Explore insights from 500 organizations on vulnerability disclosure programs in this AppSec California 2016 conference talk. Gain a comprehensive understanding of the surge in Security@ activity and learn about a weighted index framework for assessing program performance across six dimensions. Discover an analytical approach to running effective Security@ programs, whether you have an active bug bounty program or are just starting out. Benefit from Alex Rice's expertise as he shares lessons from his experience at Facebook and HackerOne, and learn how to shed blind dogma in favor of data-driven decision-making. Walk away with practical knowledge on metrics, response efficiency, and community engagement to enhance your organization's security collaboration efforts.
To Bounty or Not to Bounty - Security@ Insights from 500 Organizations
Overview
Syllabus
Intro
Facebook
HackerOne
A caveat
Who is this talk for
Different ways to answer
Vulnerability metrics
Response efficiency
Bar metrics
Example program
Do we bounty or not
Responsible disclosure
Community resources
State of the Internet
Bug bounty
Riot Games
Summary
Would you do a bug bounty
How do you deal with disclosures
Taught by
OWASP Foundation
Related Courses
-
Practical Tips for Running a Successful Bug Bounty Program
-
An Oral History of Bug Bounty Programs
-
Consumer Bug Bounty Panel - Tech Bug Bounty Panel - Hear from the Program Managers
-
Fad or Future - Getting Past the Bug Bounty Hype
-
Bounty - Building a Coordinated Bug Disclosure Bridge for the EU
-
Bug Bounty Programs - Crowd Sourcing Security
