SS
Shadab Siddiqui
@shadsidd
Devil lies in the details: running a successful bug bounty programme in your organization
Submitted Jun 6, 2019
Section:
Full talk of 40 mins duration
Technical level:
Beginner
Section:
Full talk
Technical level:
Beginner
Session type:
Lecture
The aim is to help everyone understand the two side of bug bounty or vulnerability research program. Everyone would get a walkthrough on though how glamourous one side for a bug bounty hunter is with all fancy rewards/recognition and in a time where bug bounty profile is equivalent to developers GitHub profile in a CV to how hard it is for an organization to decide on whether to have a program like this or not.
Finding the way forward is hard as having one has it’s own problem and not having one has it’s own repurcursion. And also glimpse into what challenges pop up while we go down the path of having one from aligning different teams(finance/legal/PR/engineering etc.) across the organization. In a nutshell, the aim is to deliver on what point to consider in the timeline of an organisation to have a bug bounty program and understand the pros and cons of it.
Outline
Agenda of this talk is to give a glimpse into the actual world of bug bounty and just not from what we read in news. These will be some points of discussion to paint a complete picture for the audience:
-Introduction and benefits of having a bug bounty program
-Discuss on would it make sense to have a bug bounty program or can we live without it
-What take do leadership has on bug bounty, their concerns, and expectations
-What could go wrong if we dont even bother
-When is the right time in the timeline of an organization to have open connect with security researchers
-What kind of organizations need such program or how do we decide it for my non-IT organization
-What platform make sense? Should we buy or build our own
-Why problem would pop up while building a platform vs drawbacks on signing up on a platform
-What all process needs to put in place across the organization to have a successful one
-What is bare minimum automation we need to have to scale up to all bugs we receive
-How do different teams react to it like the legal team(policies), finance team, PR team etc.
-What are the logistic problem that shows up towards the launch
-Do’s and Do not’s of a bug bounty program
-My take on what it takes to run a successful bug bounty program
Speaker bio
Shadab has led Black Ops teams err.. Information Security teams as a specialist with unicorns like Ola, Flipkart and large scale Internet firms like Adobe. An engineer by heart with out of the box thinking.
He has good hands-on experience in E-commerce, payment gateways, mobile security, logistic product, Digital signing, Container/Infra Security, plugging security as part of SDLC to name and few others.
He has bootstrapped security engineering team multiple times from scratch. He has experience around building security automation, building real-time detection of attack anomalies, evangelizing security, compliance, cryptography and making sure the product security is kept the tallest.
Currently, he heads Information security, Privacy and Trust @Hotstar
Slides
https://docs.google.com/presentation/d/1stD4eHdtosbeBAee8FNBIYotNHxJJINGzCd1VvVgTEg
Login to leave a comment
Shadab Siddiqui
@shadsidd Submitter
Key takeaways would be:
-How to set up your own successful bug bounty programs with beforehand list of all gotcha's
-How to handle bad situation/dark side of a bug bounty program
-How to balance out security team effort vs bug bounty program, how to define right KPIs for each and what to measure
-When is the right time to have a formal BB program and how to handle if you don't have one but still receive the submission of bugs
-How to set things straight from an organizational point of view with security researchers so there isn't abuse/exploitation of vulnerabilities
In the section "my take of BB" I would cover on what infrastructure India provides for such programs and how to do in general most organization try to deal with it.
All ideas about what to have in scope and how to handle when a critical issue is submitted in something which isn't in scope etc. would be covered in "Do's and Do not's"
The flow would be on how do we arrive at if BB then How to launch(leadership buy-in // setting right cadence //setting up right process//designing the BB flow //figuring out payment logistic and problems all if it has in Indian ecosystem), what things to take care of, what are grey areas, how you should engage and how do you measure it's performance
Zainab Bawa
@zainabbawa Editor & Promoter
Thanks for the submission, Shadab. This will be an interesting session. Some comments from review: