Discover and read the best of Twitter Threads about #bugbounty

Most recent (2)

Big spike in chatter about #bugbounty programs over the last 48 hours. That's a very good thing. I would like to share my thoughts on this topic from the experience I've had leading security at a company with ~500 software engineers.
First, thanks to folks like @k8em0 & @caseyjohnellis and companies like @Hacker0x01 & @Bugcrowd - #bugbounty programs can be built and managed much more easily than they could 5 years ago. But if you are someone who is in a position that can implement a program...
the first question you should ask is: Are we mature enough to do this? That question should not be taken lightly; as we saw from the @Uber situation, even they were not prepared for the types of situations you will have to deal with.
Excellent post re hunting #bugbounties. These stats show the researcher's persistence & skilling up, & also inadvertently highlight problems with the #bugbounty ecosystem. What other security job only pays for 57% of your work?
"13% reward rate for 1st month, then 25%, then 57%."
I'm a fan of creating incentives. What #bugbounties have turned into is a misinformed (on both hunted & hunter sides) replacement for other security activities. Thoughtful incentives (including but not limited to bounties) create win-win. The 1st MS bounties had no duplicates.
I love that bug hunters & orgs running bug bounties are using the programs to learn. That's great news. But is it improving security over time, or just outsourcing QA, encouraging sloppier releases & deployments, which lead to more low-hanging fruit, & therefore more duplicates?