
Continuous Security - Paris.rb

Adam Surak
October 04, 2016

Talk about how we use public bug bounty program to continuously test our security and our experience with HackerOne for more than a year.

Transcript

  1. @AdamSurak
     Responsible disclosure
     [email protected]
     “Give me money!”
     “Give me money or I will not tell you what I’ve found!”
     How do you send money to India, Pakistan, … ?

  2. @AdamSurak
     Public Bug Bounty Program
     HackerOne, Bugcrowd, …
     All the reports in one place
     Protects both reporter and site owner
     Clean accounting
     Possible swag-only

  3. @AdamSurak
     All-time vs last 6 months

                          All-time   Last 6 months
     Response time        2 days     1 day
     Resolution time      21 days    11 days
     Bounties             $10,125    $4,000

  4. @AdamSurak
     Learnings
     PenTesters think differently
     Beginning is hard
     Have patience with communication
     You can’t do it best effort
     There will be noise
     No matter what, they will use automatic scanners