Overview
Explore hard-earned insights on bug bounty programs in this 43-minute conference talk from AppSecEU 2015 in Amsterdam. Delve into crucial aspects of managing bug bounties, including legal considerations, defining scope, preparing program briefs, and handling public and private programs. Learn how to address challenges such as out-of-scope submissions, issue reproduction, upstream vulnerabilities, and reward structures. Gain valuable knowledge on setting expectations, managing payouts, and navigating the complexities of bug bounty programs to enhance your organization's security posture.
Syllabus
Hard Knock Lessons On Bug Bounties
UNIVERSITY RAPID
2,888 Paid submissions (all time)
First things first
You're going to want to make friends with legal
What is in scope?
How bulletproof is your scope?
Preparing the brief
Sample Public Program
Sample Private Program
Public programs
When expectations aren't
How will you reward useful but out of scope submissions?
Can you reproduce the issue?
Handling upstream issues
What about swag rewards?
When are you going to payout?
Bumping rewards
Taught by
OWASP Foundation