How to run a kick-ass bug bounty program - Node Summit 2013
DESCRIPTION
Bug bounty programs are all about getting good guys who think like bad guys to help you protect your business from application security flaws. In this workshop Casey Ellis and Chris Raethke from Bugcrowd, The Bug Bounty Company, will go through some of the tricks and tips of setting up and running a successful bug bounty program.
TRANSCRIPT
How to run a kick-ass bug bounty program
Casey Ellis – CEO, Chris Raethke – CTO
Bugcrowd Inc
AGILE SCRUM
PAIRING TDD
CI
BEST PRACTICE...
all apps have security bugs
...REALITY
Current Approach
Bad Guys Good Guys
...help!
ARRRGGGH!
A Better Approach
Bad Guys Moar’ Good Guys
...arrrrrgh?
What is a bug bounty program?
Bug bounties are awesome…
…but hard.
The mistake *everyone* makes
DATA PEOPLE
The Golden Rules
Respect the researcher
If you touch code, pay it.
Manage expectations
Normalize inputs
Pay quickly
Fix problems quickly
Be open about duplicates
Questions?
Casey Ellis – CEO, Chris Raethke – CTO
Bugcrowd Inc