Overview
This course draws on an analysis of Security@ data from over 500 organizations to identify the factors that make a vulnerability disclosure program succeed. It presents a framework for quantifying impact and assessing program performance across dimensions such as researcher breadth and depth, vulnerabilities found, response efficiency, reward competitiveness, and signal ratio (the share of submitted reports that turn out to be valid). By the end of the course, learners will have an analytical approach to running an effective Security@ program, whether they already run a bug bounty program or are considering starting one. The course is suitable for security professionals, organizations looking to collaborate with security researchers, and anyone interested in the dynamics of vulnerability disclosure programs.
Syllabus
Intro
Facebook
HackerOne
A caveat
Who is this talk for
Different ways to answer
Vulnerability metrics
Response efficiency
Bar metrics
Example program
Do we bounty or not
Responsible disclosure
Community resources
State of the Internet
Bug bounty
Riot Games
Summary
Would you do a bug bounty
How do you deal with disclosures
Taught by
OWASP Foundation