Presentation Material
Abstract
Bug bounties weren’t always popular, especially not at Microsoft. As Microsoft celebrates 10 years of its bug bounty program, join the creator of its bounties and the current CVP and Deputy CISO to hear never-before-shared tales of overcoming institutional and industry-wide reluctance to pay for bugs, lessons learned over the years, and how best to evolve bounties in the future.
AI-Generated Summary
The talk focuses on the history and evolution of bug bounty programs, specifically at Microsoft. The speakers discuss how bug bounties have become a widely accepted practice in the industry, with Microsoft’s program starting in 2013. They share lessons learned from their experiences, including the importance of engaging with security researchers, using bug bounties as a signal to identify broader security issues, and incorporating bug bounty data into the security development lifecycle.
Key findings and techniques presented include the use of bug bounties to drive security investments, the importance of timely communication with researchers, and the need to acknowledge and reward researchers for their work. The speakers also emphasize the importance of having a growth mindset, being nimble, and being gracious to the research community.
The talk highlights Microsoft’s approach to bug bounties, which includes paying researchers promptly, deploying detections and mitigations, and conducting variant hunting to identify related vulnerabilities. The speakers also discuss the importance of metrics, such as average time to fix and bug severity, in evaluating the effectiveness of bug bounty programs.
Practical implications and takeaways from the talk include the need to establish clear goals and metrics for bug bounty programs, ensure that internal processes and people are in place to support the program, and feed bug bounty data into the security development lifecycle to drive improvements. The speakers also emphasize the importance of being mindful of the outcomes desired from a bug bounty program and using the program as a way to engage with the security research community, rather than just as a way to control the flow of vulnerability information.