AppSec & DevSecOps

A3: Harnessing the Swarm: What a Mature Bug Bounty Program Teaches Us

Thursday, June 8, 2023 1:30 PM - 2:30 PM

Room 401/402


Bug bounties are a great way to find security bugs that are difficult to find via traditional means, like business logic bugs, and create a safety net to complement the rest of your security program. But is your company ready for one? This talk looks at the Slack bug bounty program, active since 2014, and what it takes to have a successful program. Beyond just fixing the bugs, there can be bug triage, public relations, and legal work to do. There are different ways of paying researchers in reputation, swag, or money. We'll also discuss the pros and cons of public and private programs and how to decide between them. We'll cover using scope definition and bounty policies, and managing relationships both with engineering teams and the researcher community. We'll also talk about the impact of bug disclosures on customer trust. If you're looking at starting a bounty program or taking yours to the next level, this session is for you.

Learner Objectives

After this session, the learner will:

* Understand how to evaluate if their company is ready for a bug bounty
* Understand pros and cons of different types of bounty programs
* Understand what resources must be available for program success
* Understand implications of public disclosures