Bug Bounty Hunters: Lessons From Darth Vader presented at BSidesDC 2014

by Jake Kouns,

URL : http://www.youtube.com/watch?v=vpgZfvN3AL8

Summary : Darth Vader was a ruthless leader and considered by many to be one of the all-time greatest villains. But in fairness to Lord Vader, he set clear expectations for his staff, expected results, and was an early adopter when it came to the usage of bounty hunters to accomplish goals when his internal team wasn’t effective. The security industry, IT professionals, and developers have been failing for several decades by writing insecure code, not providing practical solutions, and generally failing the public. Yet, for some reason we have yet to be force-choked out of the industry. Lord Vader would find the lack of results disturbing.
This talk will discuss Lord Vader’s management tactics and how they can be applied to security teams today when implementing a bug bounty program. Further, the talk will provide analysis of aggregated vulnerability bounty information over the past several years as well as some profound insights on security researchers, quality of research, vendor disposition, disclosure trends, and the value of security vulnerabilities. Finally, it will cover what constitutes a solid bounty program as well as provide some thought-provoking insight that will lead to serious discussion about the state of bug bounties and the associated bounty hunters. Are they in fact living up to the hype of being an amazing resource for software security? Or will we realize that Admiral Piett was correct in what he said to Darth Vader; "Bounty Hunters. We don't need that scum."