Published on December 3rd, 2018

Brian Gorenc – From Bounties to Bureaucracy // Keynote Speech




Even if you don’t participate in a bounty program, such programs affect you and the systems you defend. Over the last decade, mature bug bounty programs have evolved from simply acquiring bug reports to providing real insight into vulnerability and exploit trends. Submissions to the available bounty programs have had the unintended consequence of effectively crowd-sourcing vulnerability intelligence, revealing industry trends and state-of-the-art exploitation methodologies. Bounty programs affect the exploit marketplace and disrupt the exploit efforts of advanced and persistent threat actors. These programs have tracked the rise and fall of bug classes over the years, and they have tracked the rise and impact of government regulations in different regions of the globe. As shown in recently leaked government documents, bug reports that come through bounty programs disrupt various parts of the exploit market and force bad actors to change their exploit techniques. When combined with top-tier in-house researchers, the best programs can predict the next major attack surface that will become popular, based on which bugs are submitted to the program.

Join ZDI Director Brian Gorenc as he covers the current landscape of bounty programs and the winding, often controversial road that led us here. He also covers the vulnerability economy and the role bug bounties play in shaping the exploit marketplace. Finally, he shows how effectively run programs have disrupted exploit usage in the wild.




