View this ondemand webinar here: https://pages.bugcrowd.com/7-bug-bounty-myths-busted-ondemand-webinar About the content: Despite thousands of large and small organizations running bug bounty programs, there is still a lot of fear and uncertainty about these in the cybersecurity community. In this recorded webinar we will explore 7 myths about Bug Bounty programs, the hackers who are involved, and the impact they are having on the security posture of organizations around the world. After viewing this presentation and ondemand webinar you will: 1. Learn if a bug bounty program is right for your organization 2. Understand if a bug bounty encourages hackers to attack your systems 3. Explore the real benefits of bug bounty programs – and find out if they actually work 4. Get insight on whether these programs are too hard and costly to manage

1. 7 Bug Bounty Myths

2. What Is a Bug Bounty?

3. 3
What is a Bug Bounty?
For Those of You Who Are New
To companies and
their applications
in exchange for…
Where
independent
security
researchers all
over the word
f
Think of it as a competition…
Find & report
vulnerabilities
Rewards

4. Poll
(Single Select)
Question: I believe our organization’s security could be improved with the
addition of a bug bounty program?
• Strongly agree
• Somewhat agree
• Neither agree or disagree
• Somewhat disagree
• Strongly disagree

5. 5
Why Are More Organizations Doing Bug Bounty Programs?
Ballooning attack surface
We have debt to clear and we need to be able to plan for the
future
Active, efficient
adversaries
Well developed “offensive” economic
Broken status quo
Automation doesn’t provide enough coverage, reliance on
one off conusulting engagements
Cybersecurity resource
shortage
209,000 in the USA alone

6. A New Way to Run Bug Bounties

7. 7
Why Do We Exist?
Platform That Connects Organizations to the Researcher Community
40,000+ Researchers
With specialized skills including
web, mobile and IoT hacking.
Our community is made up of
tens of thousands of the
hackers from around the world.
f
Organizations Both Big
and Small
Making Bug Bounties easy for
ever type of company through
a variety of Bug Bounty
Solutions.

8. A Radical Cyber Security Advantage
A Crowd That Thinks Like An
Adversary But Acts Like an Ally to Find
Vulnerabilities
A Platform That Simplifies Connecting
Researchers to Organizations
Security Expertise To Design, Support,
and Manage Crowd Security Programs
Enterprise Bug Bounty Solutions & Hackers-On Demand
7 Bug Bounty Myths

9. 7 Bug Bounty Myths

10. 10
Myth #1: All bug bounty programs are ‘public’
False. Today, the majority of bug bounty programs are invite-only programs.
68%
Of Programs
Are Private
Best Practice: Start with private program
• Learn how to scope and define program with fewer researchers
• Build processes and experience in receiving submissions
• Address specific security needs with curated crowd

11. 11
Myth #2: Only tech companies run bug bounties
False. The bug bounty model has evolved to be effective and flexible for organizations of virtually any size or type.
Growth in programs is
being driven by adoption
across industries
Top Emerging segments:
• Automotive
• Medical Device
• Government

12. 12
Myth #3: Running a bounty program is too risky
False. With a trusted partner, running a bug bounty program is no more risky than other, traditional security assessment methods.
Public
Disclosure
Incidents
.0005%
“YOU CAN VERY WELL QUANTIFY AND CONTROL FOR
THE RISKS AND REWARDS OF USING THE CROWD,
SUCH THAT IN THE END, THE LEGAL EXPOSURE THAT
AN ORGANIZATION HAS FROM USING THE CROWD IS
BASICALLY THE SAME AS IT WOULD HAVE FROM ANY
OTHER MEANS OF PEN TESTING THAT YOU MIGHT
TRADITIONALLY BUY FROM A PEN TESTING
PROVIDER.”
JAMES DENARO, FOUNDER OF CIPHERLAW
• Programs incentivize good behavior
• Researchers want to do the right thing
• Using a platform where your program and researchers are managed
“out of the box” is key

13. 13
Myth #4: Bug bounties don’t attract talented testers
False. Many of our bug hunters are the most talented security researchers in the world, and many are full-time security professionals.
“WE DECIDED TO RUN A BUG BOUNTY
PROGRAM TO GET ACCESS TO A WIDE
VARIETY OF SECURITY TESTERS.
HIRING SECURITY RESEARCHERS IS
VERY DIFFICULT IN TODAY’S MARKET...
WE HAVE PRODUCTS THAT COVER A
WIDE VARIETY OF APPLICATIONS,
USING A WIDE VARIETY OF
TECHNOLOGIES, SO WE NEED
SECURITY TESTING THAT CAN COVER
ALL THOSE AREAS.”
JON GREEN, SR. DIRECTOR OF
SECURITY ARCHITECTURE, ARUBA“Inside the Mind of a Hacker”
https://pages.bugcrowd.com/inside-the-mind-of-
a-hacker-2016

14. 14
Myth #5: They don’t yield high-value results
False. Bug bounties help organizations uncover high-quality vulnerabilities missed by traditional security assessment methods.
Vulnerability Rating Taxonomy: http://bgcd.co/vrt-2016
“WE THINK OF THE BUG BOUNTY
PROGRAM AS ‘PART OF THIS
COMPLETE BREAKFAST.’ YOU
HAVE ALL THESE INTERNAL
ACTIVITIES, AND THE BUGCROWD
PROGRAM FOR US... IS A NICE
SUPPLEMENT TO THOSE THINGS,
IT CATCHES BUGS THAT OUR
INTERNAL TESTING DIDN’T
CATCH.”
JIM HEBERT, SR. SECURITY
ENGINEER, FITBIT
P1, P2, P3 % of
Submissions
Increasing
Dramatically

15. 15
Myth #6: They’re too costly and hard to budget for
False. You can control your bug bounty budget, and we help make the best suggestion for your organization.
“EFFICIENCY AND
EFFECTIVENESS OF THE
CROWD IS REALLY WHY WE
BRING THEM ON... BECAUSE
WE HAVE THE CROWD
INVOLVED IN THE
VULNERABILITY
MANAGEMENT PROGRAM, IT’S
HELPED IN EXPANDING OF
OUR TEAM FOR A FRACTION
OF THE COST. NOW MY
INTERNAL RESOURCES ARE
BETTER UTILIZED.”
DAVID BAKER, CSO, OKTA
https://pages.bugcrowd.c
om/whats-a-bug-worth
15 Hours
Avg Time Spent
220+
# of Researchers
3500
Hours
Total Testing Time
2 Full Time
heads
Okta’s Bug Bounty Throughput

16. Poll
(Single Select)
Question: I believe we have enough staff and resources to deal with all of
our security challenges
• Strongly agree
• Somewhat agree
• Neither agree or disagree
• Somewhat disagree
• Strongly disagree

17. 17
Myth #7: Bounty programs are too hard to manage
False. With a trusted partner, bug bounty programs are easy, efficient and effective. You receive ready-to-fix, high value bugs.
Crowd + Platform + Expertise
• Reduce the program management load on
your security team with an easy to use
platform to manage programs and
communicate with researchers
• Only receive and act on real vulnerabilities
with automated triage and expert validation
of submissions
• Incentivize and reward researchers globally
with automated, direct payment through our
platform with no commission on payouts

18. 18
Multi Solution Bug Bounty Model Gaining Traction
Not Just About Public Programs
Engage the collective intelligence of
thousands of security researchers
worldwide.
The perfect solution to incentivize the
continuous testing of main web
properties, self-sign up apps, or anything
already publicly accessible.
Private Ongoing Program
Public Ongoing
Program
Continuous testing using a private,
invite-only, crowd of researchers.
Incentivize the continuous testing of
main web properties, self-signup apps,
or anything publically accessible.
Project based testing using a private,
invite-only, crowd of researchers.
Target new products, major releases, or
anything requiring a short period of
testing. Replace costly pen-tests.
On-Demand Program
Many organizations are utilizing different types of Bug Bounty Solutions

19. Key Takeaways

20. A Radical Cyber Security Advantage
A Crowd That Thinks Like An
Adversary But Acts Like an Ally to Find
Vulnerabilities
A Platform That Simplifies Connecting
Researchers to Organizations
Security Expertise To Design, Support,
and Manage Crowd Security Programs
Enterprise Bug Bounty Solutions & Hackers-On Demand
7 Bug Bounty Myths

21. 7 Bug Bounty Myths

22. Next Steps
Talk with a bug bounty expert:
 Bugcrowd.com/chat-with-us