Bounty Operations: Best Practices and Common Pitfalls to Avoid in the First 6-12 Months

Black Hat USA 2019

Presented by: Gregory Caswell, Brett Goldstein, Josh Jay, Shannon Sabens, Jarek Stanley
Date: Thursday August 08, 2019
Time: 11:00 - 11:50
Location: Mandalay Bay CD

Ever want to talk to someone who runs a bug bounty program and trade best practices and horror stories? Join this panel of bounty managers for real talk on signal vs. noise, ROI, interacting with bounty hunters, and all the little things they wish they'd known before learning the hard way. Panelists will share strategies for day-to-day operations, triage, and scope setting, and discuss which vulnerability types are found most often and why they still end up in production code after over a decade of advances in security tooling and secure development practices.

Jarek Stanley

Jarek Stanley is the Senior Program Manager leading Microsoft’s Bug Bounty Program. His role and research focus on the communities and economies underlying vulnerability research and disclosure. Prior to joining Microsoft he led the R&D program for the Bluetooth SIG and received his Master of Arts in International Economics from Johns Hopkins University SAIS.

Shannon Sabens

Shannon Sabens has 20 years of experience managing programs in security, anti-malware and software vulnerability research and response coordination. Shannon’s long history in the industry has taken her to Symantec, HP, Microsoft and Trend Micro, managing partner and customer relationships, and prioritizing day-to-day work in the labs. Currently, she is the Security Program Manager for Trend Micro’s Zero Day Initiative, where she has purchased vulnerability reports/exploits and coordinated vulnerability disclosures for over 4,000 cases. During her tenure, the Zero Day Initiative has arguably grown to be the largest known curated collection of vulnerability reports and exploits globally.

Gregory Caswell

Greg Caswell is an engineer at heart who enjoys helping make software systems slightly less terrible. For the past five years he has been building and managing an application security team at Indeed, responsible for teaching security concepts to developers, assessing the security of thousands of applications, triaging bug bounty submissions, and automating as much as they can in the process. He holds degrees in electrical and computer engineering. Outside of security, he enjoys beekeeping, aquaponics, and cooking.

Josh Jay

Josh Jay is an ethical hacker and researcher based out of Los Angeles, California. He began his career in social engineering and internal and wireless network penetration testing before pivoting to application security. In his previous role at a Fortune 100 company he designed, built, and managed aviation's first public bounty program, which subsequently won multiple awards. Josh now manages application security for a major film studio.

Brett Goldstein

Brett Goldstein is the Director of Defense Digital Service, where he leads a team of technologists focused on high-impact problems at the Department of Defense. Throughout his career, Brett has served in a range of mission-driven leadership roles across government, the private sector, and academia. He is deeply committed to improving government through data and technology, and by creating tools and new approaches for smarter decision making and better services. Brett began his technology career at OpenTable, where he helped grow the company from an early stage startup to a multinational corporation. He later joined the Chicago Police Department where he led the department's efforts at predictive analytics. He became Chicago and the nation's first Chief Data Officer and later Chicago's Chief Information Officer. Brett continues to serve as a Senior Fellow and Special Adviser for Urban Science at the University of Chicago.
