Slides Here: /redirect?q=https%3A%2F%2Fwww.defcon.org%2Fimages%2Fdefcon-22%2Fdc-22-presentations%2FKouns-Eiram%2FDEFCON-22-Kouns-Eiram-Screw-Becoming-A-Pentester-Bug-Bounty-Hunter-UPDATED.pdf&v=759ZalgD1vg&event=video_description&redir_token=c18lmjGhyRtvbnYkQ3KitntbMip8MTUzNzM5NTg1M0AxNTM3MzA5NDUz
Screw Becoming A Pentester - When I Grow Up I Want To Be A Bug Bounty Hunter!
Jake Kouns CISO, RISK BASED SECURITY
Carsten Eiram CHIEF RESEARCH OFFICER, RISK BASED SECURITY
Everywhere you turn it seems that companies are having serious problems with security, and they desperately need help. Getting into information security provides an incredible career path with what appears to be no end in sight. There are so many disciplines that you can choose in InfoSec with the fundamental argument being whether you join Team Red or Team Blue. Most people tend to decide on the Red team and that becoming a professional pentester is the way to go, as it is the most sexy (and typically pays well). However, with bug bounties currently being all the rage and providing a legal and legitimate way to profit off vulnerability research, who really wants to be a pentester, when you can have so much more fun being a bug bounty hunter!
Researcher motivation in the old days and options for making money off of vulnerabilities were much different than today. This talk analyzes the history of selling vulnerabilities, the introduction of bug bounties, and their evolution. We cover many facets including the different types of programs and the ranges of money that can be made. We then focus on researchers, who have currently chosen the bug bounty hunter lifestyle and provide details on how to get involved in bug bounty programs, which likely pay the best, and which vendors you may want to avoid. What constitutes a good bug bounty program that makes it worth your time? What do you need to know to make sure that you keep yourself out of legal trouble?
Ultimately, we’ll provide thoughts on the value of bug bounties, their future, and if they can be a full-time career choice instead of a more traditional position such as pentesting.
Jake Kouns is the CISO for Risk Based Security and the CEO of the Open Security Foundation, that oversees the operations of the OSVDB.org and DataLossDB.org. Mr. Kouns has presented at many well-known security conferences including RSA, DEF CON, CISO Executive Summit, EntNet IEEE GlobeCom, FIRST, CanSecWest, SOURCE and SyScan. He is the co-author of the book Information Technology Risk Management in Enterprise Environments, Wiley, 2010 and The Chief Information Security Officer, IT Governance, 2011. He holds both a Bachelor of Business Administration and a Master of Business Administration with a concentration in Information Security from James Madison University. In addition, he holds a number of certifications including ISC2's CISSP, and ISACA's CISM, CISA and CGEIT.
Carsten Eiram is the Chief Research Officer of Risk Based Security and previously worked 10 years for Secunia, managing the Research team. Carsten has a reverse engineering background and extensive experience in the field of Vulnerability Intelligence, referring to himself as a vulnerability connoisseur. He has deep insights into vulnerabilities, root causes, and trends, and is also an avid vulnerability researcher, having discovered critical vulnerabilities in high-profile products from major vendors including: Microsoft, Adobe, Symantec, IBM, Apple, Novell, SAP, Blue Coat, and Trend Micro. Carsten has been interviewed for numerous news articles about software security and has presented at conferences such as FIRST Conference, RSA Conference, DEF CON, RVAsec, as well as keynoting Defcamp 2013. He is also a regular contributor to the "Threat of the Month" column in SC Magazine, a credited contributor for the "CWE/SANS Top 25 Most Dangerous Software Errors" list, and member of the CVE Editorial Board and FIRST VRDX-SIG.