Explore hard-earned insights on bug bounty programs in this 43-minute conference talk from AppSecEU 2015 in Amsterdam. Delve into crucial aspects of managing bug bounties, including legal considerations, defining scope, preparing program briefs, and handling public and private programs. Learn how to address challenges such as out-of-scope submissions, issue reproduction, upstream vulnerabilities, and reward structures. Gain valuable knowledge on setting expectations, managing payouts, and navigating the complexities of bug bounty programs to enhance your organization's security posture.
Overview
Syllabus
Hard Knock Lessons On Bug Bounties
UNIVERSITY RAPID
2,888 Paid submissions (all time)
First things first
You're going to want to make friends with legal
What is in scope?
How bulletproof is your scope?
Preparing the brief
Sample Public Program
Sample Private Program
Public programs
When expectations aren't
How will you reward useful but out of scope submissions?
Can you reproduce the issue?
Handling upstream issues
What about swag rewards?
When are you going to payout?
Bumping rewards
Taught by
OWASP Foundation
Related Courses
-
Running a Bug Bounty Program - What You Need to Know
-
Practical Tips for Running a Successful Bug Bounty Program
-
5 Tips and Tricks for Running a Successful Bug Bounty Program
-
Bug Bounty Field Manual - Cliff Notes for Planning and Operating Successful Programs
-
Critical Vulnerabilities and Bug Bounty Programs
-
Bug Bounty Programs - Successfully Controlling Complexity and Perpetual Temptation
