AppSecUSA 2016: 'Your License for Bug Hunting Season'
TRANSCRIPT
Your License for Bug Hunting Season
James Denaro & Casey Ellis
05/01/2023 Your License for Bug Hunting Season
Speakers
James Denaro, Attorney, Founder of Cipher Law
Casey Ellis, Founder & CEO, Bugcrowd
Agenda
Risk & Reward of Bug Bounties
Addressing Two Main Areas of Concern:
1. Uncertainty
2. Liability
Questions
Is it safe in the water?
What are we really talking about?
By W.carter - Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=34979655
Uncertainty
Uncertainty FAQs
• How do I budget for a bug bounty?
• How do I know good hackers will test my apps?
• How do I know I'll get good results?
Top concerns for individuals looking into running a bug bounty program in the next few years
Uncertainty: Results & Talent
• Crafting your Program:
– Program Type
• Public vs. Private
• Ongoing vs. On-Demand
How are researchers invited to private programs? Measured by accuracy, activity, impact and trust.
Uncertainty: Results & Talent
• Crafting your Program:
– Bounty Brief
• In-Scope & Out-of-Scope
• Rewards
• Rules
Additional Uncertainties
• Budgeting
• Processes
• Getting internal buy-in
• Legal questions
Liability
#1 Most Frequently Asked Question
What happens if a hacker goes rogue?
• Logical
• Procedural
• Emotional
• Legal
By YBS 999 (Own work) [CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons
Additional Liability/Legal Concerns
• Contracts & NDAs
• Who has liability for loss of data/business assets?
• Personal liability?
• Who has jurisdiction?
Questions?