AppSecUSA 2016: 'Your License for Bug Hunting Season'
TRANSCRIPT
Page 1
Your License for Bug Hunting Season
James Denaro & Casey Ellis
Page 2
05/01/2023 Your License for Bug Hunting Season
Speakers
James Denaro, Attorney, Founder of Cipher Law
Casey Ellis, Founder & CEO, Bugcrowd
Page 3
Agenda
• Risk & Reward of Bug Bounties
• Addressing Two Main Areas of Concern:
  1. Uncertainty
  2. Liability
• Questions
Page 4
Is it safe in the water?
Page 5
What are we really talking about?
By W.carter - Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=34979655
Page 6
Uncertainty
Page 7
Uncertainty FAQs
• How do I budget for a bug bounty?
• How do I know good hackers will test my apps?
• How do I know I'll get good results?
Top concerns for individuals looking into running a bug bounty program in the next few years.
Page 8
Uncertainty: Results & Talent
• Crafting your Program:
  – Program Type
    • Public vs. Private
    • Ongoing vs. On-Demand
How are researchers invited to private programs? Measured by accuracy, activity, impact and trust.
Page 9
Uncertainty: Results & Talent
• Crafting your Program:
  – Bounty Brief
    • In-Scope & Out-of-Scope
    • Rewards
    • Rules
Page 10
Additional Uncertainties
• Budgeting
• Processes
• Getting internal buy-in
• Legal questions
Page 11
Liability
Page 12
#1 Most Frequently Asked Question
What happens if a hacker goes rogue?
• Logical
• Procedural
• Emotional
• Legal
By YBS 999 (Own work) [CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons
Page 13
Additional Liability/Legal Concerns
• Contracts & NDAs
• Who has liability for loss of data/business assets?
• Personal liability?
• Who has jurisdiction?
Page 14
Questions?