Launching a bug bounty program is hard. Running and maintaining a successful bug bounty program is even harder. Though bug bounty programs are becoming increasingly popular, a poorly managed bug bounty program can paradoxically introduce more risk. If properly run, however, the security benefits of a responsive, efficient, and empathetic bug bounty program are priceless.
Using real-world stories of both failure and success, Alexandra Ulsh details how Mapbox’s security team used tools, processes, automation, and empathy to decrease response time by 90%, reduce noise, and improve average report quality for its bug bounty program. Alex walks you through how Mapbox launched its bug bounty program—first privately, then publicly—and how the company used this emerging cornerstone of application security to improve product security, mitigate risk, and save money, all while maintaining the work-life balance of a relatively small security team. You’ll hear real stories about ways the bug bounty program failed and what the team did to fix it.
Using popular SaaS collaboration and incident response tools you may already be using, such as HelpScout, PagerDuty, GitHub, and Slack, Alex shows you how to create an effective, responsive, and complete bug bounty workflow, from report submission all the way to public disclosure. These tools, as well as other processes Mapbox implemented, drastically improved average time to first response from upwards of a week to within 12 hours. Alex also shares architecture diagrams and code samples showing how these tools were integrated, so that you can practically implement these solutions at your own organization, along with practical tips on using automation and clear program guidelines to both reduce noise and increase the average quality of reports.
You’ll learn how empathy, vulnerability, and transparency with security researchers lead to higher hacker engagement and mutually beneficial collaboration, how to take the final nerve-wracking step of public disclosure of a security vulnerability, and how improving Mapbox’s bug bounty workflow process led to a radical overhaul of its security incident response process, culminating in a formal security incident response framework.
Alexandra Ulsh is an information security engineer at Mapbox, a mapping platform that supports more than a quarter billion end users worldwide, where she makes sure the company’s cloud infrastructure is secure, stable, and able to perform under high demand in any part of the world. A founding member of Mapbox’s security team, Alex launched the company’s public bug bounty program and works on everything from application security to platform security on AWS to making sure every team member has a password manager and knows how to use it. Previously, Alex built, configured, and secured large SharePoint-based intranets for the Department of Defense with a specialization in automating the entire DIACAP STIG process via PowerShell scripts. Alex is a director of Women Who Code DC and an active organizer and participant in the larger DC Tech community, including DCFemTech and Code for DC.
©2017, O'Reilly Media, Inc.