Sunday, 25 November 2012

On Bug Bounties...

I think bug bounty programs are awesome. While I understand they are not for everyone (I think they require a bit of agility), they are really helpful and have a lot of pros if you use them smartly...

First, as someone who provides learning material, I think a bug bounty can be your first official pentest:

  • You don't need to pass a job interview.
  • You don't need to sell the gig to a company. 
  • You just need to participate and be respectful of the platform.

Furthermore, if you end up being listed in some bug bounty hall of fame, landing a security job will be far easier...

For a company running a bug bounty program, I think you need to be careful: probably avoid giving access to your production systems (to avoid a data leak) and set up a pre-prod environment (AWS EC2?) with anonymised data dedicated to the bug bounty (unless your name is Facebook or Google). Other than that, I see it as a less expensive, modern alternative to hiring a pentest company. And you may end up with a lot of testing from a lot of skilled people pretty fast and for a reasonable price.

If you're on Twitter, you have probably heard of bugcrowd, a new company that offers to manage bounty programs for other companies. I think it's a great idea and I bet a lot of people are already looking into this. I hope they will create a "Private Bounty" program where only identified people (identity check) can participate; it would probably solve the problem of a lot of people being afraid to run a bounty program because everyone would be allowed to attack all their systems (which is not true, since most programs have a scope)...

1 comment:

Anonymous said...

They pay poorly.