On the surface, public bug bounty programs look like a no-brainer. You invite a number of security researchers to find security issues in your application, and you only pay for valid results. Who can say no to that? However, as we explore in this talk, for many organizations, launching a public bug bounty program is a buggy idea. It’s like storming the castle before gathering systematic intelligence and planning strategic attacks.
In this talk we will look at some of the challenges of public bug bounties such as:
- Low signal-to-noise ratio, which drives up the cost per bug
- Significant program management effort needed to run the program
We will look at the return on investment between running a public bug bounty program and engaging in more focused crowdsourced pen tests.
We’ll dive deeper into experiences drawn from the crowdsourced appsec industry over the last 4 years, as well as analysis of publicly accessible data combined with data gathered from 200+ organizations running security programs on the Cobalt platform.