webinar: tips on building a world class bug bounty program from senior red team expert, mack staples

Building a World-Class Bug Bounty Program The best hackers, the best bugs, the best security.

Upload: hackerone

Post on 19-Mar-2017


TRANSCRIPT

Page 1: Webinar: Tips on Building a World Class Bug Bounty Program From Senior Red Team Expert, Mack Staples

Building a World-Class Bug Bounty Program. The best hackers, the best bugs, the best security.

Page 2

AGENDA

1. Introductions
2. Tip #1: Plan for the best, expect the worst
3. Tip #2: Partner closely with engineering
4. Tip #3: Recruit and retain hackers who will invest time to understand and test your logic
5. Tip #4: Maintain a competitive and generous bounty Program
6. Bonus Tips

Page 3

Mack Staples, Sr. Manager, Red Team

Mack Staples is a security professional with over 15 years' experience in security, encompassing both digital and physical security. For the last 10 years, he has focused on web application and mobile security. He started as a consultant and decided to transition to an in-house role when he connected with Zenefits and accepted a position managing their internal Red Team. Since then, he has guided and grown the Red Team and product security teams, and established a widely known and well respected Bug Bounty Program on HackerOne's platform.

Page 4

The Zenefits Bug Bounty Tips

Tip #1: Plan for the best, expect the worst

Tip #2: Partner closely with engineering and development teams

Tip #3: Recruit and retain hackers that understand your business and tech and are willing to invest the time to test your logic

Tip #4: Maintain a competitive and generous bounty program

Page 5

Tip #1: Plan for the best, expect the worst

It’s a culture of readiness and awareness. Criminals are vigilant in looking for that loophole, that forgotten flash file, that open endpoint.

• When we started our Program, we had a great track record — still do!

• Remember: past performance does not indicate future success

• If you’re online, you’re a target

• Something can always go wrong

• “Act as if you’re going to get hacked today”


Page 7

Tip #2: Partner closely with engineering and development teams

Water cooler security talks

Security must always be “on”, to respond to the dynamic environment all companies are facing today. That’s why we loop our developers into the security process.

• Involve your developers early

• Share specific findings and reports only with the owners

• Pay attention to trends — positive and negative — and share those observations with the org

• Socializing your Program will help developers “think security”, which will mean earlier security involvement in new features and code


Page 9

Tip #3: Recruit and retain hackers that understand your business and tech and are willing to invest the time to test your logic

Hackers gonna Hack (hopefully)

The most severe - and therefore valuable - vulnerabilities come from repeat and ongoing hacking.

• The best results will come from repeated, manual testing

• The better your Program, the more repeat engagement you’ll see

• Researchers will get a feel for your product

• They may even know it better than you do


Page 11

Tip #4: Maintain a competitive and generous bounty program

Stand out above the rest

To attract the best hackers, Zenefits set out to create one of the most attractive bug bounty programs in the world.

• Maintain clear, consistent communication

• Keep your Program flexible - “Scope isn’t holy”

• Be transparent in decisions and the time to answer questions

• Consider special events like the H1-702 hackathon in Vegas

• Keep bounties competitive and consider occasional “Multipliers”

Page 12

Bonus Tips

Be Loyal

The quality of researchers will determine the success of your Program. If you take care of them, they’ll take care of you. Sometimes this means ignoring your scope, or adding a bonus for an epic hack.

Celebrate the Creative Hack

Anyone can run an automated scanner. The best hacks come from creative minds, thinking in unexpected ways, and building new, custom tools. Recognizing these efforts goes a long way.

Remember the ABC’s

Always Be Closing! … bug reports. Momentum is key to keeping a Program alive and well.

Page 13

Let’s review: The Zenefits Bug Bounty Tips

Tip #1: Plan for the best, expect the worst

Tip #2: Partner closely with engineering and development teams

Tip #3: Recruit and retain hackers that understand your business and tech and are willing to invest the time to test your logic

Tip #4: Maintain a competitive and generous bounty program

Page 14

Questions?
