3. Trends
3.5 million unfulfilled security positions worldwide by 2021.
Cyber incidents are leading global business risks in 2019.
By 2022, automated and Crowdsourced Security Testing Platform products and services will be employed by more than 50% of enterprises, up from less than 5% today.
6. Vulnerability Disclosure Policy
● Guidelines for vulnerability disclosure
● See something? Say something!
● No cash rewards
● Independent researchers
● Various backgrounds
● Ongoing
● Compliance (ISO 29147, ISO 30111)
Penetration Testing
● Traditional approach
● Consulting arrangement
● Fixed project price
● Limited in number of researchers
● Limited in skills
● Limited in time
● Compensation based on process
Bug Bounty Program
● Crowdsourced approach
● Terms and Conditions
● Cash rewards
● Hundreds of researchers
● Various backgrounds
● Ongoing
● Compensation based on bugs
Security Measures
7. Where does it fit?
* based on “The Building Security in Maturity Model” by Gary McGraw, Ph.D., Sammy Migues, and Jacob West
8. * based on the ENISA report “Economics of vulnerability disclosure” by Erik Silfversten, William Phillips, Giacomo Persi Paoli (RAND Europe) and Cosmin Ciobanu (ENISA)
9. Types of Crowdsourced Security
Type/Feature | Responsible Disclosure | Public Bounty          | Private Bounty        | Time Bound Bounty | Live Hacking
Incentive    | Recognition            | Monetary               | Monetary              | Monetary          | Monetary
Access       | Public                 | Public                 | Private               | Private/Public    | Private
Scope        | Full Coverage          | Full Coverage          | Full/Partial Coverage | Specific Target   | Full Coverage
Duration     | Continuous             | Continuous             | Continuous            | 1-2 months        | 1-3 days
10. Bug Bounty History
93% of the Forbes Global 2000 have no public way to report a vulnerability
12. Vulnerability Disclosure in Government Sector
Country        | Dates                        | Type       | Hackers | Bugs  | Bounty Budget
USA            | March 2016 - now             | Bug Bounty | 1400    | 3,000 | $330,000
Singapore      | December 2018 - January 2019 | Bug Bounty | 400     | 26    | $11,750
Switzerland    | February 2019 - March 2019   | Bug Bounty | 1000+   | 67    | $150,000
European Union | January 2019 - now           | Bug Bounty | 100+    | 200+  | $973,000
Netherlands    | January 2013 - now           | VDP        |         |       |
United Kingdom | November 2018 - now          | VDP        |         |       |
France         | Announced                    |            |         |       |
15. Live Hacking Events in Ukraine
2017, Kharkiv: 25 hackers, 4 companies, 60 reports
2018, Kyiv: 25 hackers, 3 companies, 102 reports
2019, Kyiv: 12 hackers, 1 company, 54 reports
16. Myth # 1: Hackers can’t be trusted
Myth # 2: Some important data can be stolen during a bug bounty program
Myth # 3: Bug bounty programs attract additional attention from hackers
Myth # 4: Bug bounty program is a very risky action
Myths and Facts
17. Why Think About Bug Bounty Today
Eliminate critical vulnerabilities from your product
Learn what hackers know about your software and security
Reduce the risk of cybercriminals by using ethical hackers to find bugs first
Get continuous feedback about your security
18. Evgenia Broshevan
CEO of HackenProof
e.broshevan@hackenproof.com
@jerh17
Be proactive, not reactive!