Fad or Future? Getting Past the Bug Bounty Hype

Black Hat USA 2017

Presented by: Angelo Prado, Kymberlee Price, Charles Valentine
Date: Thursday July 27, 2017
Time: 09:45 - 10:35
Location: Lagoon DEFJKL

Ever want to talk to someone who runs a bug bounty program and get the real scoop on its impact on application security? Whether your company has a bounty program or is considering starting one, join this panel of bounty managers for real talk on signal vs. noise, ROI, interacting with bounty hunters, and all the little things they wish they'd known before learning the hard way. Panelists will share strategies for day-to-day operations, handling conflicts and unsolicited disclosure, triage strategies and scope setting, and chat about which vulnerability types are found most often and why they still end up in production code after over a decade of advances in security tooling and secure development practices.

Kymberlee Price

With over 13 years' experience in the information security industry specializing in application security incident response and investigations, Kymberlee Price got her start by pioneering the first security researcher outreach program in the software industry at Microsoft. Ms. Price was later a principal investigator in the Zotob criminal investigation, and analyzed APTs at Microsoft. She then spent 4 years investigating product vulnerabilities in BlackBerry's Security Response Team. After three years directing the efforts of Bugcrowd's more than 50,000 Crowd members in web application, mobile application, IoT and host infrastructure penetration testing, Ms. Price has returned to Microsoft and her passion for securing applications and services that utilize open source and third-party libraries. Ms. Price previously co-chaired the Department of Commerce NTIA Working Group on Multi-Party Vulnerability Disclosure and speaks regularly on vulnerability management and product incident response best practices at events including Black Hat USA, RSA, Kaspersky Security Analyst Summit, Nullcon, and Metricon.

Angelo Prado

Angelo Prado is a Director, Product Security Manager at Salesforce.com and an independent security researcher. He has worked as a software and application security engineer for Salesforce, Microsoft, and Motorola. Mr. Prado has a proven record of leading engineering teams of highly trained product security engineers by providing effective application security and building a robust and respected security practice. He is directly responsible for launching and managing one of the largest bug bounty programs in the industry. Mr. Prado is one of the leading contributors to BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext), a security exploit against SSL which leverages a compression side channel to derive secrets from the ciphertext in an HTTPS stream. As a thought leader of the security community, Mr. Prado frequently speaks at major conferences worldwide, including Black Hat USA, Black Hat Asia, ToorCon, SecTor, Hacker Halted, TakeDownCon, SC Congress, Comillas University, and Georgetown University. Angelo Prado holds a Master's degree in Computer Science from Universidad Pontificia Comillas, Madrid, where he currently teaches a graduate class (Master's Degree in Security & Telecommunications Engineering) as an associate professor. He has also attended the University of Illinois at Urbana-Champaign. His passions and research include web application security, Windows security, web browsers, machine learning, malware analysis and side channels. Some of Mr. Prado's recent disclosures include: "SSL, Gone in 30 Seconds - a BREACH Beyond CRIME" (US-CERT, MITRE: CVE-2013-3587), presented at Black Hat USA 2013 (Las Vegas); "Browsers Gone Wild", presented at Black Hat Asia 2015 (Singapore); Resin Pro improperly performs Unicode transformations (US-CERT, NIST: CVE-2014-2966); Mail in Apple iOS 6 allows remote attackers to spoof attachments (US-CERT, NIST: CVE-2012-3730); Microsoft Security Researcher Acknowledgments for Online Services (TechNet: 2012, 2013, 2015); Internet Explorer Information Disclosure Vulnerability (CVE-2015-2414).

Charles Valentine

Charles Valentine is the VP of Technology Services at Indeed, the #1 global job search engine. Indeed currently operates in more than 60 countries and 28 languages, serving over 180 million monthly job seekers from multiple data centers located around the globe, maintaining better than 99.999% availability and sub-second response times. Charles is responsible for Indeed's infrastructure operations and engineering, security, business intelligence, IT application development, and IT helpdesk. During his tenure, Charles has helped build and grow a global team of technology experts. Prior to Indeed, Charles was VP of Technology Services at XO Group, where he was responsible for the technology and systems that ran theknot.com, thenest.com, and thebump.com. Prior to XO Group, Charles was the head of engineering and operations for texas.gov. Charles holds a Bachelor of Science in Electrical Engineering from Texas Tech University. He lives in Austin, Texas, with his family.
