2015 saw unprecedented participation in crowdsourced bug bounty programs, as big technology vendors like Google, Facebook and even Tesla have embraced the need for bug bounty programs. Across the board, bug bounties saw a sharp rise in both popularity and accessibility. For the first time, companies beyond the enterprise technology space have been able to participate in wide scale public or private bug bounties.

In this talk, Leif will outline the findings from a three year report that analyzes vulnerability and community data to demonstrate the rapid evolution of the bug bounty economy.

Drawing from more than 40,000 bug submissions and an ever-expanding researcher community totaling more than 20,000 researchers, attendees will learn about the top vulnerabilities found, the fluctuating value of a bug, who the researchers are and general trends observed like the growth of invitation-only programs. In addition, Leif will cover best practices for attendees looking to start their own bug bounty program.

This presentation was given at Structure Security 2016 and BSides SF/LA/Portland/Raleigh 2015. BSides SF 2015