Rootconf 2019

On infrastructure security, DevOps and distributed systems.

Devil lies in the details: running a successful bug bounty programme in your organization

Submitted by Shadab Siddiqui (@shadsidd) on Jun 6, 2019

Section: Full talk Technical level: Beginner Session type: Lecture Section: Full talk of 40 mins duration Technical level: Beginner Status: Confirmed & Scheduled


The aim is to help everyone understand the two side of bug bounty or vulnerability research program. Everyone would get a walkthrough on though how glamourous one side for a bug bounty hunter is with all fancy rewards/recognition and in a time where bug bounty profile is equivalent to developers GitHub profile in a CV to how hard it is for an organization to decide on whether to have a program like this or not.
Finding the way forward is hard as having one has it’s own problem and not having one has it’s own repurcursion. And also glimpse into what challenges pop up while we go down the path of having one from aligning different teams(finance/legal/PR/engineering etc.) across the organization. In a nutshell, the aim is to deliver on what point to consider in the timeline of an organisation to have a bug bounty program and understand the pros and cons of it.


Agenda of this talk is to give a glimpse into the actual world of bug bounty and just not from what we read in news. These will be some points of discussion to paint a complete picture for the audience:

-Introduction and benefits of having a bug bounty program
-Discuss on would it make sense to have a bug bounty program or can we live without it
-What take do leadership has on bug bounty, their concerns, and expectations
-What could go wrong if we dont even bother
-When is the right time in the timeline of an organization to have open connect with security researchers
-What kind of organizations need such program or how do we decide it for my non-IT organization
-What platform make sense? Should we buy or build our own
-Why problem would pop up while building a platform vs drawbacks on signing up on a platform
-What all process needs to put in place across the organization to have a successful one
-What is bare minimum automation we need to have to scale up to all bugs we receive
-How do different teams react to it like the legal team(policies), finance team, PR team etc.
-What are the logistic problem that shows up towards the launch
-Do’s and Do not’s of a bug bounty program
-My take on what it takes to run a successful bug bounty program

Speaker bio

Shadab has led Black Ops teams err.. Information Security teams as a specialist with unicorns like Ola, Flipkart and large scale Internet firms like Adobe. An engineer by heart with out of the box thinking.
He has good hands-on experience in E-commerce, payment gateways, mobile security, logistic product, Digital signing, Container/Infra Security, plugging security as part of SDLC to name and few others.
He has bootstrapped security engineering team multiple times from scratch. He has experience around building security automation, building real-time detection of attack anomalies, evangelizing security, compliance, cryptography and making sure the product security is kept the tallest.

Currently, he heads Information security, Privacy and Trust @Hotstar



  • Zainab Bawa (@zainabbawa) a year ago

    Thanks for the submission, Shadab. This will be an interesting session. Some comments from review:

    1. Will help to structure the talk such to nudge participants into thinking in a certain direction. For example, bug bounties are good as long as they fit within xyz conditions/framework; here’s how you go about planning a bug bounty programme.
    2. Let’s gear the talk towards some definite takeaways for participants.
    3. It will definitely be more interesting if the talk explains the scope of bug bounty and what kind of issues organizations have solved with it and what cannot be solved with a bug bounty programme. Again, going back to point one, it will help to anchor the talk in this problem statement: “here are the conditions/framework necessary to run a good bug bounty programme. I will explain this in my talk so that you can run a successful bug bounty programme in your organization.”
    4. If there is a regulatory framework that is India-specific which specifies the do’s and dont’s bug bounty, cover this in your talk.
  • Shadab Siddiqui (@shadsidd) Proposer a year ago

    Key takeaways would be:
    -How to set up your own successful bug bounty programs with beforehand list of all gotcha’s
    -How to handle bad situation/dark side of a bug bounty program
    -How to balance out security team effort vs bug bounty program, how to define right KPIs for each and what to measure
    -When is the right time to have a formal BB program and how to handle if you don’t have one but still receive the submission of bugs
    -How to set things straight from an organizational point of view with security researchers so there isn’t abuse/exploitation of vulnerabilities

    In the section “my take of BB” I would cover on what infrastructure India provides for such programs and how to do in general most organization try to deal with it.

    All ideas about what to have in scope and how to handle when a critical issue is submitted in something which isn’t in scope etc. would be covered in “Do’s and Do not’s”

    The flow would be on how do we arrive at if BB then How to launch(leadership buy-in // setting right cadence //setting up right process//designing the BB flow //figuring out payment logistic and problems all if it has in Indian ecosystem), what things to take care of, what are grey areas, how you should engage and how do you measure it’s performance

Login to leave a comment