Read on Twitter
A look back & forward for bug bounties over the past decade, a thread.
History is important for newcomers & established folks alike.
Outcomes have been both positive & negative.
Some fears of the largest tech companies have come true & worse.
Huge opportunities & room to improve!
History is important for newcomers & established folks alike.
Outcomes have been both positive & negative.
Some fears of the largest tech companies have come true & worse.
Huge opportunities & room to improve!
Since this is just focused on the last decade, weâll skip the Netscape bounty of 1995, summarizing that the price was steady at $500 for 15 years, & go straight to Googleâs launch of their first bug bounty against Chromium.
$1337 was offered for bugs.
Later that year, $3133.7 .
$1337 was offered for bugs.
Later that year, $3133.7 .
That got some attention.
Mozilla who continued the Netscape bug bounty, now against Firefox, raised their bounty to $3000.
Why, if Netscape & then Mozilla had been doing this steadily for 15 years, was Googleâs entry into paying for bugs a disruptive big deal?
2 reasons.
Mozilla who continued the Netscape bug bounty, now against Firefox, raised their bounty to $3000.
Why, if Netscape & then Mozilla had been doing this steadily for 15 years, was Googleâs entry into paying for bugs a disruptive big deal?
2 reasons.
Prices going up from a previous high water mark was an obvious disruption - but not to offense market players, even though the false narrative was already starting back then that you needed to âcompeteâ with the offense market for bugs if you made software
Offense market be like
Offense market be like
The other disruption was Chrome itself. It was a brand new code base without big enterprise market share in 2010, & an update model that pushed silent patches.
Internet Explorer had about 60% market share, Mozilla had about half that, & Chrome was only around 9% of the browsers.
Internet Explorer had about 60% market share, Mozilla had about half that, & Chrome was only around 9% of the browsers.
This was significant in it allowed Google much bolder moves in bug hunting & publicity from putting up cash.
I was at Microsoft at the time & an exec had been quoted just 2 years prior saying that as long as he was there, MS would never pay for bugs.
Heâs still there, btw.
I was at Microsoft at the time & an exec had been quoted just 2 years prior saying that as long as he was there, MS would never pay for bugs.
Heâs still there, btw.
I was about to take a job at Adobe but my managers convinced me to stay.
Promotion? No. Raise? Nah.
I stayed because they asked me to work on how to possibly do bug bounties at the biggest software company in the world. The one that receives the most bug reports of anyone, still
Promotion? No. Raise? Nah.
I stayed because they asked me to work on how to possibly do bug bounties at the biggest software company in the world. The one that receives the most bug reports of anyone, still
So I embarked on that journey starting w MS bug & labor cost data.
Number crunching to estimate bounty budget, labor cost increases, & help decide initial scope.
The perfectly good 1st draft bug bounty would have checked a few boxes.
Wouldâve been biggest & covered more products.
Number crunching to estimate bounty budget, labor cost increases, & help decide initial scope.
The perfectly good 1st draft bug bounty would have checked a few boxes.
Wouldâve been biggest & covered more products.
At the time, it would have cost less in $5000 bug bounties for all bugs rated âCritical or Importantâ for Windows, IE, & Office for the latest versions plus 2 versions going back, than a single emergency patch process (called a SSIRP).
Avg SSIRP was ~$6M.
$1.8M was all I needed
Avg SSIRP was ~$6M.
$1.8M was all I needed
So why didnât they pull the trigger in 2010?
Even though we knew we wouldnât prevent all SSIRPs (Software Security Incident Response Protocol), this seemed like an easy win, right?
Because it wasnât about money.
It was about competing w a growing threat in the marketplace: Chrome
Even though we knew we wouldnât prevent all SSIRPs (Software Security Incident Response Protocol), this seemed like an easy win, right?
Because it wasnât about money.
It was about competing w a growing threat in the marketplace: Chrome
Only I didnât know that at the time. I also didnât yet fully comprehend the massive politics that money couldnât address fully:
Who would pay for the increase in triage volume?
MS Response already had high triage turnover
MS already received >200,000 non-spam email messages/year
Who would pay for the increase in triage volume?
MS Response already had high triage turnover
MS already received >200,000 non-spam email messages/year
I could keep this thread going longer w the Harvard biz professor-written economics papers, or MSR game theory papers that I commissioned over those next 2 years.
While they played a part in shaping the bounties, none of them got MS to pay for what it was already getting for free
While they played a part in shaping the bounties, none of them got MS to pay for what it was already getting for free
So what changed in 2013 that allowed me to finally announce the 1st MS bug bounties?
It happened back in 2011, after we had announced the largest defensive prize ever: $250,000 in prizes for new platform-wide technical exploit mitigations.
What happened?
Chrome overtook IE.
It happened back in 2011, after we had announced the largest defensive prize ever: $250,000 in prizes for new platform-wide technical exploit mitigations.
What happened?
Chrome overtook IE.
Weâd committed to run the BlueHat Prize for defense 1st tho.
(Google totes hired one of the winners, lol, good one guys!
)
But the bounty beast was still on my back to solve, so with my 12 slide deck, 1000 meetings later, I finally got a meeting w the head of IE April 4 2013
(Google totes hired one of the winners, lol, good one guys!
)But the bounty beast was still on my back to solve, so with my 12 slide deck, 1000 meetings later, I finally got a meeting w the head of IE April 4 2013
The plan was calculated for a crawl-walk-run approach in scope, with expansions planned in budget, staff, & products included projected over the next 3 years.
When we got to slide 2, he waved his hand & said:
Iâm going to make this easy on you.
How much?
It was the left slide https://twitter.com/k8em0/status/1008393048047226880
When we got to slide 2, he waved his hand & said:
Iâm going to make this easy on you.
How much?
It was the left slide https://twitter.com/k8em0/status/1008393048047226880
Not to recapitulate the thread I just quoted above, the move was strategic traffic shaping to get bugs early in the beta, instead of after beta was closed, which was generally bad for anyone.
It was deadly for a browser in market share decline against fast-patching rival Chrome.
It was deadly for a browser in market share decline against fast-patching rival Chrome.
Suddenly, we had money committed from the 1st targeted product team, & weâd built up additional internal staff capacity planning for increased labor costs in MSRC.
IE set timing: Weâd announce 1 week prior the IE11 beta release.
June 19, 2013.
June 5, this guy made headlines.
IE set timing: Weâd announce 1 week prior the IE11 beta release.
June 19, 2013.
June 5, this guy made headlines.
Everyone in MS security was on strict lockdown, total media blackout, no spokespeople talking to reporters, even on unrelated security news we wanted to share.
But the bounties couldnât wait.
So IE comms overruled TWC comms & thus, we were STILL ON to announce the bounties.
But the bounties couldnât wait.
So IE comms overruled TWC comms & thus, we were STILL ON to announce the bounties.
Thought I would do this in one history thread, but Iâm tired, this is long already, & we havenât even gotten to Hack the Pentagon yet.
Iâll let you all vote on the next installment & pause for now.
Next thread chapter should go through which branch of bug bounty history?
Iâll let you all vote on the next installment & pause for now.
Next thread chapter should go through which branch of bug bounty history?
Click on the above link to expand the tweet, see the poll & vote.
Iâm not doing write-ins for this. :)
I have a company to run, & though
The bounty weeds are lovely, dark & deep,
I have promises to keep,
And miles to go before I sleep,
& miles to go before I sleep.
Iâm not doing write-ins for this. :)
I have a company to run, & though
The bounty weeds are lovely, dark & deep,
I have promises to keep,
And miles to go before I sleep,
& miles to go before I sleep.
Ok I am going to leave the Twitter poll open for a day, but I just have to laugh at the early results that have peopleâs interest in the rise of bug bounty platforms on par with their curiosity about my homegrown lettuce 
Maybe their investors should look into hydroponics.
Maybe their investors should look into hydroponics.
9 hours left to vote on the next installment of This Old Decade - Bug Bounty edition.
Iâm still kind of dying over here that my aeropod lettuce garden is still steadily dusting Rise of Bounty Platforms.
The lettuce may well beat Regulatory Nincompoopery at this rate.
Iâm still kind of dying
over here that my aeropod lettuce garden is still steadily dusting Rise of Bounty Platforms.The lettuce may well beat Regulatory Nincompoopery at this rate.
Poll results are in! A clear majority want to know what happened next chronologically, followed by regulatory nincompoopery, then a lettuce garden update, then the rise of bounty platforms.
Where were we...
Right about to announce the first MS bounties in Bangkok at midnight
Where were we...
Right about to announce the first MS bounties in Bangkok at midnight
Why Bangkok at midnight?
April to June (from getting the green light from IE to the announcement) wasnât long, & I was already committed to speaking at the FIRST conference about upcoming ISO standards governing Vuln disclosure & handling processes.
So weâd have to announce there
April to June (from getting the green light from IE to the announcement) wasnât long, & I was already committed to speaking at the FIRST conference about upcoming ISO standards governing Vuln disclosure & handling processes.
So weâd have to announce there
I thought it polite to warn the FIRST board that I was about to do this radical change from my proposed ISO talk scheduled for the morning, so I briefed the chair of FIRST at the time, my friend Steve Adegbite. He & I shared it w the rest of the board, some of whom WERE FURIOUS.
The FIRST board contains employees of the largest companies.
One of them said âHow dare you break ranks & start paying?â
I responded by saying Iâd be happy to help him w talking points about why his company wasnât doing bug bounties.
I donât think he heard me through the rage.
One of them said âHow dare you break ranks & start paying?â
I responded by saying Iâd be happy to help him w talking points about why his company wasnât doing bug bounties.
I donât think he heard me through the rage.
Hereâs a good time to talk about fear.
He wasnât wrong to be afraid of what this meant for other companies of Microsoftâs size & age. MS had over 800 supported products, services, & even hardware, & tons of legacy code & hard to fix dependencies - & that was just current versions
He wasnât wrong to be afraid of what this meant for other companies of Microsoftâs size & age. MS had over 800 supported products, services, & even hardware, & tons of legacy code & hard to fix dependencies - & that was just current versions
Remember how Google got to start their bug bounty on a single new product w no legacy code & not enough browser market share to make it very risky for them then?
Yeah, completely different set of problems for older orgs.
So I designed the IE beta bounty & mitigation bypass bounty
Yeah, completely different set of problems for older orgs.
So I designed the IE beta bounty & mitigation bypass bounty
We set the mitigation bypass bounty at $100,000, the same top prize offered the same year at the @Pwn2Own_Contest .
One of the fears expressed by MS internally & this FIRST board member seething at me hours before we announced, was prices increasing past the point of feasibility.
One of the fears expressed by MS internally & this FIRST board member seething at me hours before we announced, was prices increasing past the point of feasibility.
Weâll get to the current million dollar bounties later. Sticking to chronological order, now I had to wait for 10 AM Redmond time, when my blogs & the official page with the bounty rules would go live.
I was in Bangkok.
Who did I know in Bangkok?
My friend @thegrugq , thatâs who!
I was in Bangkok.
Who did I know in Bangkok?
My friend @thegrugq , thatâs who!
My friends @l33tdawg & @BelindaChoong flew from Malaysia to check out FIRST, so after drinks w @thegrugq , @ChrisJohnRiley , & @mckeay , we headed back to my room to wait for the crack of midnight.
I called @dakami @0xcharlie @dinodaizovi & a couple others right before announcing
I called @dakami @0xcharlie @dinodaizovi & a couple others right before announcing
Martin & Chris were the official podcasters of FIRST & they got the very first interview about the new MS bounties. @mckeay wrote about it, describing me as âvibratingâ with excitement.
I MEAN...MS WAS REVERSING A PUBLIC BOUNTY BAN & OFFERING THE HIGHEST VENDOR BOUNTIES EVARR!
I MEAN...MS WAS REVERSING A PUBLIC BOUNTY BAN & OFFERING THE HIGHEST VENDOR BOUNTIES EVARR!
Midnight hit & I tweeted the announcement.
My phone started dinging, as the news spread around the world, retweet by retweet.
Soon, my phone had to be muted, but Dhillon @l33tdawg said No leave it on, itâs awesome!
He was right.
It was awesome.
So much hard work by so many.
My phone started dinging, as the news spread around the world, retweet by retweet.
Soon, my phone had to be muted, but Dhillon @l33tdawg said No leave it on, itâs awesome!
He was right.
It was awesome.
So much hard work by so many.
Thatâs it for todayâs installment! So much more bounty contextual history to cover.
Next chapter, weâll go into results of this sea change.
MS had to see if our incentive structure worked, so I reached out personally to make sure researchers I *knew* had skills would participate.
Next chapter, weâll go into results of this sea change.
MS had to see if our incentive structure worked, so I reached out personally to make sure researchers I *knew* had skills would participate.
Time to wrap up.
The $100k mitigation bypass bounty was hard, so it was safe to run for at least a year.
For bounties to continue for individual products, past 30 days of IEâs beta bounty period, weâd have to prove that if you bountied it, they would come.
Some just had babies.
The $100k mitigation bypass bounty was hard, so it was safe to run for at least a year.
For bounties to continue for individual products, past 30 days of IEâs beta bounty period, weâd have to prove that if you bountied it, they would come.
Some just had babies.
Enter the baby onesie - black with a blue hat on it, sent to some of the best hackers in the world, who happened to also be literally taking care of their newborn hackers w their partners.
But the 30 day bounty period was fixed in time, & we had to ask them to please hack now!
But the 30 day bounty period was fixed in time, & we had to ask them to please hack now!
Neither newborn hackers were the 1st in their families, so hacker parents had a fighting chance to get their submissions in.
Baby bottle in 1 hand, IDA Pro in the other, they did it!
We were incredibly fortunate. We got Critical IE bug submissions with full PoC from both of them https://twitter.com/fjserna/status/380490185747607553
Baby bottle in 1 hand, IDA Pro in the other, they did it!
We were incredibly fortunate. We got Critical IE bug submissions with full PoC from both of them https://twitter.com/fjserna/status/380490185747607553
At the time, critics hurled potent napalm of conspiracy theories & fail fantasies at me as we spoke about the new bounty programs at other conferences
âYouâre not competitive with âblack marketâ prices!â
Case volume before our bounties was already huge & that was all free bugs.
âYouâre not competitive with âblack marketâ prices!â
Case volume before our bounties was already huge & that was all free bugs.
It didnât help that lots of media at the time bought into this overly simplistic mono-dimensional thinking about price as the only lever by which defenders could attract excellent offense work.
The biggest criticism & paranoia though was that we were buying these to give them to
The biggest criticism & paranoia though was that we were buying these to give them to
Nobody on my team, myself included, were cleared - so Snowdenâs revelations were news to us as well.
We had no idea about PRISM & the collaboration btwn many US companies & NSA.
Speaking about the bounties got...weird sometimes.
âSo youâre buying these as a broker of the NSA?â
We had no idea about PRISM & the collaboration btwn many US companies & NSA.
Speaking about the bounties got...weird sometimes.
âSo youâre buying these as a broker of the NSA?â
So that tightrope was also an existential threat to the new bounties, one we could not have anticipated in all of our otherwise meticulous planning.
We were going to have to prove it with success.
So how did we do? My original blog for this is gone, so.. https://securityledger.com/2013/07/microsoft-set-to-pay-first-bug-bounty-for-ie-hole/
We were going to have to prove it with success.
So how did we do? My original blog for this is gone, so.. https://securityledger.com/2013/07/microsoft-set-to-pay-first-bug-bounty-for-ie-hole/
We got 18 IE bugs, Critical or Important severity, for around $28k total.
We pivoted internal testing to find even more bugs based on areas those submissions highlighted for further work.
We successfully focused our friendly hackers on exactly what & *when* we need help most.
We pivoted internal testing to find even more bugs based on areas those submissions highlighted for further work.
We successfully focused our friendly hackers on exactly what & *when* we need help most.
The best was yet to come!
1 hacker, who had blown us away w 4 sandbox escapes in the IE bounty, I knew I wanted to go for the $100k mitigation bypass bounty.
First, I had to convince him.
Heâd not yet researched Windows.
(To read the story about those IE finds, buy his book!) https://twitter.com/tiraniddo/status/942734129526923265
1 hacker, who had blown us away w 4 sandbox escapes in the IE bounty, I knew I wanted to go for the $100k mitigation bypass bounty.
First, I had to convince him.
Heâd not yet researched Windows.
(To read the story about those IE finds, buy his book!) https://twitter.com/tiraniddo/status/942734129526923265
Many friendly beers in London later, time off from consulting granted by his UK employer, in weeks we had in our hands the 1st new mitigation bypass submission, eligible for $100,000
Outside bldg 26 cafeteria on the MS campus, teeth clattering w excitement, I called @tiraniddo
Outside bldg 26 cafeteria on the MS campus, teeth clattering w excitement, I called @tiraniddo
History
Was
Made
We not only launched bounties that were strategically different than any before, bigger than any before, at the biggest software company in the world BUT
HACKERS HACKED AND GOT PAID!!
For every person on that journey, even the most vicious critics, THANK YOU.
Was
Made
We not only launched bounties that were strategically different than any before, bigger than any before, at the biggest software company in the world BUT
HACKERS HACKED AND GOT PAID!!
For every person on that journey, even the most vicious critics, THANK YOU.
I gave a guest lecture at a symposium jointly run by Harvard Kennedy School & MIT Sloan later that year.
My presentation on game theory, Econ theory, complexities of developing a bounty while suffering from legacy code, hundreds of products, caught @sultanofcyber âs attention.
My presentation on game theory, Econ theory, complexities of developing a bounty while suffering from legacy code, hundreds of products, caught @sultanofcyber âs attention.
He invited me to brief the Pentagon for the first time.
From there, over the next couple of years, I had many mor chats with folks at Old Five Sides.
Real heroes in all this were @ljwiswel & @charley_snyder_ who drove the internal process to create #HackthePentagon
Incredible!
From there, over the next couple of years, I had many mor chats with folks at Old Five Sides.
Real heroes in all this were @ljwiswel & @charley_snyder_ who drove the internal process to create #HackthePentagon
Incredible!
Nearly 3 years from MSâ 1st bug bounties, we launched not just the 1st bug bounty program of DoD, but 1st among all militaries in the world, by the strongest military in world history.
This sparked great things!
And horrible things.
#Bounties were accepted as âbest practicesâ.
This sparked great things!
And horrible things.
#Bounties were accepted as âbest practicesâ.
More later. Final stretch.
Next weâll cover the good, the bad, the bounties over the years since launching Hack the Pentagon.
Next weâll cover the good, the bad, the bounties over the years since launching Hack the Pentagon.
As some of you know, nobody from h1 set foot in the Pentagon except me in the lead up to the launch of Hack the Pentagon.
They *only* got that contract because I happened to work there.
This is important in where we find ourselves with most bounty implementations since 2016.
They *only* got that contract because I happened to work there.
This is important in where we find ourselves with most bounty implementations since 2016.
I launched my company @LutaSecurity officially a couple of weeks later.
(OMG weâre almost 4 years old!)
My company co-bid w h1 & also w BC for the next pentagon bounty contract, because DoD needed a vuln disclosure program
H1 + Luta was the winning bid & we launched Hack the Army
(OMG weâre almost 4 years old!)
My company co-bid w h1 & also w BC for the next pentagon bounty contract, because DoD needed a vuln disclosure program
H1 + Luta was the winning bid & we launched Hack the Army
We more importantly launched the ongoing vuln disclosure program for DoD.
This was tricky legalese.
Thereâs no such thing as âsafe harborâ no matter what you put in your vuln disclosure/bug bounty terms.
Hackers can only be reassured that the target entity wonât seek legal action
This was tricky legalese.
Thereâs no such thing as âsafe harborâ no matter what you put in your vuln disclosure/bug bounty terms.
Hackers can only be reassured that the target entity wonât seek legal action
Today, itâs been very popular to mislabel the legal language in VDP/BB programs as âsafe harborâ.
Why is this a problem?
BECAUSE NOBODY CAN GRANT IMMUNITY FROM GLOBAL LAWS.
Whatâs legal in the US isnât legal everywhere & vice versa.
This is especially true with data breaches.
Why is this a problem?
BECAUSE NOBODY CAN GRANT IMMUNITY FROM GLOBAL LAWS.
Whatâs legal in the US isnât legal everywhere & vice versa.
This is especially true with data breaches.
Case in point:
Uber data breach they tried to cover up by using their bounty platform h1 to launder the extortion payment of $100,000 to criminals who downloaded 57 million records.
I testified before the Senate that the market we are creating for defense was harmed by this.
Uber data breach they tried to cover up by using their bounty platform h1 to launder the extortion payment of $100,000 to criminals who downloaded 57 million records.
I testified before the Senate that the market we are creating for defense was harmed by this.
Link to my Congressional testimony: https://twitter.com/k8em0/status/1093144091796357121?s=21
Link to the same criminals, trying the same extortion trick on another company: https://twitter.com/k8em0/status/1070974477457084416?s=21
Link to new evidence that all that data probably wasnât erased by the criminals after all: https://twitter.com/k8em0/status/1190323634130305030?s=21
Link to the same criminals, trying the same extortion trick on another company: https://twitter.com/k8em0/status/1070974477457084416?s=21
Link to new evidence that all that data probably wasnât erased by the criminals after all: https://twitter.com/k8em0/status/1190323634130305030?s=21
The data classification problem in VDP & bug bounties was recognized by the US DoJ.
Penetration testing contracts are fundamentally different than bug bounty or VDP language.
Protected classes of data (eg HIPAA or PII) are not ok to be seen/transmitted/stored by random hackers!
Penetration testing contracts are fundamentally different than bug bounty or VDP language.
Protected classes of data (eg HIPAA or PII) are not ok to be seen/transmitted/stored by random hackers!
Many donât understand that VDP/BB program terms DO NOT make it âthe same as a pen test contract wrt data.â
If it did, there would be no reason to create this:
https://www.justice.gov/criminal-ccips/page/file/983996/download
My sweet summer children, donât be fooled by BB platforms willfully ignoring data breaches.
If it did, there would be no reason to create this:
https://www.justice.gov/criminal-ccips/page/file/983996/download
My sweet summer children, donât be fooled by BB platforms willfully ignoring data breaches.
That includes BB platforms denying their own data breaches.
Itâs well known that âunauthorized accessâ to sensitive customer data (unpatched bugs for multiple BB programs in this case) is a breach.
If a BB platform canât be trusted w your data, move triage & tracking in house.
Itâs well known that âunauthorized accessâ to sensitive customer data (unpatched bugs for multiple BB programs in this case) is a breach.
If a BB platform canât be trusted w your data, move triage & tracking in house.
Historically, Hack the Pentagon was an important milestone, normalizing the idea that hackers can help you if you let them.
But BB companies used this to over market bug bounties & even VDP, RUSHING everyone else in what
took
MS & the Pentagon
years
to
prep
for
operationally.
But BB companies used this to over market bug bounties & even VDP, RUSHING everyone else in what
took
MS & the Pentagon
years
to
prep
for
operationally.
The European Union caught bug bounty fever & funded bounties for open source software.
They completely neglected the fact most open source projects have extremely limited resources, mostly unpaid volunteers.
This is unbalanced & inefficient.
So my co refused to bid on these. https://twitter.com/k8em0/status/1061377748038340608
They completely neglected the fact most open source projects have extremely limited resources, mostly unpaid volunteers.
This is unbalanced & inefficient.
So my co refused to bid on these. https://twitter.com/k8em0/status/1061377748038340608
Predictably, this over saturation of bounties in orgs that arenât ready, the mingling of bounty hunters among contract triage support workers, the abundance of unpaid hacker labor in the form of duplicates, has resulted in the current malformed labor market.
Been saying for years
Been saying for years
But even with older studies of the labor market for bugs, done by my colleagues Dr. Ryan Ellis et al & me, including updated CORROBORATION of the relative success stats, we still see a discouraging & unsustainable stratification of bug hunters wrt earnings. https://twitter.com/k8em0/status/975458601631342592
Some bounty platforms consider my company a competitor.
Why?
We donât run bug bounties.
How could a company that helps orgs get solid w internal vuln handling processes be anything but good for bug bounty platforms?
Because we emphasize efficient resource allocation, internally.
Why?
We donât run bug bounties.
How could a company that helps orgs get solid w internal vuln handling processes be anything but good for bug bounty platforms?
Because we emphasize efficient resource allocation, internally.
Most often, the roadmap we help develop includes building better INTERNAL bug discovery, resolution, & prevention processes.
Rushing to âbug bounty Botoxâ only masks internal negligence w the *appearance* of diligence.
Itâs often a diversion of resources more efficiently spent.
Rushing to âbug bounty Botoxâ only masks internal negligence w the *appearance* of diligence.
Itâs often a diversion of resources more efficiently spent.
So here we are today.
Modern CISOs still have to balance risk w resources.
Bug bounties are a flavor of external bug discovery just like pen testing - doing it alone wonât help you become secure.
Itâs not as easy as outsourcing your crowdsourcing either.
https://twitter.com/k8em0/status/1219356858076368897?s=21 https://twitter.com/k8em0/status/1219356858076368897
Modern CISOs still have to balance risk w resources.
Bug bounties are a flavor of external bug discovery just like pen testing - doing it alone wonât help you become secure.
Itâs not as easy as outsourcing your crowdsourcing either.
https://twitter.com/k8em0/status/1219356858076368897?s=21 https://twitter.com/k8em0/status/1219356858076368897
Hereâs my proposed pivot for the future, having personally nurtured, grown, & protected this ecosystem of my fellow hackers in our quest to stay out of jail & get paid:
1. Orgs should be adept at vuln management before attempting to deal w outside reports
1. Orgs should be adept at vuln management before attempting to deal w outside reports
2. Hackers (& everyone) should not be working for free, or for the hope of being 1st to report the same bug. Hackers should be paid as pen testers, not exploited for âcrowdâ numbers.
3. Security labor markets are made, not by accident.
Letâs focus the future on outcomes, not hype
3. Security labor markets are made, not by accident.
Letâs focus the future on outcomes, not hype
