Continuous Security - Paris.rb

B6e65829cc035d58fe399073e4244c6a?s=47 Adam Surak
October 04, 2016

Continuous Security - Paris.rb

Talk about how we use public bug bounty program to continuously test our security and our experience with HackerOne for more than a year.

B6e65829cc035d58fe399073e4244c6a?s=128

Adam Surak

October 04, 2016
Tweet

Transcript

  1. 1.

    Build Unique Search Experiences Adam Surak SRE & Security Engineer

    adam.surak@algolia.com @AdamSurak Continuous Security
  2. 5.

    @AdamSurak Responsive disclosure security@algolia.com “Give me money!” “Give me money

    or I will not tell you what I’ve found!” How do you send money to India, Pakistan, … ?
  3. 6.

    @AdamSurak Public Bug Bounty Program HackerOne, Bugcrowd, … All the

    reports in one place Protects both reporter and site owner Clean accounting Possible swag-only
  4. 11.

    @AdamSurak All-time vs last 6 months All-time Last 6 months

    Response time 2 days 1 day Resolution time 21 days 11 days Bounties $10,125 $4,000
  5. 12.

    @AdamSurak Learnings PenTesters think differently Beginning is hard Have patience

    with communication You can’t do it best effort There will be noise No matter what, they will use automatic scanners
  6. 13.

    W e are hiring in Paris and SF QUESTIONS? Build

    Unique Search Experiences adam@algolia.com @AdamSurak