Build Better Defenses
October 29–30, 2017: Training
October 30–November 1, 2017: Tutorials & Conference
New York, NY

How to launch and run a successful bug bounty program: A security team perspective

Alexandra Ulsh (Mapbox)
11:20am–12:00pm Wednesday, November 1, 2017
Tools and processes
Location: Sutton South
Average rating: *****
(5.00, 1 rating)

Who is this presentation for?

  • Information security and application security engineers, decision makers, and security researchers

Prerequisite knowledge

  • Basic knowledge of bug bounty programs, vulnerability coordination, and security incident response procedures
  • Familiarity with common SaaS collaboration and incident response tools, such as PagerDuty, Slack, HelpScout, and GitHub

What you'll learn

  • Explore lessons learned from running a bug bounty program at Mapbox and learn how to apply them to your overall security incident response process


Launching a bug bounty program is hard. Running and maintaining a successful bug bounty program is even harder. Though bug bounty programs are becoming increasingly popular, a poorly managed bug bounty program can paradoxically introduce more risk. If properly run, however, the security benefits of a responsive, efficient, and empathetic bug bounty program are priceless.

Using real-world stories of both failure and success, Alexandra Ulsh details how Mapbox’s security team used tools, processes, automation, and empathy to decrease response time by 90%, reduce noise, and improve average report quality for its bug bounty program. Alex walks you through how Mapbox launched its bug bounty program—first privately, then publicly—and how the company used this emerging cornerstone of application security to improve product security, mitigate risk, and save money, all while maintaining the work-life balance of a relatively small security team. You’ll hear real stories about ways the bug bounty program failed and what the team did to fix it.

Using popular SaaS collaboration and incident response tools you may already be using, such as HelpScout, PagerDuty, GitHub, and Slack, Alex show you how to create an effective, responsive, and complete bug bounty workflow, from report submission all the way to public disclosure. These tools, as well as other processes Mapbox implemented, drastically improved average time to first response from upwards of a week to within 12 hours. Alex also shares architecture diagrams and code samples for how these tools were integrated so that you can practically implement these solutions at your own organization along with practical tips on how to use automation and clear program guidelines to both reduce noise and increase the average quality of reports.

You’ll learn how empathy, vulnerability, and transparency with security researchers leads to higher hacker engagement and mutually beneficial collaboration, how to take the final nerve-wracking step of security vulnerability public disclosure, and how improving Mapbox’s bug bounty workflow process led to a radical overhaul of its security incident response process, culminating in a formal security incident response framework.

Photo of Alexandra Ulsh

Alexandra Ulsh


Alexandra Ulsh is an information security engineer at Mapbox, a mapping platform that supports more than a quarter billion end users worldwide, where she makes sure the company’s cloud infrastructure is secure, stable, and able to perform under high demand in any part of the world. A founding member of Mapbox’s security team, Alex launched the company’s public bug bounty program and works on everything from application security to platform security on AWS to making sure every team member has a password manager and knows how to use it. Previously, Alex built, configured, and secured large SharePoint-based intranets for the Department of Defense with a specialization in automating the entire DIACAP STIG process via PowerShell scripts. Alex is a director of Women Who Code DC and an active organizer and participant in the larger DC Tech community, including DCFemTech and Code for DC.

Comments on this page are now closed.


11/01/2017 5:16am EDT

Many bug bounties are targeted at a small number of applications and a limited set of remediation teams. It would help to also know how bug bounties can improve security of dozens or hundreds of applications and teams.