Black Hat and DEF CON (and to some extent, the surrounding conferences taking place during this same week in Las Vegas) are research-driven, red-team oriented, and rich in pen-testing content. Therefore, as one might expect, they attract people from around the world who want to experience all that these events have to offer on these topics.
Sean Martin had a good long chat with Jason Haddix, VP of trust and security at Bugcrowd. They talk about the conference scene, the researcher community, and how to make the most of the trainings, presentations, and conversations.
The first part of the conversation is available now: tips and tricks for Hacker Summer Camp newcomers. Part two will be available on Tuesday the 7th of August ... so stay tuned!
Part 1: Tips for Hacker Summer Camp Newcomers
Researcher Advice from Jason Haddix
Sean Martin asked Jason Haddix, VP of trust and security at Bugcrowd, what recommendations he has for researchers who have not yet made their way to Hacker Summer Camp in Las Vegas. Tip number one: plan/scope ahead of time what you'd like to see.
Tune in to this 5-minute podcast for more quick tips for Black Hat and DEF CON newcomers from someone who knows!
Part 2: When We Train, Support And Protect The Research Community, It Thrives
There’s so much being built today and even if companies want to staff cybersecurity researchers to test everything they’ve built, they just can’t hire all the people needed. Therefore, we need a community of people who are available to jump in and join the good fight.
In the past few years, companies have surfaced that provide bug bounty platforms and this community only continues to grow. And as more people join it, they’re beginning to share with each other and collaborate and build tools that the community can use to help the greater good.
In Part 2 of this podcast, Jason Haddix and Sean Martin talk about this situation. To further help the researcher community, Bugcrowd has announced disclose.io: “a collaborative and vendor-agnostic project to standardize best practices around safe harbor for good-faith security research.” It is an open-source template that provides safe harbor for researchers, whereas the terms of service typically found with bug bounty programs still leave researchers open to legal liability.
They're also creating a Bugcrowd University to train the community on best practices for research, tools, and how to write a good submission. And building on the university work, they’re also working with Cal Poly Pomona to create cybersecurity-themed escape rooms where you have to hack your way out to escape.
The bottom line is that bringing more people into the community is essential and having a university is one way to do that.
About Jason Haddix
Jason is the head of trust and security at Bugcrowd. Jason works with clients and security researchers to create high-value, sustainable, and impactful bug bounty programs. He also works with Bugcrowd to improve the security industry's relations with researchers. Jason's interests and areas of expertise include mobile penetration testing, black-box web application auditing, network/infrastructure security assessments, and static analysis. Before joining Bugcrowd, Jason was the director of penetration testing for HP Fortify, and also held the #1 rank on the Bugcrowd leaderboard for 2014.
Find Jason on Twitter: @JHaddix