Risky Business #268 -- Outsource your bug bounty program?

A novel approach to crowdsourced security QA...
February 8, 2013 -- 

This week's feature interview is with Casey Ellis of BugCrowd.com -- a new business that runs outsourced bug bounty programs. It's a great idea and it's one that I personally think will really take off over the next couple of years.

This week's show is brought to you by our good friends at Adobe.

Adobe's director of product security and privacy Brad Arkin will be along a bit later on with an update on the phantom 0day issue the company experienced last year, as well as filling us in on some efforts designed to combat spearphishing attacks that use dodgy Flash objects embedded in Office files. It's more interesting than it sounds!

Adam Boileau is back in the news seat for a chat about recent headlines. You can find links to all the articles we discussed here.

Comments

adrianfabilar:

Bounty programs are the most effective way to find vulnerabilities in your code, but they're inherently inefficient as well.
Crowdcontrol was built to make this process more efficient.


droplar:

The bounty program has been doing pretty well. They will have to get used to with it. - Lindsay Rosenwald

Anonymous (capital A):

LOL so no comment by Adobe's lolsecurity director on the entirely non-phantom Coldfusion 0day they definitely didn't get compromised with themselves?

Bobby:

Welcome back, great stuff as always!

What is the music at the end of the show? It's awesome :)