Jake Kouns – Bounty Hunters: Was Admiral Piett Correct?
Jake Kouns is the CISO for Risk Based Security and the CEO of the Open Security Foundation, that oversees the operations of the Open Source Vulnerability Database (OSVDB.org). Mr. Kouns has presented at many well-known security conferences including RSA, DEF CON, CISO Executive Summit, EntNet IEEE GlobeCom, FIRST, CanSecWest, SOURCE and SyScan. He is the co-author of the book Information Technology Risk Management in Enterprise Environments, Wiley, 2010 and The Chief Information Security Officer, IT Governance, 2011. He holds both a Bachelor of Business Administration and a Master of Business Administration with a concentration in Information Security from James Madison University. In addition, he holds a number of certifications including ISC2’s CISSP, and ISACA’s CISM, CISA and CGEIT.
If you want to understand security research and disclosure, just like in most other industries all you have to do is follow the money! The mass acceptance and proliferation of bug bounty programs has had a significant impact on the security industry. In fact, it has become clear that Bug Bounties are all the rage. Researchers love them as they are finally getting compensated for all that free QA and security testing they have done over the years! Vendors at the moment appear to love them as well. Bug Bounties are so sexy that even notorious holdout Microsoft has a bounty now! If you are a vendor or organization and don’t have a bug bounty yet, or think you can’t handle one yourself, never fear! There are now multiple companies that have formed with the sole business model to run a bounty program on your behalf.
This talk will provide an analysis of vulnerability information over the past several years, provides some profound insights on security researchers, quality of research, vendors, disclosure trends and the value of security vulnerabilities. Finally it will cover what makes up a good bounty program as well as provide some thought-provoking commentary that will lead to serious discussion about bug bounty programs. Are they in fact living up to the hype of being an amazing resource for software security or will we realize that Admiral Piett was correct?