@AdamSurak
Penetration testing
Quality varies
Very detailed and understandable outcomes
Higher price*
One shot -> outdated in a few hours
Responsible disclosure
[email protected]
“Give me money!”
“Give me money or I will not tell you what I’ve found!”
How do you send money to India, Pakistan, … ?
Public Bug Bounty Program
HackerOne, Bugcrowd, …
All the reports in one place
Protects both reporter and site owner
Clean accounting
Possible swag-only
1 year with HackerOne
1 year with HackerOne
[chart: 12.2%, 42.2%, 23.2%, 22.4% (segment labels not recoverable)]
All-time vs last 6 months
[charts: 12.2%, 42.2%, 23.2%, 22.4% | 18.2%, 22.9%, 13.5%, 45.3% (segment labels not recoverable)]
1 year with HackerOne
All-time vs last 6 months
                  All-time    Last 6 months
Response time     2 days      1 day
Resolution time   21 days     11 days
Bounties          $10,125     $4,000
Learnings
PenTesters think differently
Beginning is hard
Have patience with communication
You can’t do it best effort
There will be noise
No matter what, they will use automatic scanners
We are hiring in Paris and SF
QUESTIONS?
Build Unique Search Experiences
[email protected]
@AdamSurak