RELEASE THE HOUNDS, PART 2: 9 YEARS IS A LONG ASS TIME

•

0 likes•347 views

Just over 8 years ago bug bounty was a shiny security thing that crazy tech companies did sometimes, the concept of a digital locksmith hadn't been established in the consumer yet, and the Internet was generally a smaller and less politicized place. Casey Ellis decided it might be a good idea to "release the hounds" into the status quo, launching Bugcrowd and kicking off the crowdsourced security as a service market category, and it's safe to say that a fair bit has happened since. This keynote is for infosec practitioners and budding cybersecurity entrepreneurs, talking through what we've learned, what's changed, where I think it's all going next, and where we can position ourselves to continue making the Internet a more resilient place.

Technology

https://bugcrowd.com/try-bugcrowd
Release The Hounds: Part 2
“8 Years Is A Long Ass Time”
Casey Ellis - IsolationCon 2 Keynote 2021

https://bugcrowd.com/try-bugcrowd
#rip @dakami

:’(

https://bugcrowd.com/try-bugcrowd
whoami
Founder/Chairman/CTO of Bugcrowd and  
Founder of disclose.io

20 years in infosec

Pioneered Crowdsourced Security as-a-Service

Proud Australian, husband, and father of two

Lives in San Francisco, California IDK
$ sudo hack.sh $ sudo hustle.sh
@caseyjohnellis

https://cje.io

https://bugcrowd.com/try-bugcrowd
what are we talking about?
what we’ve been up to

what we’ve seen the industry do

where crowdsourcing/multisourcing is up to now

what comes next

q&a

https://bugcrowd.com/try-bugcrowd
1 March 2013

https://www.slideshare.net/bugcrowd/release-the-hounds-a-look-inside-bugcrowd-ruxmon-1-march-2013

https://bugcrowd.com/try-bugcrowd
0.1 1.0

https://bugcrowd.com/try-bugcrowd
2012
(RIP GOOD TIMES)

https://bugcrowd.com/try-bugcrowd
nekkminnit…

https://bugcrowd.com/try-bugcrowd
“All security is the product of
something bad happening”
…Magical SF Lyft driver

https://bugcrowd.com/try-bugcrowd
2013
“Hacking happens”

https://bugcrowd.com/try-bugcrowd
…followed by

https://bugcrowd.com/try-bugcrowd
2014
“Hacking happens to me”

https://bugcrowd.com/try-bugcrowd
2015
“Hacking happens to me and it hurts”

https://bugcrowd.com/try-bugcrowd
2016
“Hacking happens to my country”

https://bugcrowd.com/try-bugcrowd
2017
to
2020
“Software is eating
the world and bad
guys are eating the
software”

https://bugcrowd.com/try-bugcrowd
2020
“My employee’s 5 year old responsible for my corporate attack surface”

https://bugcrowd.com/try-bugcrowd
2021
“It’s turtles all the way down”

https://bugcrowd.com/try-bugcrowd
If it’s repeated enough at the dinner table,
it’ll end up in the board room.

https://bugcrowd.com/try-bugcrowd
…2021?

https://bugcrowd.com/try-bugcrowd
What was Bugcrowd
doing?

https://bugcrowd.com/try-bugcrowd
198 employees

$80M USD raised

157,194 vulns nuked

50M USD paid out

~200k signed up

1,000s of programs

https://bugcrowd.com/try-bugcrowd
Australian-based ASG

…also, we’re hiring ;)

https://bugcrowd.com/try-bugcrowd
#thoughtops

https://bugcrowd.com/try-bugcrowd
“I need security to be useful to
my business”
…Most CISOs in 2021

https://bugcrowd.com/try-bugcrowd
Business/Finance
Risk
Technical
Political
CISO

https://bugcrowd.com/try-bugcrowd
Humility
Skill
Empathy
h4xors

Broke:

“Rub some blockchain/
automation/ML on it and it’ll go
away”

Woke:

“Cybersecurity is a people
problem, the technology just
makes it go faster.”

Broke:

VDP as a marketing stunt

Woke:

VDP to show that failure is a part
of being human, and to jump-start
vulnerability remediation
processes

Broke:

Bug bounty as a vulnerability
swatting silver-bullet

Woke:

Bug bounty as a way for the
business to internalize that the
boogeyman is real

Broke:

Total payouts as a vanity metric

Woke:

Required payout as a business metric for
cost of attack

Broke:

Pentest as an assurance-only model

Woke:

Assurance & impact to create builder/
breaker feedback loops

Broke:

“China wouldn’t bother with my stuff”

Woke:

“How do I detect and contain a nation-
state assuming they are successful”

Broke:

security@domain.com > /dev/null

Woke:

disclose.io

https://bugcrowd.com/try-bugcrowd
In summary
The cybersecurity industry is only just getting started

Hackers have a seat at almost any table now

Good things happen when you step out

…so hence forth and be rad.

“A ship in
port is
safe…
…but
that’s not
what ships
are for”

https://bugcrowd.com/try-bugcrowd
Questions?
@caseyjohnellis

casey@bugcrowd.com

https://cje.io
Greetz to stu, sasquatch, jack, chloé, phil, fred, the TMHC
crew, bugcrowders, the disclose.io posse. Special greetz to
bitquark, n0x00, zephyr, zseano, and the OG #britcrowd
crew

#RIP @dakami

It has been 20 years since Rainforest Puppy released the RFPolicy responsible disclosure policy, 11 years since Google and Facebook brought the concept of bug bounty into the eye of the security industry, and 9 years since Bugcrowd pioneered the concept of inserting a platform in the process to facilitate conversations between builders and breakers in order to level the skill and resourcing playing field against our adversaries. So, how’s it all going? Did it all turn out to be a “tech company” thing? What have the results, and the impact on cybersecurity defense been on more traditionally conservative industries, like financial services? What can the history of the relationship between helpful hackers and organizations tell us about what we’ll need for the future? In this talk, Casey Ellis (Founder, Chairman, and CTO of Bugcrowd) will unpack some salient lessons after nearly 10 years building Bugcrowd.

TechCrunch Early Stage 2020 - How to prioritize security at your startup

Casey Ellis

Corncon 2021 - Inside the Unlikely Romance

Casey Ellis

KEYNOTE: Nullcon 2021 - Security Research and Disclosure - The Unauthorized B...

Casey Ellis

Bug bounty or beg bounty?

Casey Ellis

The first security technology bug bounty predated the Internet by over one hundred years: Alfred C Hobbs breaking an unbreakable lock at the Great Exhibition of 1851 for the princely sum of 200 Guineas. With the acceleration of technology adoption, unintended consequences, our adversaries, and the need to quickly understand how "unhackable" things really are, it's safe to say that things have escalated since then. In 2021, there as many who benefit from engaging the good-faith hacker community as there are folks who find themselves lost in a mish-mash of term confusion, unclear expectations, and general reservations - in spite of the increasingly obvious truth that "it takes an army of allies to overcome an army of adversaries". This breakout is for both. Casey John Ellis, the Founder, Chairman, and CTO of Bugcrowd, pioneer of the crowdsourced security as-a-service category, and co-founder of The Disclose.io Project will unpack the "family tree" of vulnerability disclosure, bug bounty, and crowdsourced security testing, frame up how we got here, and facilitate a discussion from the group about where it all goes next.

KEYNOTE: The Unlikely Romance: Part 2 - What Now?

Casey Ellis

20160613 TNC TERENA

University of Twente

How to steal and modify data using Business Logic flaws - Insecure Direct Obj...

Frans Rosén

This document discusses insecure direct object references (IDOR), which occur when a developer exposes references like file or database keys without access control. This allows attackers to access unauthorized data by manipulating the references. The document provides examples of IDOR vulnerabilities found in Twitter, Oculus, Square, Zapier, and WordPress. It emphasizes having a generic access control model, using user IDs instead of numeric IDs, and thoroughly reviewing code to prevent IDOR issues.

Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He have recieved the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call 02:30 a Friday night, what to do when companies are sending him money without any reason and why Doctors without Borders are trying to hunt him down.

NetVU Tech-4290/4390

jreverri

This document provides a list of security resources and blogs that can be used to stay informed about the latest threats and best practices for securing a network. It includes over 20 links to sites run by organizations like the Sans Internet Storm Center, Microsoft Malware Protection Center, and various security experts. The document also provides photo credits for any images used in an accompanying presentation.

WordPress Security - Learning From Hacks

Tony Perez

This document discusses strategies for WordPress website security based on common attack scenarios. It describes how phishing attacks target users and how hackers have compromised websites by infecting plugins or exploiting vulnerabilities in connected applications like vBulletin forums. The key lessons are to verify all software sources, implement layered defenses like two-factor authentication, web application firewalls, integrity monitoring and backups, and isolate applications when possible. A defense-in-depth approach is necessary as no single measure prevents all attacks.

Hackfest presentation.pptx

Peter Yaworski

Top 10 Web Hacking Techniques of 2014

Quick Heal Technologies Ltd.

Vigrx plus youtube

sekagode

Final Presentation

Lani-Girl Petrulo

"How to Destroy The Web". Bruce Lawson, Opera Software

Yandex

Two-Factor Authentication Presentation

SamSmith537

This document provides sources for slides related to two-factor authentication and cybersecurity best practices. Sources include websites for authentication plugins and services, articles about password security and common passwords, images of authentication methods and phishing examples, and stock photos. The sources cover topics like hardware security keys, phone-based authentication, location-based authentication, and multi-factor vs two-factor authentication.

Sucuri Webinar: How to Clean a Hacked Magento Website

Sucuri

TIP: Make sure you scroll to the last slide to view the video recording. On Feb 22, 2017, Sucuri Incident Responder, Cesar Anjos, presented this webinar as a step by step guide on how to clean a hacked Magento website. If your Magento website has been hacked, learn how to appropriately deal with the security incident, fix the hack, and secure your ecommerce website against future breaches. This webinar will take place on Wednesday, Feb 22nd at 11am PST. Following his presentation, Cesar will take questions from participants. Please complete the form to register. In this webinar you will learn how to: - Understand if there has been a compromise - Beginner - Determine the presence of credit card stealers - Intermediate/Advanced - Look for the most common credit card stealers - Intermediate - Handle potential data breaches - Intermediate - Remove most Magento infections - Beginner

Hacked - What do you do now?

Tony Perez

Sammy Virus

coolkyle

Microblogging Fast Fast Good Good

Dave Delaney

Api pain points

Phil Sturgeon

I've been building APIs for a long time now and it is becoming ever more common for server-side developer thanks to the rise of front-end JavaScript frameworks, iPhone applications and generally API-centric architectures. On one hand you're just grabbing stuff from a data source and shoving it out as JSON, but surviving changes in business logic, database schema updates, new or deprecated etc gets super difficult. This talk will outline the common pitfalls developers get trapped in when building APIs and outline methods to avoid them, including naming stuff badly then having to rename everything, when and how to use POST/PUT/PATCH, data structures, DDoSing yourself because pagination, picking your authentication system and all sorts of other stuff.

Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned

fangjiafu

This document discusses penetration testing approaches from the past compared to today. It notes that in the past, penetration testing was easier because networks had fewer security controls like firewalls and patches. The document then provides tips and techniques for identifying security controls like load balancers, intrusion prevention systems, and web application firewalls that may be in place on modern networks. It also discusses ways to potentially bypass these controls like using encryption, proxies, or virtual private networks.

There is something about Event

Eddie Kao

WordPress Security - Dealing With Today's Hacks

Tony Perez

The document discusses various security issues related to WordPress websites and provides recommendations for improving WordPress security. It covers common attacks like defacements, backdoors, phishing injections and malicious redirects. It demonstrates how commands like grep, curl and find can be used to detect these issues. The document emphasizes the importance of access control and updating WordPress and plugins. It also recommends security-focused plugins and resources.

Souders WPO Web2.0Expo

guest0b3d92d

This document summarizes Steve Souders' presentation on web performance optimization (WPO). It discusses how speed is the most important website feature and outlines techniques to improve performance like optimizing assets, reducing page weight, and leveraging caching. It also covers emerging trends like SPDY and improvements to third-party content. The key takeaways are that WPO matters significantly, new standards are coming, and guarding against slow third-party code.

Design of-steel-structures bhavakkati- by easy engineering.net

saibabu48

The document contains repeated text blocks noting that content was downloaded from www.EasyEngineering.net. It requests that other websites or blogs do not copy or republish the materials and to report any instances of finding the same materials with the EasyEngineering watermark. The document provides attribution to EasyEngineering.net as the source but does not contain any other substantive content.

Release The Hounds: Part 2 “11 Years Is A Long Ass Time”

Casey Ellis

Bugcrowd was founded at an inflection point in the history of the Internet and awareness of cybersecurity. A lot has changed since 2012 - to the cybersecurity industry, to the technology landscape, to the view of hackers as helpful and not just harmful, and - importantly - to the awareness of cybersecurity as "everyone's problem". In 2023, we find ourselves at a similar inflection point for our space. This keynote unpacks the last 11 years as a predictor of what is next, and as an encouragement and roadmap for budding cybersecurity entrepreneurs and solutioneers.

Hack The Capitol - The Unlikely Romance - Critical Infrastructure Edition

Casey Ellis

The document discusses the increasing adoption of crowdsourced security practices like vulnerability disclosure programs (VDP) and bug bounty programs within critical infrastructure sectors. It notes that while conservative sectors are slower to adopt these practices, regulatory pressure is accelerating their adoption. The document also observes that aging critical infrastructure organizations tend to have many publicly accessible initial access vectors, and that digital transformation compounds this issue. Finally, it discusses moving security practices from a "broke" to "woke" approach, emphasizing the human aspects of security rather than just technology.

What's hot

Writing vuln reports that maximize payouts - Nullcon 2016

bugcrowd

The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016

Frans Rosén

NetVU Tech-4290/4390

jreverri

WordPress Security - Learning From Hacks

Tony Perez

Hackfest presentation.pptx

Peter Yaworski

Top 10 Web Hacking Techniques of 2014

Quick Heal Technologies Ltd.

Vigrx plus youtube

sekagode

Final Presentation

Lani-Girl Petrulo

"How to Destroy The Web". Bruce Lawson, Opera Software

Yandex

Two-Factor Authentication Presentation

SamSmith537

Sucuri Webinar: How to Clean a Hacked Magento Website

Sucuri

Hacked - What do you do now?

Tony Perez

Sammy Virus

coolkyle

Microblogging Fast Fast Good Good

Dave Delaney

Api pain points

Phil Sturgeon

Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned

fangjiafu

There is something about Event

Eddie Kao

WordPress Security - Dealing With Today's Hacks

Tony Perez

Souders WPO Web2.0Expo

guest0b3d92d

Design of-steel-structures bhavakkati- by easy engineering.net

saibabu48

What's hot (20)

Writing vuln reports that maximize payouts - Nullcon 2016

The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016

NetVU Tech-4290/4390

WordPress Security - Learning From Hacks

Hackfest presentation.pptx

Top 10 Web Hacking Techniques of 2014

Vigrx plus youtube

Final Presentation

"How to Destroy The Web". Bruce Lawson, Opera Software

Two-Factor Authentication Presentation

Sucuri Webinar: How to Clean a Hacked Magento Website

Hacked - What do you do now?

Sammy Virus

Microblogging Fast Fast Good Good

Api pain points

Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned

There is something about Event

WordPress Security - Dealing With Today's Hacks

Souders WPO Web2.0Expo

Design of-steel-structures bhavakkati- by easy engineering.net

Similar to RELEASE THE HOUNDS, PART 2: 9 YEARS IS A LONG ASS TIME

Release The Hounds: Part 2 “11 Years Is A Long Ass Time”

Casey Ellis

Hack The Capitol - The Unlikely Romance - Critical Infrastructure Edition

Casey Ellis

ACRNA Webinar #5: Cyber Security – The Unlikely Romance

Casey Ellis

When most folks hear the word “hacker” their reaction is one of fear, but those responsible for cybersecurity are increasingly understanding the role of the “digital locksmiths” amongst us. In this talk, Casey Ellis will unpack the unlikely romance between trusted, good-faith computer hackers, and the people who build and defend software infrastructure. He’ll share insights on how this feedback loop between builders and breakers has broken out of the early-adopter technology bubble to create a more resilient Internet for more traditionally conservative industries, including those where ICS/SCADA make up the core of their business. There will also be plenty of time for Q&A, so get your questions ready!

Bug Bounty #Defconlucknow2016

Shubham Gupta

The document discusses bug bounty hunting. It introduces Shubham Gupta and Yash Pandya who are security consultants and top bug hunters. It outlines the agenda which includes an introduction to bug bounty programs, reasons for bug hunting, how to find bugs, quick tips, proofs of concept, pros and cons, and a Q&A. It provides a brief history of bug bounty programs and notes that now anyone can participate from home. It discusses types of bugs and tools used for hunting. Quick tips include using Google dorks, testing for information disclosure vulnerabilities, and completing challenges to improve skills. Examples are provided of unique bugs found like SVG XSS and an IDOR issue found in Google.

Cyber Security Workshop @SPIT- 3rd October 2015

Nilesh Sapariya

KEYNOTE ComfyconAU 2020: disclose.io Vulnerability disclosure and Safe Harbor...

Casey Ellis

Bug Bounty - Play For Money

Shubham Gupta

This document provides an overview of bug bounty hunting. It discusses: - What bug bounty programs are and how they work - A brief history of major bug bounty programs from the 1990s to present day - Reasons to participate in bug bounty hunting like money, career opportunities, and enjoyment - Popular bug bounty platforms and programs - How to get started with the process of bug hunting - Tips for writing bug reports that document the issue and steps to reproduce it - Examples of past bug bounty finds, like an SVG XSS filter bypass and a tapjacking proof of concept

Earn Money from bug bounty

Jay Nagar

This document provides a report on "Bugs Bounty – A Study". It begins with an introduction to bugs bounty programs, explaining that they are crowdsourcing initiatives that reward individuals for discovering and reporting software bugs. It then describes the process of launching and implementing a bugs bounty program from both a company and researcher perspective. The document examines the scope of bugs bounty programs in India, noting that some large Indian tech companies have programs but awareness and adoption remains low compared to other countries. It concludes that bugs bounty programs are relevant in India and could help improve cybersecurity if proper policies and frameworks were established.

How to Incorporate a Security-First Approach to Your Products by spiderSlik C...

Product School

This document discusses how product managers, engineers, and business stakeholders can incorporate security-first approaches into their work. It provides background on the speaker and outlines several trends in cybersecurity, such as misconfigurations becoming a major risk. It then offers specific actions each group can take, such as product managers nominating a security champion, engineers following the OWASP Top 10 guidelines and limiting permissions, and business stakeholders developing an emergency plan. Useful resources for further learning are also included.

Data Privacy for Activists

Greg Stromire

Croak.it ppt

Protik Roychowdhury

This document provides information about the voice messaging app Croak.it, including its launch details and positive press coverage. In its first 15 days, Croak.it gained over 12,000 unique recordings and 25,550 page views across 110 countries. It was featured in over 40 news sources in 7 languages. The document lists publications that wrote positively about Croak.it's ease of use and ability to share voice messages without language barriers.

Faster Secure Software Development with Continuous Deployment - PH Days 2013

Nick Galbreath

This document discusses moving to a continuous deployment model to improve software security. It argues that the traditional release-based model is harmful, especially for security, as it results in long delays between when code is written and deployed. Continuous deployment aims to deploy small changes frequently, with developers pushing their own code to production. This gets developers more invested in the quality and security of the code they write. It also allows faster fixing of bugs and security issues when they are found. The document outlines steps to gradually implement continuous deployment and address common concerns about its impact on quality, compliance, and customers.

Cutting Edge Search Technology SAScon May 2012

Steve Lock

The document discusses collective intelligence and coolhunting techniques. It provides examples of how coolhunting has been used to predict box office revenues, influence investment decisions, and help organizations make business and product decisions. The document also discusses related concepts like diffusion of innovation, swarm creativity, and structured markup. It provides links to additional resources for learning more about these topics and tools for working with collective intelligence.

Bulletproof IT Security

London School of Cyber Security

This document discusses strategies for achieving bulletproof IT security. It recommends establishing strong security policies, frequent employee training, ongoing self-assessments, encryption, asset management, and testing business continuity plans. It also stresses the importance of system hardening through vulnerability management and addressing issues like BYOD. The document provides numerous free tools and resources organizations can use to identify vulnerabilities, harden systems, and prevent malware.

The security phoenix - from the ashes of DEV-OPS Appsec California 2020

NSC42 Ltd

Title: The Security Phoenix Subtitle: From the ashes of DEVOPS Synopsis: The talk will take the audience on a path to integrate security in development covering aspect like SDLC, People and Technology, Metrix, and maturity matrix. The Talk will focus on several aspect like: • Visibility of vulnerabilities in production • Traceability of software built and source of the component • Visualization of vulnerabilities and target (Divide in quarter, Build vs Fix) • Maturity matrix and path to evolution with KCI • Advanced concepts like breaking the build, license to operate If time is available, the talk will explore some additional lesson learned rough length: Compressed 25+5 min long version 30 min Audience Take Away: ● How to build a cybersecurity programme with people and technology at the heart ● How and why to trace component and how they are built ● Why visibility in production and traceability is important ● How to set targets for product teams and what to measure in various phases ● How to involve risk assessment and where to apply governance ● Use cases to visualize vulnerabilities

Android mobile app security offensive security workshop

Abhinav Sejpal

The document discusses various techniques for analyzing and exploiting Android applications, including using Drozer to bypass activity validation, replicating data exposure issues across apps, reversing APKs to analyze and patch detection of root access, exploiting vulnerabilities in app webviews through injected JavaScript, and demonstrating API attacks. The presentation encourages participation in the security community to share knowledge and ideas.

Nbt con december-2014-slides

Behrouz Sadeghipour

Nbt con december-2014-slides

Behrouz Sadeghipour

The document provides an overview of bug bounty programs, including popular programs from Google, Yahoo, Facebook, and Microsoft. It discusses bug bounty platforms like Bugcrowd, Crowdcurity, HackerOne and SYNACK. The document offers tips for researchers on how to effectively find bugs, write quality reports, maximize payouts, and learn from other experienced researchers. The goal of bug bounty programs is to improve security by rewarding researchers for responsibly disclosing vulnerabilities.

You Spent All That Money And Still Got Owned

Joe McCray

This talk will focus on practical methods of identifying and bypassing modern enterprise class security solutions such as Load Balancers, both Network and Host-based Intrusion Prevention Systems (IPSs), Web Application Firewalls (WAFs), and Network Access Control Solutions (NAC). The goal of this talk is to show IT Personnel the common weaknesses in popular security products and how those products should be configured. The key areas are: * IPS Identification and Evasion * WAF Identification and Bypass * Anti-Virus Bypass * Privilege Escalation * Becoming Domain Admin

Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...

Mazin Ahmed

Similar to RELEASE THE HOUNDS, PART 2: 9 YEARS IS A LONG ASS TIME (20)

Release The Hounds: Part 2 “11 Years Is A Long Ass Time”

Hack The Capitol - The Unlikely Romance - Critical Infrastructure Edition

ACRNA Webinar #5: Cyber Security – The Unlikely Romance

Bug Bounty #Defconlucknow2016

Cyber Security Workshop @SPIT- 3rd October 2015

KEYNOTE ComfyconAU 2020: disclose.io Vulnerability disclosure and Safe Harbor...

Bug Bounty - Play For Money

Earn Money from bug bounty

How to Incorporate a Security-First Approach to Your Products by spiderSlik C...

Data Privacy for Activists

Croak.it ppt

Faster Secure Software Development with Continuous Deployment - PH Days 2013

Cutting Edge Search Technology SAScon May 2012

Bulletproof IT Security

The security phoenix - from the ashes of DEV-OPS Appsec California 2020

Android mobile app security offensive security workshop

Nbt con december-2014-slides

You Spent All That Money And Still Got Owned

Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...

More from Casey Ellis

CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd

Casey Ellis

GRIMMCon: disclose.io - Taking the Internet's Immune System to the Next Level

Casey Ellis

Of all the problems the internet has, there seems to be one that rules them all: It doesn’t understand how to work with it’s immune system. In this talk I’ll run through the past/present/future of the vulnerability disclosure, and give a run-through of disclose.io: an open-source and vendor-agnostic initiative to make conversations between builders and breakers safe, standardized, and simple. I’ll close with a Call To Action for all participants with simple ways to help and get involved.

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

Casey Ellis

This document summarizes a presentation on cybersecurity legal issues for companies. It discusses the growing costs and impacts of cyberattacks like data breaches and ransomware. Bug bounty programs that hire security researchers are presented as a way for companies to find vulnerabilities, but they may also increase legal obligations to notify breaches. The role of legal counsel in addressing these issues is examined, including maintaining technical competence. Elements of effective cybersecurity programs and incident response planning are outlined to help mitigate risks and consequences.

Full Disclosure Debate - NBT 5

Casey Ellis

The document discusses the debate between full disclosure and proactive vulnerability disclosure. It defines full disclosure as publicly disclosing a vulnerability before notifying the vendor. The document argues that full disclosure is like an unavoidable aspect like death and taxes because parts of the internet will always be poor at proactive disclosure. It lists several reasons why full disclosure is considered bad, such as giving unsophisticated actors access to exploits, reinforcing negative stereotypes of hackers, and scaring people away from supporting proactive disclosure programs. The document concludes by arguing that hyping up low criticality vulnerabilities and clickbaity journalism can hurt the reputation and progress of the security community overall.

Webinar kym-casey-bug bounty tipping point webcast - po edits

Casey Ellis

Our 2016 State of Bug Bounty Report announced that bug bounty programs adoption has increased 210% since 2013. As more and more companies leverage the capabilities of the global researcher community to identify critical vulnerabilities, we must ask...has the bug bounty economy reached a tipping point? Join Bugcrowd as we unpack the top trends in crowdsourced cybersecurity and review the key findings from The State of Bug Bounty Report 2016. Webinar: https://www.brighttalk.com/webcast/14415/221275/the-bug-bounty-tipping-point-strength-in-numbers

NodeSummit 2016 - WELCOME TO THE BLUE TEAM! CREATING “OH SHIT” MOMENTS FOR FU...

Casey Ellis

Exploring the dynamics and relationship between the hacker community and the engineering coalface. Today’s cybersecurity battle is not a fair fight. The attackers — growing in numbers and sophistication — have overwhelmed the comparatively small pool of defenders. Add an engineering team that’s economically incentivized to ignore security, and you’re off to a bad start. This talk is story of what happens to engineers the first time some random kid 8,000 miles away hacks their stuff as a part of their bug bounty. It’s about its outsourcing the creation of the “oh shit” moment, and seeing your engineering team become a blue team. Why is this about pairing engineering teams with hackers specifically? Because it addresses a marked gap: people who build things for a living paired with people who break things for a living.

AppSecUSA - Your License for Bug Hunting Season

Casey Ellis

Tweet Share You don’t need a license for bug hunting season anymore. Bug bounty programs are becoming well established as a valuable tool in identifying vulnerabilities early. The Department of Defense has authorized its first bug bounty program, and many vendors are taking a fresh look. While the programs are highly effective, many questions remain about how to structure bug bounty programs to address the concerns that vendors and researchers have about controlling bug hunters, security and privacy, contractual issues with bug hunters, what happens if there is a rogue hacker in the crowd, and liability and compliance concerns. This presentation will cover the best practices for structuring effective bug bounty programs. Video: https://www.youtube.com/watch?v=ziUUyA0-zwg

ISSA CISO Summit 2017 - AN UNLIKELY ROMANCE THE CURRENT STATE OF BUG BOUNTIES

Casey Ellis

This document discusses bug bounty programs and their growing adoption. It addresses common objections to running bug bounty programs, such as them being too risky, expensive, or hard to manage. Data is presented showing bug bounties attract talented researchers who find critical issues quickly. Stories from companies highlight how bug bounties help expand security teams cost effectively. The document concludes by advising companies to align expectations, communicate openly, and pay bounty hunters fast and well to have healthy bug bounty relationships.

Introducing Bugcrowd

Casey Ellis

MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...

Casey Ellis

This document summarizes key topics from a presentation on cybersecurity issues and legal considerations, including: 1) Cyberattacks pose a significant and growing threat, with annual global costs of cybercrime estimated to rise from $3 trillion currently to $6 trillion by 2021. Data breaches continue to mount in size and frequency. 2) Responding to cyber incidents involves substantial costs beyond direct remediation, including brand impact, lost revenue, legal claims, and government fines. Companies are often under-resourced to address cybersecurity issues fully. 3) Bug bounty programs and security researchers can help companies identify vulnerabilities, but legal risks remain around disclosure of vulnerabilities to regulators or the public. Careful management

AusCERT 2016 - An Unlikely Romance: The Current State of Bug Bounties

Casey Ellis

Our current approach to security assessment is inherently flawed; automation tools only find what they are programmed to find and penetration testing is extremely limited. Bug bounties build upon and improve upon these existing application security testing tools by harnessing the human creativity of the whitehat researcher community with a pay-for-results rewards model. As a cyber security veteran, Casey will analyze the evolution of the application security industry over the past several years and address why the existing tools and practices are falling short. With data from hundreds of bug bounty programs, he will also show how bug bounties are bridging the gap between companies who need to find security flaws before they’re exploited, and the hackers at the table ready to help. https://2017.conference.auscert.org.au/speaker/casey-ellis/

Enigma 2018 - Combining the Power of Builders and Breakers

Casey Ellis

This document discusses bug bounty programs and crowdsourced security. It begins by introducing the founder and background of bug bounty programs. Then it discusses the problems they address like growing attack surfaces and skilled labor shortages. It outlines the current state of vulnerability disclosure programs, public and private bug bounties, and crowdsourced security. Case studies show bug bounties are effective at finding complex issues. Researchers tend to be educated with security experience. The future of these programs is seen as addressing consumer and legislative pressures. Tips are provided like starting small, aligning expectations, open communication, fast payment, and getting legal advice. It closes by calling for continued cooperation across stakeholders.

Welcome to the blue team! How building a better hacker accidentally built a b...

Casey Ellis

Security practitioners know that the threats that face an organization are always active, and that while defenders need to get everything right, a good attacker only needs to get one thing right. That’s all well and good for security practitioners, but what about the rest of the company? How do you transform security from a rather inconvenient checklist, to a nascent awareness of the threat? How do you get those responsible for providing your attack surface to ‘actually care about whether it’s secure or not?

More from Casey Ellis (13)

CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd

GRIMMCon: disclose.io - Taking the Internet's Immune System to the Next Level

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

Full Disclosure Debate - NBT 5

Webinar kym-casey-bug bounty tipping point webcast - po edits

NodeSummit 2016 - WELCOME TO THE BLUE TEAM! CREATING “OH SHIT” MOMENTS FOR FU...

AppSecUSA - Your License for Bug Hunting Season

ISSA CISO Summit 2017 - AN UNLIKELY ROMANCE THE CURRENT STATE OF BUG BOUNTIES

Introducing Bugcrowd

MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...

AusCERT 2016 - An Unlikely Romance: The Current State of Bug Bounties

Enigma 2018 - Combining the Power of Builders and Breakers

Welcome to the blue team! How building a better hacker accidentally built a b...

Recently uploaded

Operating System Used by Users in day-to-day life.pptx

Pravash Chandra Das

Dive into the realm of operating systems (OS) with Pravash Chandra Das, a seasoned Digital Forensic Analyst, as your guide. 🚀 This comprehensive presentation illuminates the core concepts, types, and evolution of OS, essential for understanding modern computing landscapes. Beginning with the foundational definition, Das clarifies the pivotal role of OS as system software orchestrating hardware resources, software applications, and user interactions. Through succinct descriptions, he delineates the diverse types of OS, from single-user, single-task environments like early MS-DOS iterations, to multi-user, multi-tasking systems exemplified by modern Linux distributions. Crucial components like the kernel and shell are dissected, highlighting their indispensable functions in resource management and user interface interaction. Das elucidates how the kernel acts as the central nervous system, orchestrating process scheduling, memory allocation, and device management. Meanwhile, the shell serves as the gateway for user commands, bridging the gap between human input and machine execution. 💻 The narrative then shifts to a captivating exploration of prominent desktop OSs, Windows, macOS, and Linux. Windows, with its globally ubiquitous presence and user-friendly interface, emerges as a cornerstone in personal computing history. macOS, lauded for its sleek design and seamless integration with Apple's ecosystem, stands as a beacon of stability and creativity. Linux, an open-source marvel, offers unparalleled flexibility and security, revolutionizing the computing landscape. 🖥️ Moving to the realm of mobile devices, Das unravels the dominance of Android and iOS. Android's open-source ethos fosters a vibrant ecosystem of customization and innovation, while iOS boasts a seamless user experience and robust security infrastructure. Meanwhile, discontinued platforms like Symbian and Palm OS evoke nostalgia for their pioneering roles in the smartphone revolution. The journey concludes with a reflection on the ever-evolving landscape of OS, underscored by the emergence of real-time operating systems (RTOS) and the persistent quest for innovation and efficiency. As technology continues to shape our world, understanding the foundations and evolution of operating systems remains paramount. Join Pravash Chandra Das on this illuminating journey through the heart of computing. 🌟

Letter and Document Automation for Bonterra Impact Management (fka Social Sol...

Jeffrey Haguewood

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on automated letter generation for Bonterra Impact Management using Google Workspace or Microsoft 365. Interested in deploying letter generation automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Choosing The Best AWS Service For Your Website + API.pptx

Brandon Minnick, MBA

Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API? Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose? Which one is cheapest? Which one is fastest? Which one will scale to meet our needs? Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!

GenAI Pilot Implementation in the organizations

kumardaparthi1024

Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...

Jeffrey Haguewood

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on integration of Salesforce with Bonterra Impact Management. Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Programming Foundation Models with DSPy - Meetup Slides

Zilliz

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU

panagenda

Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/ DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen! Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell. Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten. Diese Themen werden behandelt - Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten - Wie funktionieren CCB- und CCX-Lizenzen wirklich? - Verstehen des DLAU-Tools und wie man es am besten nutzt - Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw. - Praxisbeispiele und Best Practices zum sofortigen Umsetzen

A Comprehensive Guide to DeFi Development Services in 2024

Intelisync

DeFi represents a paradigm shift in the financial industry. Instead of relying on traditional, centralized institutions like banks, DeFi leverages blockchain technology to create a decentralized network of financial services. This means that financial transactions can occur directly between parties, without intermediaries, using smart contracts on platforms like Ethereum. In 2024, we are witnessing an explosion of new DeFi projects and protocols, each pushing the boundaries of what’s possible in finance. In summary, DeFi in 2024 is not just a trend; it’s a revolution that democratizes finance, enhances security and transparency, and fosters continuous innovation. As we proceed through this presentation, we'll explore the various components and services of DeFi in detail, shedding light on how they are transforming the financial landscape. At Intelisync, we specialize in providing comprehensive DeFi development services tailored to meet the unique needs of our clients. From smart contract development to dApp creation and security audits, we ensure that your DeFi project is built with innovation, security, and scalability in mind. Trust Intelisync to guide you through the intricate landscape of decentralized finance and unlock the full potential of blockchain technology. Ready to take your DeFi project to the next level? Partner with Intelisync for expert DeFi development services today!

Main news related to the CCS TSI 2023 (2023/1695)

Jakub Marek

An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers. The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 . The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .

Fueling AI with Great Data with Airbyte Webinar

Zilliz

Driving Business Innovation: Latest Generative AI Advancements & Success Story

Safe Software

Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency. During the hour, we’ll take you through: Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board. Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes. Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI. We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI. This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!

Recommendation System using RAG Architecture

fredae14

Introduction of Cybersecurity with OSS at Code Europe 2024

Hiroshi SHIBATA

I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems. The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS. Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application. I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.

Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...

saastr

Skybuffer SAM4U tool for SAP license adoption

Tatiana Kojar

Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool. SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.

5th LF Energy Power Grid Model Meet-up Slides

DanBrown980551

5th Power Grid Model Meet-up It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology. Power Grid Model The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services. Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability. Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization. What to expect For the upcoming meetup we are organizing, we have an exciting lineup of activities planned: -Insightful presentations covering two practical applications of the Power Grid Model. -An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024. -An interactive brainstorming session to discuss and propose new feature requests. -An opportunity to connect with fellow Power Grid Model enthusiasts and users.

Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...

saastr

Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr

saastr

Azure API Management to expose backend services securely

Dinusha Kumarasiri

Presentation of the OECD Artificial Intelligence Review of Germany

innovationoecd

Recently uploaded (20)

Operating System Used by Users in day-to-day life.pptx

Letter and Document Automation for Bonterra Impact Management (fka Social Sol...

Choosing The Best AWS Service For Your Website + API.pptx

GenAI Pilot Implementation in the organizations

Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...

Programming Foundation Models with DSPy - Meetup Slides

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU

A Comprehensive Guide to DeFi Development Services in 2024

Main news related to the CCS TSI 2023 (2023/1695)

Fueling AI with Great Data with Airbyte Webinar

Driving Business Innovation: Latest Generative AI Advancements & Success Story

Recommendation System using RAG Architecture

Introduction of Cybersecurity with OSS at Code Europe 2024

Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...

Skybuffer SAM4U tool for SAP license adoption

5th LF Energy Power Grid Model Meet-up Slides

Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...

Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr

Azure API Management to expose backend services securely

Presentation of the OECD Artificial Intelligence Review of Germany

RELEASE THE HOUNDS, PART 2: 9 YEARS IS A LONG ASS TIME

1. https://bugcrowd.com/try-bugcrowd Release The Hounds: Part 2 “8 Years Is A Long Ass Time” Casey Ellis - IsolationCon 2 Keynote 2021

2. https://bugcrowd.com/try-bugcrowd #rip @dakami :’(

3. https://bugcrowd.com/try-bugcrowd

4. https://bugcrowd.com/try-bugcrowd whoami Founder/Chairman/CTO of Bugcrowd and   Founder of disclose.io 20 years in infosec Pioneered Crowdsourced Security as-a-Service Proud Australian, husband, and father of two Lives in San Francisco, California IDK $ sudo hack.sh $ sudo hustle.sh @caseyjohnellis https://cje.io

5. https://bugcrowd.com/try-bugcrowd what are we talking about? what we’ve been up to what we’ve seen the industry do where crowdsourcing/multisourcing is up to now what comes next q&a

6. https://bugcrowd.com/try-bugcrowd 1 March 2013 https://www.slideshare.net/bugcrowd/release-the-hounds-a-look-inside-bugcrowd-ruxmon-1-march-2013

7. https://bugcrowd.com/try-bugcrowd

8. https://bugcrowd.com/try-bugcrowd 0.1 1.0

9. https://bugcrowd.com/try-bugcrowd

10. https://bugcrowd.com/try-bugcrowd

11. https://bugcrowd.com/try-bugcrowd 2012 (RIP GOOD TIMES)

12. https://bugcrowd.com/try-bugcrowd

13. https://bugcrowd.com/try-bugcrowd nekkminnit…

14. https://bugcrowd.com/try-bugcrowd “All security is the product of something bad happening” …Magical SF Lyft driver

15. https://bugcrowd.com/try-bugcrowd 2013 “Hacking happens”

16. https://bugcrowd.com/try-bugcrowd …followed by

17. https://bugcrowd.com/try-bugcrowd 2014 “Hacking happens to me”

18. https://bugcrowd.com/try-bugcrowd 2015 “Hacking happens to me and it hurts”

19. https://bugcrowd.com/try-bugcrowd 2016 “Hacking happens to my country”

20. https://bugcrowd.com/try-bugcrowd 2017 to 2020 “Software is eating the world and bad guys are eating the software”

21. https://bugcrowd.com/try-bugcrowd 2020 “My employee’s 5 year old responsible for my corporate attack surface”

22. https://bugcrowd.com/try-bugcrowd 2021 “It’s turtles all the way down”

23. https://bugcrowd.com/try-bugcrowd If it’s repeated enough at the dinner table, it’ll end up in the board room.

24. https://bugcrowd.com/try-bugcrowd

25. https://bugcrowd.com/try-bugcrowd …2021?

26. https://bugcrowd.com/try-bugcrowd

27. https://bugcrowd.com/try-bugcrowd What was Bugcrowd doing?

28. https://bugcrowd.com/try-bugcrowd 2.0

29. https://bugcrowd.com/try-bugcrowd 3.0

30. https://bugcrowd.com/try-bugcrowd 4.0

31. https://bugcrowd.com/try-bugcrowd 198 employees $80M USD raised 157,194 vulns nuked 50M USD paid out ~200k signed up 1,000s of programs

32. https://bugcrowd.com/try-bugcrowd

33. https://bugcrowd.com/try-bugcrowd

34. https://bugcrowd.com/try-bugcrowd

35. https://bugcrowd.com/try-bugcrowd Australian-based ASG …also, we’re hiring ;)

36. https://bugcrowd.com/try-bugcrowd #thoughtops

37. https://bugcrowd.com/try-bugcrowd “I need security to be useful to my business” …Most CISOs in 2021

38. https://bugcrowd.com/try-bugcrowd Business/Finance Risk Technical Political CISO

39. https://bugcrowd.com/try-bugcrowd Humility Skill Empathy h4xors

40. Broke: “Rub some blockchain/ automation/ML on it and it’ll go away” Woke: “Cybersecurity is a people problem, the technology just makes it go faster.”

41. Broke: VDP as a marketing stunt Woke: VDP to show that failure is a part of being human, and to jump-start vulnerability remediation processes

42. Broke: Bug bounty as a vulnerability swatting silver-bullet Woke: Bug bounty as a way for the business to internalize that the boogeyman is real

43. Broke: Total payouts as a vanity metric Woke: Required payout as a business metric for cost of attack

44. Broke: Pentest as an assurance-only model Woke: Assurance & impact to create builder/ breaker feedback loops

45. Broke: “China wouldn’t bother with my stuff” Woke: “How do I detect and contain a nation- state assuming they are successful”

46. Broke: security@domain.com > /dev/null Woke: disclose.io

47. disclose.io - Fixing the Internet’s Auto-Immune Problem - Open Source Disclosure Policy Framework - Safe Harbor logo recognition - Public directory of adopters and search tools for hunters - Legal standardization of vulnerability disclosure language - Safe Harbor for good-faith hackers - Rewarding proactive behavior on the company Get involved: Ping us at hello@disclose.io

48. https://bugcrowd.com/try-bugcrowd In summary The cybersecurity industry is only just getting started Hackers have a seat at almost any table now Good things happen when you step out …so hence forth and be rad.

49. “A ship in port is safe… …but that’s not what ships are for”

50. https://bugcrowd.com/try-bugcrowd Questions? @caseyjohnellis casey@bugcrowd.com https://cje.io Greetz to stu, sasquatch, jack, chloé, phil, fred, the TMHC crew, bugcrowders, the disclose.io posse. Special greetz to bitquark, n0x00, zephyr, zseano, and the OG #britcrowd crew #RIP @dakami

RELEASE THE HOUNDS, PART 2: 9 YEARS IS A LONG ASS TIME

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to RELEASE THE HOUNDS, PART 2: 9 YEARS IS A LONG ASS TIME

Similar to RELEASE THE HOUNDS, PART 2: 9 YEARS IS A LONG ASS TIME (20)

More from Casey Ellis

More from Casey Ellis (13)

Recently uploaded

Recently uploaded (20)

RELEASE THE HOUNDS, PART 2: 9 YEARS IS A LONG ASS TIME