TRENDING:

Governance & Risk Management , IT Risk Management , Legacy Infrastructure Security

4 Bug Bounty Myths Dispelled

HackerOne's Laurie Mercer Takes Down Common Misconceptions Mathew J. Schwartz (euroinfosec) • June 20, 2019    
Laurie Mercer, security engineer, HackerOne

Bug bounty myths: All such programs must be public, run nonstop, pay cash to bug-spotters and allow anyone to join.

See Also: Live Webinar | Cyber Resilience: Recovering from a Ransomware Attack

Laurie Mercer, a security engineer at HackerOne, says that, in fact, bug bounty and vulnerability disclosure programs are often run as private, invitation-only and time-limited endeavors. In addition, while the average program reward is $600 for finding a significant bug, sometimes simply publicly thanking bug hunters or offering cool swag can suffice as rewards.

In a video interview at the recent Infosecurity Europe conference, Mercer discusses:

  • Bug bounty program common misconceptions and best practices;
  • The emergence of bug bounty millionaire ethical hackers;
  • Better integration with the software development life cycle.

Mercer is a security engineer at HackerOne. His primary focus is on responsible disclosure, vulnerability management and risk reduction for organizations of all sizes and security maturity levels. He's worked with customers as diverse as Queen Elizabeth II and the Chinese government in various roles involving software, security and education.

Previous
Cisco on Cybersecurity: Targeting Optimal Protection
Next
Filling the Cybersecurity Skills Gap

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



Around the Network

What's Behind Disturbing Breach Trends in Healthcare?
What's Behind Disturbing Breach Trends in Healthcare?
How Generative AI Will Improve Incident Response
How Generative AI Will Improve Incident Response
Why Entities Should Review Their Online Tracker Use ASAP
Why Entities Should Review Their Online Tracker Use ASAP
Threat Modeling Essentials for Generative AI in Healthcare
Threat Modeling Essentials for Generative AI in Healthcare
Generative AI: Embrace It, But Put Up Guardrails
Generative AI: Embrace It, But Put Up Guardrails
Why Connected Devices Are Such a Risk to Outpatient Care
Why Connected Devices Are Such a Risk to Outpatient Care
Using AI to Separate the Good Signals From the Bad
Using AI to Separate the Good Signals From the Bad
The State of Security Leadership
The State of Security Leadership
Critical Considerations for Generative AI Use in Healthcare
Critical Considerations for Generative AI Use in Healthcare
Addressing Security Gaps and Risks Post-M&A in Healthcare
Addressing Security Gaps and Risks Post-M&A in Healthcare

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.