October 30–31, 2016: Training
October 31–November 2, 2016: Tutorials & Conference
New York, NY

Hacker quantified security

Alex Rice (HackerOne)
3:50pm–4:30pm Wednesday, 11/02/2016
Bridging business and security
Location: Mercury Ballroom
Level: Non-technical
Average rating: 4.50 (2 ratings)

Prerequisite knowledge

  • Basic knowledge of the security development life-cycle, vulnerability coordination, and incident response

What you'll learn

  • Understand the various types of programs companies are creating to coordinate with and provide incentives to hackers
  • Discover the types of organizations and industries that are creating programs, the challenges they face, and how they are overcoming them
  • Explore aggregate vulnerability trend data from 500+ programs, why a company would or wouldn't incentivize the discovery of vulnerabilities, and how to ensure these incentives generate positive returns
  • Learn how organizations leverage this continuous external testing as a means to measure and quantify their security posture, how these programs can be applied to open source and critical Internet infrastructure, and how these programs can become a highly leveraged recruitment channel


After many years of friction, software organizations and hackers are finally working together to find, report, and fix vulnerabilities using a wide range of bug bounty and incentive programs. The leading organizations embracing this collaborative approach have seen dramatic improvements to their security response capabilities. Enabling a distributed pool of talented hackers to augment their internal teams helps offset a significant shortfall in the security workforce. These organizations recognize that bulletproof security is a delusion and adopt a continuous, collaborative approach to improvement.

But how effective are these programs? Alex Rice offers an overview of an advanced framework for assessing the performance of these programs and quantifying their impact on your security development life-cycle based on a weighted index that looks at six dimensions—hacker breadth, depth, vulnerabilities found, response efficiency, reward competitiveness, and signal ratio analysis—drawn from an analysis of aggregate vulnerability coordination data from 500+ organizations. Whether you already run an active bug bounty program or still have your security@ address route to /dev/null, Alex will help you shed blind dogma; you’ll walk away armed with an analytical approach to building a highly effective vulnerability coordination program.

Alex Rice


Alex Rice is a cofounder and chief technology officer at HackerOne, which provides a platform that enables organizations to build strong relationships with a community of security experts. Alex is responsible for developing the HackerOne technology vision, driving engineering efforts, and counseling customers as they build world-class security programs. Previously, Alex worked at Facebook for over six years, where he founded the product security team, built one of the industry’s most successful security programs, and introduced new transport layer encryption used by more than a billion users. Alex also serves on the board of the Internet Bug Bounty, a nonprofit organization that enables and encourages friendly hackers to help build a more secure Internet.