size and frequency. 2) Responding to cyber incidents involves substantial costs beyond direct remediation, including brand impact, lost revenue, legal claims, and government fines. Companies are often under-resourced to address cybersecurity issues fully. 3) Bug bounty programs and security researchers can help companies identify vulnerabilities, but legal risks remain around disclosure of vulnerabilities to regulators or the public. Careful management

AusCERT 2016 - An Unlikely Romance: The Current State of Bug Bounties

Casey Ellis

Our current approach to security assessment is inherently flawed; automation tools only find what they are programmed to find and penetration testing is extremely limited. Bug bounties build upon and improve upon these existing application security testing tools by harnessing the human creativity of the whitehat researcher community with a pay-for-results rewards model. As a cyber security veteran, Casey will analyze the evolution of the application security industry over the past several years and address why the existing tools and practices are falling short. With data from hundreds of bug bounty programs, he will also show how bug bounties are bridging the gap between companies who need to find security flaws before they’re exploited, and the hackers at the table ready to help. https://2017.conference.auscert.org.au/speaker/casey-ellis/

Enigma 2018 - Combining the Power of Builders and Breakers

Casey Ellis

This document discusses bug bounty programs and crowdsourced security. It begins by introducing the founder and background of bug bounty programs. Then it discusses the problems they address like growing attack surfaces and skilled labor shortages. It outlines the current state of vulnerability disclosure programs, public and private bug bounties, and crowdsourced security. Case studies show bug bounties are effective at finding complex issues. Researchers tend to be educated with security experience. The future of these programs is seen as addressing consumer and legislative pressures. Tips are provided like starting small, aligning expectations, open communication, fast payment, and getting legal advice. It closes by calling for continued cooperation across stakeholders.

Welcome to the blue team! How building a better hacker accidentally built a b...

Casey Ellis

Security practitioners know that the threats that face an organization are always active, and that while defenders need to get everything right, a good attacker only needs to get one thing right. That’s all well and good for security practitioners, but what about the rest of the company? How do you transform security from a rather inconvenient checklist, to a nascent awareness of the threat? How do you get those responsible for providing your attack surface to ‘actually care about whether it’s secure or not?

More from Casey Ellis (14)

CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd

GRIMMCon: disclose.io - Taking the Internet's Immune System to the Next Level

KEYNOTE ComfyconAU 2020: disclose.io Vulnerability disclosure and Safe Harbor...

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

Full Disclosure Debate - NBT 5

Webinar kym-casey-bug bounty tipping point webcast - po edits

NodeSummit 2016 - WELCOME TO THE BLUE TEAM! CREATING “OH SHIT” MOMENTS FOR FU...

AppSecUSA - Your License for Bug Hunting Season

ISSA CISO Summit 2017 - AN UNLIKELY ROMANCE THE CURRENT STATE OF BUG BOUNTIES

Introducing Bugcrowd

MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...

AusCERT 2016 - An Unlikely Romance: The Current State of Bug Bounties

Enigma 2018 - Combining the Power of Builders and Breakers

Welcome to the blue team! How building a better hacker accidentally built a b...

Recently uploaded

Introduction of Cybersecurity with OSS at Code Europe 2024

Hiroshi SHIBATA

I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems. The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS. Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application. I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.

Energy Efficient Video Encoding for Cloud and Edge Computing Instances

Alpen-Adria-Universität

dbms calicut university B. sc Cs 4th sem.pdf

Shinana2

Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf

Malak Abu Hammad

Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers: * What is Vector Search? * Importance and benefits of vector search * Practical use cases across various industries * Step-by-step implementation guide * Live demos with code snippets * Enhancing LLM capabilities with vector search * Best practices and optimization strategies Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications. #MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology

Columbus Data & Analytics Wednesdays - June 2024

Jason Packer

Finale of the Year: Apply for Next One!

GDSC PJATK

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

akankshawande

leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...

alexjohnson7307

HCL Notes and Domino License Cost Reduction in the World of DLAU

panagenda

Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/ The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this! We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model. Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward. These topics will be covered - Reducing license cost by finding and fixing misconfigurations and superfluous accounts - How do CCB and CCX licenses really work? - Understanding the DLAU tool and how to best utilize it - Tips for common problem areas, like team mailboxes, functional/test users, etc - Practical examples and best practices to implement right away

Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...

saastr

Driving Business Innovation: Latest Generative AI Advancements & Success Story

Safe Software

Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency. During the hour, we’ll take you through: Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board. Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes. Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI. We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI. This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!

June Patch Tuesday

Ivanti

Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.

Letter and Document Automation for Bonterra Impact Management (fka Social Sol...

Jeffrey Haguewood

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on automated letter generation for Bonterra Impact Management using Google Workspace or Microsoft 365. Interested in deploying letter generation automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Building Production Ready Search Pipelines with Spark and Milvus

Zilliz

5th LF Energy Power Grid Model Meet-up Slides

DanBrown980551

5th Power Grid Model Meet-up It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology. Power Grid Model The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services. Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability. Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization. What to expect For the upcoming meetup we are organizing, we have an exciting lineup of activities planned: -Insightful presentations covering two practical applications of the Power Grid Model. -An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024. -An interactive brainstorming session to discuss and propose new feature requests. -An opportunity to connect with fellow Power Grid Model enthusiasts and users.

Ocean lotus Threat actors project by John Sitima 2024 (1).pptx

SitimaJohn

Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.

WeTestAthens: Postman's AI & Automation Techniques

Postman

Recommendation System using RAG Architecture

fredae14

Best 20 SEO Techniques To Improve Website Visibility In SERP

Pixlogix Infotech

Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...

Tatiana Kojar

Skybuffer AI, built on the robust SAP Business Technology Platform (SAP BTP), is the latest and most advanced version of our AI development, reaffirming our commitment to delivering top-tier AI solutions. Skybuffer AI harnesses all the innovative capabilities of the SAP BTP in the AI domain, from Conversational AI to cutting-edge Generative AI and Retrieval-Augmented Generation (RAG). It also helps SAP customers safeguard their investments into SAP Conversational AI and ensure a seamless, one-click transition to SAP Business AI. With Skybuffer AI, various AI models can be integrated into a single communication channel such as Microsoft Teams. This integration empowers business users with insights drawn from SAP backend systems, enterprise documents, and the expansive knowledge of Generative AI. And the best part of it is that it is all managed through our intuitive no-code Action Server interface, requiring no extensive coding knowledge and making the advanced AI accessible to more users.

Recently uploaded (20)

Introduction of Cybersecurity with OSS at Code Europe 2024

Energy Efficient Video Encoding for Cloud and Edge Computing Instances

dbms calicut university B. sc Cs 4th sem.pdf

Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf

Columbus Data & Analytics Wednesdays - June 2024

Finale of the Year: Apply for Next One!

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...

HCL Notes and Domino License Cost Reduction in the World of DLAU

Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...

Driving Business Innovation: Latest Generative AI Advancements & Success Story

June Patch Tuesday

Letter and Document Automation for Bonterra Impact Management (fka Social Sol...

Building Production Ready Search Pipelines with Spark and Milvus

5th LF Energy Power Grid Model Meet-up Slides

Ocean lotus Threat actors project by John Sitima 2024 (1).pptx

WeTestAthens: Postman's AI & Automation Techniques

Recommendation System using RAG Architecture

Best 20 SEO Techniques To Improve Website Visibility In SERP

Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...

Bug bounty or beg bounty?

1. The Crowdsourced Security Platform

2. https://bugcrowd.com/try-bugcrowd Bug bounty or beg bounty? Casey Ellis - Blackhat EU CISO Summit  November 2021

3. https://bugcrowd.com/try-bugcrowd whoami $ sudo hack.sh $ sudo hustle.sh @caseyjohnellis casey.ellis@bugcrowd.com +1.415.530.1129 https://cje.io Hacker > Pentester > Solutions guy > Serial entrepreneur Founder/Chairman/CTO of Bugcrowd and   Co-founder of The disclose.io Project Pioneered Crowdsourced Security as-a-Service 20 years in Infosec Proud Australian, husband, and father of two Lives between Sydney, Australia and San Francisco, USA

4. https://bugcrowd.com/try-bugcrowd agenda How did we get here? Tips for unsolicited contact Broke vs Woke Discussion

5. https://bugcrowd.com/try-bugcrowd whois bugcrowd.com

6. https://bugcrowd.com/try-bugcrowd How did we get here?

7. https://bugcrowd.com/try-bugcrowd

8. https://bugcrowd.com/try-bugcrowd “Diversity is a critical yet often overlooked factor in security and controls strategies. Moving to a paid bounty gives us the ability to attract a wider pool of ethically-trained security researchers from across the globe.” Nick McKenzie, Bugcrowd CI&SO Formerly NAB, Standard Chartered Bank, J.P. Morgan and UBS

9. No proactive program Vulnerability disclosure program Bug bounty program If vulnerability discovery was lightning…

10. https://bugcrowd.com/try-bugcrowd Vulnerability disclosure programs Bug bounty programs “Bug bounty platforms” Crowdsourced security Outsourced pentesting Multi-player pentesting “Bug bounty platforms” Multi-sourced security Open to the public Invitation-only

11. https://bugcrowd.com/try-bugcrowd Broke vs Woke

12. https://bugcrowd.com/try-bugcrowd • Do set clear expectations on what happens next and try to meet them (Golden rule: Maintain expectations) • Don’t entertain payment if payment isn’t proactively o ff ered • Assume good-faith at the outset - Di ff erent languages, cultures, and countries communicate di ff erently by default, and the initial experience can be unsettling • Do consider starting a VDP, at minimum, to align expectations and get information to the right place • Do reach out to experts like Bugcrowd or the NCSC to help you through the process

13. https://bugcrowd.com/try-bugcrowd Broke vs Woke

14. https://bugcrowd.com/try-bugcrowd Broke: “Rub some blockchain/ automation/ML on it and it’ll go away” Woke: “Cybersecurity is a people problem, the technology just makes it go faster.”

15. https://bugcrowd.com/try-bugcrowd Broke: Vulnerability Disclosure Programs (VDP) as a marketing stunt Woke: VDP as a leading indicator of security maturity, through the acceptance of potential failure

16. https://bugcrowd.com/try-bugcrowd Broke: Bug bounty as a silver-bullet Woke: Bug bounty as a way for the business to internalize that the boogeyman is real

17. https://bugcrowd.com/try-bugcrowd Broke: Total payouts as a vanity metric Woke: Required payout as a business metric for cost of attack

18. https://bugcrowd.com/try-bugcrowd Broke: Pentest as an assurance-only model Woke: Assurance + impact to create builder/breaker feedback loops

19. https://bugcrowd.com/try-bugcrowd Broke: security@domain.com > /dev/null Woke: disclose.io

20. https://bugcrowd.com/try-bugcrowd Discussion time

21. https://bugcrowd.com/try-bugcrowd @caseyjohnellis casey.ellis@bugcrowd.com  +1.415.530.1129 https://cje.io Thank you! Questions?

Bug bounty or beg bounty?

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Bug bounty or beg bounty?

Similar to Bug bounty or beg bounty? (20)

More from Casey Ellis

More from Casey Ellis (14)

Recently uploaded

Recently uploaded (20)

Bug bounty or beg bounty?