Previous proposalHow do you keep your secrets and how much does it cost?
Next proposalSRE: Culture & Strategy
Devil lies in the details: running a successful bug bounty programme in your organization
Submitted by Shadab Siddiqui (@shadsidd) on Thursday, 6 June 2019
Section: Full talk Technical level: Beginner Session type: Lecture Section: Full talk of 40 mins duration Technical level: Beginner Status: Confirmed & Scheduled
The aim is to help everyone understand the two side of bug bounty or vulnerability research program. Everyone would get a walkthrough on though how glamourous one side for a bug bounty hunter is with all fancy rewards/recognition and in a time where bug bounty profile is equivalent to developers GitHub profile in a CV to how hard it is for an organization to decide on whether to have a program like this or not.
Finding the way forward is hard as having one has it’s own problem and not having one has it’s own repurcursion. And also glimpse into what challenges pop up while we go down the path of having one from aligning different teams(finance/legal/PR/engineering etc.) across the organization. In a nutshell, the aim is to deliver on what point to consider in the timeline of an organisation to have a bug bounty program and understand the pros and cons of it.
Agenda of this talk is to give a glimpse into the actual world of bug bounty and just not from what we read in news. These will be some points of discussion to paint a complete picture for the audience:
-Introduction and benefits of having a bug bounty program
-Discuss on would it make sense to have a bug bounty program or can we live without it
-What take do leadership has on bug bounty, their concerns, and expectations
-What could go wrong if we dont even bother
-When is the right time in the timeline of an organization to have open connect with security researchers
-What kind of organizations need such program or how do we decide it for my non-IT organization
-What platform make sense? Should we buy or build our own
-Why problem would pop up while building a platform vs drawbacks on signing up on a platform
-What all process needs to put in place across the organization to have a successful one
-What is bare minimum automation we need to have to scale up to all bugs we receive
-How do different teams react to it like the legal team(policies), finance team, PR team etc.
-What are the logistic problem that shows up towards the launch
-Do’s and Do not’s of a bug bounty program
-My take on what it takes to run a successful bug bounty program
Shadab has led Black Ops teams err.. Information Security teams as a specialist with unicorns like Ola, Flipkart and large scale Internet firms like Adobe. An engineer by heart with out of the box thinking.
He has good hands-on experience in E-commerce, payment gateways, mobile security, logistic product, Digital signing, Container/Infra Security, plugging security as part of SDLC to name and few others.
He has bootstrapped security engineering team multiple times from scratch. He has experience around building security automation, building real-time detection of attack anomalies, evangelizing security, compliance, cryptography and making sure the product security is kept the tallest.
Currently, he heads Information security, Privacy and Trust @Hotstar