Overview
This conference talk explores how FINN.no transformed its application security approach by implementing a private bug bounty program after struggling with traditional DevSecOps tools since 2019. Learn why bug bounties have proven more effective at discovering real-world vulnerabilities than code scanning and dynamic testing tools, which often produced false positives and ran into scaling challenges. Discover the practical aspects of launching and managing a successful bug bounty program, including how it complements existing security practices rather than replacing them. Through concrete examples and lessons learned from FINN.no and other Schibsted brands, gain insights into cost-effective security strategies that deliver meaningful results instead of "DevSecOops." The presentation includes both factual information and provocative perspectives that challenge conventional application security wisdom.
Syllabus
From DevSecOops to Security Success: The Bug Bounty Effect at FINN.no - Emil Vaagland
Taught by
NDC Conferences