Overview
Syllabus
Introduction
Panel
Introductions
How Many Companies Have Bug Bounty Programs
First Payout for a Hacker
Types of Bug Bounty Programs
Limiting Your Scope
Starting Private
Static Code Analysis
Private Program
Private vs Public
Most Effective Control
Hybrids
Lifecycle
Global vs US
Poorly defined scope
In-house counsel
Product development
Legal IR
Vulnerability database
When researchers get paid
Paying upfront
Setting expectations
Signing up for bugs that don't promise to pay
Fixing security vulnerabilities
Consistency
Audience Question
Public vs Private Disclosure
Sharing
False Negatives
Benefits
Legal Risks
False Positive Rates
Transferring Findings
Payment Systems
Payment Frameworks
Ethical Behavior
Ban Everyone
Facebook Bounty
Bitcoin Bounty
Summary
Taught by
OWASP Foundation