BSidesSF 2018

Bug bounty programs are nearly ubiquitous today, but that wasn’t always the case. When the Zero Day Initiative (ZDI) was founded in 2005, bug bounty programs were considered to be a rare and somewhat controversial commodity. Now they are seen as an indispensable means for companies to acquire bug reports. Our initial goals were similar. The ZDI program extended our own research team by leveraging the methodologies, expertise, and time of others around the globe. Imagine adding more than 3,000 independent researchers from around the world to your team. Having the program asymmetrically enhanced our research capabilities through vulnerability acquisition. The program also provided the data needed to protect our customers while the affected vendor worked on a patch. Since that time, the program has awarded more than $15 million USD while ensuring nearly 4,000 0-day exploits were patched by vendors, all of which makes the computing landscape a safer space and makes ZDI the world’s largest vendor-agnostic bug bounty program.
 
Even if you don’t participate in a bounty program, they impact you and the systems you defend. Over the last decade, mature bug bounty programs have evolved from simply acquiring bug reports to providing real insights into vulnerability and exploit trends. Bug submissions to the available bounty programs had the unintended consequence of effectively crowd-sourcing vulnerability intelligence by showing industry trends and state-of-the-art exploitation methodologies. Bounty programs impact the exploit marketplace while disrupting exploit efforts of advanced threats and persistent actors. These programs have tracked the rise and fall of bug classes over the years, and they’ve tracked the rise and impact of government regulations in different regions of the globe. As shown in recently leaked government documents, bug reports that come through bounty programs disrupt various pieces of the exploit market and force bad actors to change their exploit techniques. When combined with top-tier, in-house researchers, the best programs are capable of predicting the next major attack surface that will become popular based on what bugs are submitted to the program.

Join ZDI Director Brian Gorenc as he covers the current landscape of bounty programs and the winding, often controversial road that led us here. We also cover the vulnerability economy and the role bug bounties play in shaping the exploit marketplace. Finally, he’ll show how effectively run programs have disrupted exploit usage in the wild.