Hackers of India

Should all CISOs promote a “hall of fame” within their organizations?

By Burgess Cooper, Durga Dube, Thom Langford, Harish Pillay on 02 Mar 2018 @ Nullcon


AI Generated Summary (may contain errors)

The conversation revolves around bug bounty programs. A bug bounty program is a scheme in which an organization offers monetary rewards to security researchers and ethical hackers who discover and report vulnerabilities in its systems or products. The discussion highlights the benefits and challenges of implementing such programs.

Key points:

  1. Internal vs. External Experts: Organizations gain more by leveraging internal experts, who already know the operational arrangements and structures, to identify vulnerabilities.

  2. Whistleblower Policy: Many corporations already have institutionalized whistleblower policies that encourage employees to report security concerns.

  3. Bug Bounty as a Side Hustle: Security professionals may engage in bug bounty programs on the side, which can create conflicts of interest if not managed properly.

  4. Non-Compete Agreements: Employers should consider non-compete agreements to prevent employees from exploiting vulnerabilities they learn about at work for personal gain.

  5. Official Time vs. Personal Time: The line between official working hours and personal time blurs when employees engage in bug bounty activities, so performance reviews become crucial for keeping the two apart.

  6. Managed Approach: Bug bounty programs require a disciplined approach to ensure that they do not distract from primary job responsibilities.

  7. Open Source Debate: There is an ongoing debate about the value of bug bounty programs in open-source environments, with some arguing that they are less effective.

  8. Responding to Vulnerabilities: Organizations must respond promptly to reported vulnerabilities to maintain researchers' trust and avoid premature public disclosure.

  9. Non-Disclosure Agreements: Employers should consider including non-disclosure agreements to protect sensitive information.

  10. Hall of Fame: Recognizing security researchers who contribute to bug bounty programs can be an effective motivator.