Loading…
BSidesSF 2018 has ended
View analytic
Sunday, April 15 • 3:30pm - 4:00pm
Data Driven Bug Bounty

Sign up or log in to save this to your schedule and see who's attending!

Feedback form is now closed.
In a single sentence: if you're not collecting metrics from your bug bounty program then you're missing out on half of the value - it's not enough to simply triage, assign, and resolve individual bugs.

You should collect as much data as you can - things like first response/triage/payout/resolution time, what components are vulnerable and what bug classes are they vulnerable to, which teams are bugs originating from, how often do vulnerabilities go past SLA, and so on. This data can then be used for:
- assessing your company security posture
- figuring out which teams are fast responders and which teams consistently go past ticket SLA, and why
- starting dialogs with problematic teams, and getting alignment on resolving issues
- figuring out your security weak spots, and addressing those areas (feeding the data into your quarterly planning process)
- measuring improvement (or lack of improvement) over time

In this talk I'll share some of the metrics and graphs that we collect, and how we use them internally to improve our security process.

Presenters
avatar for Arkadiy Tetelman

Arkadiy Tetelman

Staff Application Security, Lob
I'm an application security engineer, currently at Lob and and previously at Airbnb/Twitter/CardSpring. I'm passionate about all things application security, including running bug bounty programs, static analysis, building secure-default frameworks, vulnerability management and prevention... Read More →


Sunday April 15, 2018 3:30pm - 4:00pm
AMC - IMAX