Her TED talk on the power of bug bounties has over a million views, on May 20, 2015, cybersecurity expert Keren Elazari joined Bugcrowd for an exclusive webinar. We did some bug bounty myth busting and trend spotting and had a great turnout. Keren's slides are here.

1. May 20 2015

2. Agenda
 Introductions
 Bug bounty program evolution
 Common myths and misconceptions
 Lessons from Barracuda’s Bug Bounty program
 How businesses and technology derive value from bug
bounty programs
 The art of running a successful & effective bug bounty
program

3. @caseyjohnellis
https://bugcrowd.com
casey@bugcrowd.com
CEO & Co-Founder

4. @k3r3n3
http://k3r3n3.com
Industry Analyst &
Author

6. Source:“25YearsOfVulnerabilities: 1988-2012SourcefireResearchReport”

10. @K3r3n3

11. Bug Bounty Programs

12. Source : 1995 PR Newswire Association , The Free Library

13. 1995
2002
2004
2007
2010
2011
2012
2014
2013
2015
2005
History of Bug
Bounties

14. Finifter, Matthew, Devdatta Akhawe, and David
Wagner. "An Empirical Study of Vulnerability Rewards
Programs." USENIX Security. Vol. 13. 2013.

16. Your Elastic Security Team.

17. These brands (and others) trust Bugcrowd…

18. Source: www.bugcrowd.com/list-of-bug-bounty-programs
Adoption Across Industries
 Technology
 Software
 Hardware
 Automotive & Air Travel
 Consumer Electronics
 Financial Services

20. Common Questions:
 What will we have to do, as a company?
 Who else can see our vulnerability data?
 Where’s the Value – and Is it worth it?
 Who are these “Researchers”, anyway?
 Can we hire them?

21. Interactive Poll Question #1
What is the most common barrier for bug
bounty adoption?
 Organization is not mature enough to support a program
 Not sure how to engage directly with hacker community
 Concerns over control of security operations and
process
 Perceived high operational cost vs uncertain business
value

22. Initial Research Findings
 Organizations can benefit from flexible security
testing by a large community, which is sometimes
a more time & cost effective approach
 A trusted intermediary can help eliminate common
“control” issues
 Value isn’t just in security : it’s reputation,
business process, & hiring

24. Finding Value
 Business, technology and organizational values
 Security : Finding bugs that everyone else missed
 The “Ouch! an outsider just pwned your code”
effect
 Financial & Cost Effectiveness
 Better Security Reputation In The Marketplace
 Business , R&D process , talent pool/vetting

25. Case Study:
History:
 Barracuda created their own bug bounty program
4.5 years ago after receiving a few submissions
from outsiders
 They recognized the value of more eyes and
incentivizing them correctly
 Built out a team to manage the program from end-
end

26. Problem:
 Too many team members having to
spend time sifting through email
submissions to find the quality
reports
 Too much overhead in working with
finance to get a $50 (or any
amount) PO created to send to a
researcher
 Spent a lot of resources
engineering and maintaining their
own report database on the
backend
Solution:
 Bugcrowd's crowd control platform
maintains submission history
across the board
 Crowdcontrol handles all payment
logistics, so a single check is cut to
Bugcrowd, we handle the rest
 Bugcrowd's management services
handle the noise of the
submissions so barracudas team
can focus solely on the valid,
serious reports
Case Study:

27. How to Run Successful &
Effective Program
 Tips from Bugcrowd
 Quality of Bugs, Types, Quantity and
Severity
 Finding bugs that others missed?
 Attract Great Research Talent

28. Security Researcher POV
 Is it worth it?
 Am I breaking the law (globally, or in
my country?)
 Can I get a job?
 Who is a “Researcher”, anyway?

29. Continue the Conversation
What Benefit Do You Value The Most From a
Bug bounty / Vulnerability Discovery
program?

30. Go Find Some Bugs…
Thank You!
@k3r3n3
@caseyjohnellis
@bugcrowd