
An Oral History of Bug Bounty Programs - (BSides Nashville 2018) (Hacking Illustrated Series InfoSec Tutorial Videos)

An Oral History of Bug Bounty Programs

Dustin Childs

BSides Nashville 2018

Bug bounty programs are nearly ubiquitous today, but that wasn't always the case. From their inception, bug bounty programs created controversy as they touch on the topics of vulnerability disclosure, vendor responsibility, and the greater good. Understanding the history of bug bounty programs starts with investigating the nature of vulnerability disclosure and how various disclosure policies impact both vendor servicing and enterprise patch strategies. It also requires an understanding of the exploit marketplace, the various entities purchasing bugs, and what happens to the bugs once reported. Even if you don't participate in a bounty program, they impact you and the systems you defend. Bounty programs impact the exploit marketplace. Like any open market, various factors can spur changes in supply and demand, and bounty programs can shape what types of research either become public or find their way into an exploit kit. This presentation covers the current landscape of bounty programs and the winding, often controversial road that led us here. We also cover the vulnerability economy and the role bug bounties play in shaping the exploit marketplace. Finally, we'll show how effectively run programs have disrupted exploit usage in the wild.


Copyright 2020, IronGeek