I recently spoke at TConf 2017, an Australian quality assurance conference, about how bug bounty programs can be a great control to reduce security issues within your web applications. It covered how to run a bug bounty program, their pros and cons, and an update on seek.com.au’s program, including a show and tell of a few recent bugs that have been reported! This was a slightly updated and shortened version of the talk I presented at NDC 2017 this year.
What would happen if we allowed 50 hackers from around the world to hack into our web applications? Is this a crazy idea? We don’t think so, as that’s exactly what we did and it was a great success!
It’s called a bug bounty program, and it is quite a new concept in the industry, but it is gaining traction as it significantly reduces the cost of performing security testing on websites, increases the quality of the bugs identified and provides a way to continuously test web apps! In this talk I will take you through an overview of how the program went, lessons learnt and how this program fits into SEEK’s wider application security vision.