Overview
Explore the world of bug bounty programs and crowd-sourced security in this 44-minute conference talk from nullcon Goa 2013. Delve into the Mozilla bug bounty program, learning how it was created, where it succeeded, and where it ran into challenges. Gain insights into the differences between vendor bug bounty programs and the black market, and how such programs can counter the effects of the illicit trade in vulnerabilities. Discover the unique aspects of Mozilla's program, which covers both client-side security for Firefox and website security for the Mozilla Foundation. Examine the various types of bug bounty programs, their values, benefits, and potential concerns. Learn about the process of managing submissions, including the role of the Bugmatic Committee and the Web Body Process. Analyze the results and cost breakdown of successful programs, and explore who typically submits bugs. By the end of this talk, you will have the knowledge needed to determine whether a bug bounty program would benefit your organization and how to start one effectively.
Syllabus
Introduction
Why am I here
Mozilla Bug Bounty Program
History of Bug Bounty Programs
Types of Bug Bounty Programs
Black Market Client Programs
Program Values
Vendor vs Black Market
Negative impact on reputation
Benefits
Concerns
Encouraging attackers
Attackers
Security Team
Black Market
Black Box
Bugmatic Committee
Web Body Process
Results
Firefox
Web Valve
Duplicate vs New Bugs
Cost Breakdown
Who Submits
What Next
Bug Bounty Program
What you need to do before you start
Taught by
nullcon