Bug Bounty Evolution: Not Your Grandson's Bug Bounty

Bug hunting has evolved; it is time for the industry to catch up. This talk challenges the status quo of bug bounties, calling for fair labor practices, transparency, and recognition of bug hunters' skills and contributions.

Key takeaways
  • Bug bounties should rest on fair labor practices rather than on nondisclosure agreements (NDAs) used to control the outcome.
  • The industry should stop trying to control the outcome and instead focus on fair compensation and working conditions for bug hunters.
  • Research has shown that many organizations still use NDAs to keep bug hunters from publicly disclosing the vulnerabilities they find, which is unfair to the hunters.
  • Bug bounty platforms need to change their approach to bug finding, focusing on fairness and transparency.
  • Organizations need to prioritize their security goals and commit to supporting their own security teams.
  • The best approach to bug hunting involves a mix of bug bounties and internal security roles.
  • Bug bounty programs should provide fair compensation and opportunities for growth and advancement for bug hunters.
  • Organizations should track both the program-wide duplicate rate and the per-bug duplicate rate to better identify and track vulnerabilities.
  • Bug bounty platforms should focus on providing effective metrics for tracking and reporting.
  • The industry should identify upcoming talent and create apprenticeship programs to support its growth.
  • A viable, long-term strategy for bug hunting as a career would drive the growth of the industry.
  • Bug bounty hunters should be recognized and respected for their skills and contributions.
  • Bug bounties should prioritize the discovery and reporting of vulnerabilities to provide better security outcomes.
  • The industry should recognize the effectiveness of smaller, specialized teams over larger, more general ones.