Bug bounties are beautiful, when done right. But what about bug bounties gone bad? Bug bounties have risen in popularity across the globe since the success of Hack the Pentagon, but we are rushing in to use it everywhere, even where sensitive assets are concerned. The allure of "thorough" security vulnerability testing at a fraction of the cost of traditional professional penetration testing seems too good to be true. It is. Like an oversubscribed cell phone provider boasting network speeds that local congestion can never meet, the bug bounty platforms brag sheer account numbers, even as only a tiny fraction of bug hunters have any real luck (or skills). There's a reason many top companies and governments manage their own triage & store their own bugs on premise, not in 5 year old startup cloud platforms triaged by contractors. Who has eyes on your bugs beside you? How can we use this new crowd-sourced security testing safely? Where are we inadvertently mishandling sensitive information in the execution of what in some cases is only superficial security performance art. All organizations need to understand why & how to manage particularly sensitive bugs more securely. What does your threat model & organizational maturity tell you about whether you can safely use a bug bounty, and against which targets? Learn to spot bug bounty Botox, & to go deeper into the tradeoffs of any given bug discovery method. Both sides of this bug gig economy can do better. Come find out how.
Ms. Moussouris recently testified as an expert on bug bounties & the labor market for security research for the US Senate, and has also been called upon for European Parliament hearings on dual-use technology. She was later invited by the US State Department to help renegotiate the... Read More →
