Hunting Bugs - Running a Bug Bounty Program

Slide deck put together for https://c0r0n4con.com/ (April 2020)

Abstract

Security best practices can't guarantee that a system or app is 100% free of bugs, so we have to detect bugs and vulnerabilities before the bad guys are able to exploit them. Join us to hear the experience (takeaways and challenges) of running a Bug Bounty program in a financial institution, bringing together the hacker community, AppSec and CSIRT teams.

Outline

We have heard a lot about Bug Bounty (BB) programs and how security researchers have been making a lot of money by reporting bugs. Too much has been said from the researchers' perspective, and too little from the companies running a BB program.

An evolution of the endless Responsible Disclosure discussions and Vulnerability Report Programs, Bug Bounty programs have become a new trend in the information security industry, providing a valid communication channel for external entities to report the existence of bugs and vulnerabilities in a company's platform and services.

In this talk we will discuss the experience of a Brazilian bank in implementing a bug bounty program as part of its application security strategy. From the point of view of an organization running a bug bounty program, we will present the challenges and benefits (expected and unexpected ones).

A BB program also brings the researcher community closer to the industry, representing a relevant initiative to strengthen the relationship with the information security community. Running a BB program also demands a strong commitment to having the issues fixed, and it improves information security visibility across the organization.

Since a vulnerability can represent severe losses, detection and response are critical for the business. In order to have a proper response time for reported vulnerabilities, the CSIRT and AppSec teams play a key role in the BB program by leading the remediation efforts whenever necessary.