Syllabus
Intro
Grant
Netscape "Bugs Bounty"
An (Abbreviated) History of Bug Bounties Since 1995
Do you really want to let people attack you?
Who are these people?
The Value of Crowdsourced Testing
Overview
But you never mentioned paying rewards!
Touch the code, pay the bug.
But first, Step 0
Scope
Focus
Exclusions
This is what a shared environment looks like...
Access
Manage Expectations
Communication is Key
Coordinated Disclosure
Define a Vulnerability Rating Taxonomy (VRT)
The Regular Methodologies
The Bughunter's Methodology
Consider the business impact!
Remember what it's all about.
Case Study: Instructure
Taught by
OWASP Foundation