Name: Why Isn’t Anyone Paying Bounties for Zero Days?
Start: 2023-01-10T17:00:00Z
End: 2023-01-10T17:00:58.000Z
Location: BrightTALK
Rating: 4.7

HackerOne pinpoints the most critical security flaws across an organization’s attack surface with continual adversarial testing to outmatch cybercriminals. HackerOne’s Attack Resistance Platform blends the security expertise of ethical hackers with asset discovery, continuous assessment, and process enhancement to reduce threat exposure and empower organizations to transform their businesses with confidence. Customers include Citrix, Coinbase, Costa Coffee, General Motors, GitHub, Goldman Sachs, Hyatt, Microsoft, PayPal, Singapore’s Ministry of Defense, Slack, the U.S. Department of Defense, and Yahoo. In 2023, HackerOne was named a Best Workplace for Innovators by Fast Company.

In this panel session from the 2024 Cybersecurity Summit, you'll hear from experts from HackerOne, Google Cloud, Ping Identity, Automox, and HID about how to manage your attack surface, plan for the continuing influx of AI tools and technology, and protect your organization against ransomware, DDoS attacks, and more.

2024 and the Biggest Threats to your Business

Talent shortages, launch delays due to skillset and staffing gaps, and challenges in retaining seasoned pentesters. These all create serious barriers to running successful and consistently effective pentest programs. 

Inefficiencies in everything from coordinating schedules to monitoring coverage, tracking remediation, and maintaining a cadence of communications for high-risk issues can undermine productivity and reduce security effectiveness. 

Watch this on-demand demo (the first 10 mins) followed by a Q&A to see how the security industry’s leading Pentest as a Service (PTaaS) platform, combined with talented and thoroughly vetted pentesters, can create a responsive program filled with meaningful findings that deliver on its ROI promise.

Beyond Traditional Testing: Elevating Cybersecurity with HackerOne Pentests

Exploited vulnerabilities are the most common root cause of the most significant ransomware attacks in the financial services sector. At the same time, nearly half of security professionals say that testing too late in the development cycle remains a major source of frustration. So why are we still failing to catch vulnerabilities earlier? The structure and priorities of development and security teams remain at odds for most organizations. In fact, few “shift left” initiatives have successfully gone to plan. 

Developer productivity is still often measured on speed of deployment, at the expense of security. Failing to catch vulnerabilities before code is released overburdens small security teams, stalls code production, and increases the risk of costly data breaches that erode brand trust.

In this on-demand recording from the December 2023 Finance & Risk Cyber Security Summit, HackerOne's CTO, Alex Rice, will demonstrate how we can reframe our thinking, team structures, and culture to recognize that security is a process, not a destination. Security teams must adopt an advisory role for development that embraces how developers work and supports developer-first initiatives to drive secure outcomes.

Shift Left Is Dead: A Post-Mortem.

Gain invaluable insights on quality-driven pentesting from our virtual "Ask Me Anything" (AMA) session, tailored for security leaders skeptical about the impact and results of community-driven pentesting. You'll have direct access to the representatives from the elite top 10% of pentesters from HackerOne's 2 million-strong ethical hacking community, selected for their proven skills in rigorous testing environments. Address your doubts in this hour-long interactive panel, dissecting everything from web app vulnerabilities to compliance intricacies, all through the lens of methodical, results-oriented pentesting.

Who Should Join

This session is essential for security decision-makers who are weighing the benefits of community-driven pentesting against traditional models. If you're seeking to understand how collaborative security efforts can align with and enhance your business's security posture, this AMA will provide the clarity and reassurance needed to make informed decisions about your security strategy.

Check out this on demand webinar to see how structured, community-driven pentesting can yield quality outcomes and provide ongoing security assurance!

Truth Behind the Hack: Elite Pentesters Tell All in a Live Q&A

With the 2024 election right around the corner, security and integrity are on the minds of U.S. constituents. 

In this on-demand webinar, cybersecurity and election integrity subject-matter experts from The Elections Group and HackerOne discuss the success of a 2023 hacker challenge conducted by the Election Security Research Forum and leading voting technology providers—and give some tips on how state and local government leaders can leverage the findings to improve their security stance. The webinar also discusses the intersection of IT infrastructure and cybersecurity and how CVD can help election officials improve internal processes while building trust with constituents.

Ready for 2024: How CVD/VDP Can Boost Election Integrity and Public Perception

Hackers gather in London, U.K. to partner with the Salesforce security team as they work to keep their digital landscape and users safe. Hosted by HackerOne in June, 2023.

H1-4420: Salesforce's Live Hacking Event in London

Learn how the global talent of the ethical hacker community can help you with your preemptive security, delivered via Pentest as a Service (PTaaS), to streamline validation and fix vulnerabilities fast. See how PTaaS can help you:
- Reduce risk in real-time.
- Find more critical and high vulnerabilities.
- Accelerate pentest results to find and fix security issues faster. 
- Go above and beyond compliance. Satisfy requirements for SOC 2 Type II, PCI DSS, ISO 27001, HITRUST, FISMA, SOX, and GDPR.

The Power of Pentesting as a Service (PTaaS)

Recent Enterprise Strategy Group (ESG) survey data from Jon Oltsik, Distinguished Analyst and Fellow, indicates that for 87% of respondents, ensuring secure and available applications is a top priority. 

Though the importance of app security is paramount, ESG also noted the following persistent roadblocks:
• Maintaining security consistency across data center and public clouds where cloud-native apps are deployed
• Use of multiple cybersecurity controls that increase costs
• And lack of visibility into public cloud infrastructure where apps are hosted.

Jon Oltsik showcases 9 advantages of continuous penetration testing to enhance your company’s app security, as well as 5 ways to improve pentesting itself, in this custom ESG webinar. 

Join the discussion to view Oltsik’s vendor-neutral analysis of the state of app security, glean ESG’s latest survey data, and overcome your own app security challenges.

ESG Analysts on the Value of Continuous Penetration Testing

A well-designed and purposefully run bug bounty program can have a tremendous impact on your organization's attack resistance. A few fundamental steps will help you hit the ground running, so you can successfully launch and maintain a high-performing bounty program.

In this webinar, HackerOne’s field experts will walk you through what you need to know, drawing on their firsthand experience planning bug bounty programs for organizations ranging from federal governments to SMBs and global enterprises. You’ll learn how they set up customers for success and how mature programs operate to derive maximum value.

Key takeaways:
- Pre-launch steps for an effective public or private bug bounty program
- Day-to-day operational practices to ensure consistent results and maximum ROI
- Real-world examples of how bug bounty programs drive hacker engagement and track results 
- How HackerOne Bounty can help reduce recurring vulnerabilities by up to 98% and enable organizations to release secure products faster

Frontline Tips for Managing a High-Performing Bug Bounty Program

2023 is panning out to be another challenging year for security leaders. Between the looming recession, ongoing tech layoffs, and climbing security incidents, uncertainty looms large.

Get tips for recession-proofing your security strategy from seasoned CISOs who’ve been through this before. HackerOne’s CEO will lead this roundtable discussion with CISOs from Cisco Security Business Group, Xerox, and Sumo Logic to learn about:
—Lessons learned from past recessions and what security leaders can do to prepare
—Tips for consolidating and investing strategically for the best security outcomes
—How to adjust your security strategy if you face resource constraints

Recession-Proof Your Security Program

Grammarly Shares How It Pinpoints the Most Critical Flaws in Its Attack Surface with Help from Ethical Hackers.
As a company selling writing assistant software to enterprises, Grammarly understands that product security is not a one-and-done initiative. Join this executive fireside chat to hear directly from Grammarly’s CISO about the value they get from adversarial testing via the HackerOne platform and its legion of ethical hackers.

Alex Rice, CTO and Co-founder at HackerOne and Suha Can, CISO at Grammarly will discuss how bug bounty and penetration tests fit into Grammarly’s preemptive security programs and how Suha measures the value of these solutions.

Register for the webinar to discover:

-How to effectively leverage bug bounty and pentesting in your application security strategy.
-The value of working with a crowdsourced security platform.
-How to prove the value of preemptive security initiatives to your non-security stakeholders.

The Impact of Preemptive Security

Only 10% of IoT vendors disclose timelines for acknowledging and resolving reported threats—and a staggering 73% of consumer IoT companies are in breach of the Product Security and Telecommunications Infrastructure (PSTI) Act, with no vulnerability disclosure policy (VDP) at all.

David Rogers, MBE, chair of the Fraud and Security Group at the GSMA, and Laurie Mercer, Director of Solutions Engineering at HackerOne, discuss the state of vulnerability disclosure in global consumer IoT, and strategies you can adopt to implement a transparent, productive, and compliant VDP at your organization.

Key Takeaways:
-Understanding VDP policy trends and projections and how they affect you
-Learn which companies pass the disclosure threshold test (and which ones fail)
-Get policy recommendations for incentivizing security researchers
-Discover how IoT leaders like Samsung, Apple, and Panasonic structure their VDPs

The Critical Need for Vulnerability Disclosure in the IoT Security Landscape

Achieving actual attack resistance is hard. Security teams are stretched thin, attack surfaces are expanding, and digital threats are increasingly difficult to detect. Automated security can find vulnerabilities in unknown assets. However, visibility alone doesn’t drive meaningful remediation. Findings from automation often lack context and force security teams to spend time combing through false positives to find the few critical vulnerabilities that require fixing. In this session, Chris Evans, CISO and Chief Hacking Officer, and Alex Rice, CTO, will discuss his security strategy for combining the power of automated scanning with the security expertise of ethical hackers to drive down risk and achieve Attack Resistance Management for HackerOne.

How Human Experts Give you a Security Advantage

For the past six years, HackerOne has been surveying ethical hackers to get their perspective on the cybersecurity landscape, the evolution of risk, and what motivates them to help. The 2022 Hacker-Powered Security Report shines a light on the risks organizations face from an ever-expanding attack surface—and the trends uncovered by the most diverse community of security experts in the world.

Watch our webinar on-demand, featuring ethical hacker Jonathan Bouman and HackerOne’s Chris Evans (CISO), and Alex Rice (CTO) as they break down the report's findings—plus go beyond the report with specifics (and answers to your questions!) about how hackers can help you understand and protect your full attack surface.

Key takeaways:
—What motivates hackers and how do they approach finding vulnerabilities and reporting them to organizations.
—How HackerOne Top Ten Vulnerability data is evolving—and what that means for your security priorities.
—Benchmarking data on median and average bounty prices in your industry to inform your own program.
—Insights into the risks hackers find in key industries—from software to financial services, retail, automotive, and pharmaceuticals.

Live Analysis: 2022 Hacker Powered Security Report: Insights and Takeaways

Join this fireside chat with Howard Holton, CTO of GigaOm, to learn how Pentest as a Service (PTaaS) aligns to modern digital business cycles and fits into a broader strategy for building resistance to attacks by cybercriminals. 

GigaOm’s Radar Report states that “PTaaS represents the revolution in the pentesting space that was long overdue.” PTaaS builds on the efficacy of penetration testing methods and adds modern SaaS-like features, such as an interface that clients access to review centralized findings—vulnerabilities that have been exploited, potentially in real-time, direct communications with pen testers, standardized testing methods, and integrations with other technologies.
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. 
Key takeaways:
-Today’s business practices require modern approaches to application security that can keep pace with changing digital landscapes and evolving threats, which is especially important for penetration testing.
-PTaaS is an emerging solution that benefits security operations teams with a SaaS platform for more efficient program and engagement management.
-Certain PTaaS providers leverage crowdsourced communities of ethical hackers, including vetted and certified pentesters, for greater diversity and scale in the pentester pool.

How Pentest as a Service Fits Into a Modern Application Security Strategy

On July 4th, 2022, Chief Digital and Artificial Intelligence Office (CDAO), Directorate for Digital Services (DDS), DoD Cyber Crime Center (DC3), and HackerOne publicly launched the Hack U.S. bug bounty challenge, allowing ethical hackers from around the globe to earn monetary rewards for reporting of critical and high vulnerabilities from within the DoD Vulnerability Disclosure Program (VDP) published scope.
 
Watch this webinar to hear Corben Leo, a security researcher from the Hack U.S. program, discuss:
-How the Hack U.S. Bug Bounty Challenge was performed
-Results of the Hack U.S. Bug Bounty Challenge
-Key differences between VDP's and bug bounty programs
-How both VDP's and bug bounty programs can benefit your agency

How Security Researchers Strengthen the DOD's Security

In this session, some of world’s top ethical hackers share everything you've ever wanted to know. Hear about their most exciting find, learn about their strategies for identifying the most critical bugs to your organizations, and find out about what makes a successful ethical hacking program from their point of view.

Key takeaways
- Understand what motivates ethical hackers
- Learn their strategies for identifying the most business-critical bugs
- Get the tips for running a program that top ethical hackers will want to work on

Ask a Hacker in 2023

52% of security-conscious enterprises in a recent HackerOne survey don’t know how much of their attack surface is secured, and not one respondent was confident their organization was fully in control of its attack surface.

Any veteran security leader can confirm that organizations rarely know the full extent of their IT infrastructure, but the use of hybrid and multi-cloud environments, adoption of microservice architectures, and inherited assets from mergers and acquisitions make the shortfall more extensive than IT teams could have imagined in the past.

In this webinar, cybersecurity veterans Michiel Prins, co-founder and head of professional services at HackerOne, and Naz Bozdemir, senior product marketing manager at HackerOne, demystify how organizations can gain control over their full attack surface and minimize exploitable risks.

This discussion will cover:
-The consequences of an expanding attack surface and incomplete visibility into it
-The role of Attack Surface Management (ASM) in modern security programs
-Important considerations when selecting an ASM partner
-The impact of combining automation with human security expertise

Outsmart Cybercriminals with Proactive Attack Surface Management

What’s your definition of a zero day? Exactly what a zero day is, and how one should be tackled when it comes to bug bounty, has been a contentious issue for years. Drawing on his experience at Project Zero and as a longstanding member of the hacking community, Chris will explore the evolution of zero days, from Stuxnet to Log4j. He will explain why zero days are not usually rewarded in bug bounty programs and why Log4j was unique in this regard, drawing on hacker and customer data and stories from the incident. Chris will share his philosophy on a ‘pay for value’ approach to zero days and how progressive CISOs can work alongside the hacking community to reduce the risk from zero-days, in whichever definition applies.

Why Isn’t Anyone Paying Bounties for Zero Days?

Cyber Attacks

Hackers

attack surface

Cloud Security

Ransomware

security vulnerabilities

Log4j

Hackerone

Stuxnet

Risk

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

The application development community features top thought leadership focusing on optimal practices in software development, SDLC methodology, mobile app development and application development platforms and tools. Join top software engineers and coders as they cover emerging trends in everything from enterprise app development to developing for mobile platforms such as Android and iOS.

Application Development

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Why Isn’t Anyone Paying Bounties for Zero Days?

Presented by

About this talk

More from this channel