To Bounty or Not to Bounty - Security@ Insights from 500 Organizations

OWASP Foundation via YouTube

Overview

This course provides insights from analyzing Security@ data from over 500 organizations to help understand the key factors contributing to a successful vulnerability disclosure program. The course covers a framework for quantifying impact and assessing program performance across dimensions such as researcher breadth, depth, vulnerabilities found, response efficiency, reward competitiveness, and signal ratio. By the end of the course, learners will be equipped with an analytical approach to running an effective Security@ program, whether they are already running a bug bounty program or are considering starting one. The course is suitable for security professionals, organizations looking to collaborate with security researchers, and individuals interested in understanding the dynamics of vulnerability disclosure programs.

Syllabus

Intro
Facebook
HackerOne
A caveat
Who is this talk for
Different ways to answer
Vulnerability metrics
Response efficiency
Bar metrics
Example program
Do we bounty or not
Responsible disclosure
Community resources
State of the Internet
Bug bounty
Riot Games
Summary
Would you do a bug bounty
How do you deal with disclosures

Taught by

OWASP Foundation
