HOW TO START IN BUG BOUNTY IN 2020

Casey Ellis
Casey Ellis
Founder of bugcrowd

▪️

October 25, 2020

About This Episode

Like this show? Please leave us a review here — even one sentence helps! Consider including your Twitter handle so we can thank you personally!

HOW TO START IN BUG BOUNTY IN 2020

October 25, 2020
Season 1
Casey Ellis

Casey Ellis

Founder of bugcrowd

About this episode

Like this show? Please leave us a review here — even one sentence helps! Consider including your Twitter handle so we can thank you personally!

Episode Description

What We Discuss with Casey Ellis:

  • CrowdSource security as a service model & Bug Bounty.
  • How to make people feel comfortable with the concept of crowdsource security?
  • Is bug bounty only for big companies?
  • How can people get into the Bug Bounty Space? Can anyone get into it?
  • How can we foster a safer environment to talk about Bug Bounty openly?
  • When Bug Bounty goes wrong?
  • How do economics and game theory play into the crowdsourcing bug bounty scene? Do researchers look for other outlets? How do companies find the sweet spot of payments?
  • Is it better to disclose a bug to a third party or the actual company?
  • And much more…

THANKS, Casey Ellis !

If you enjoyed this session with Casey Ellis, let him know by clicking on the link below and sending her a quick shout out at Twitter:

Click here to thank Casey Ellis on Linkedin!

Click here to let Ashish know about your number one takeaway from this episode!

And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.

Resources from This Episode:

Recommend a topic

Partner with us

Join the team

Share

Facebook
Twitter
LinkedIn
Pinterest
Reddit
WhatsApp
Email
Skype

Transcript

Ashish Rajan: So I’ve got someone who’s really special and fortunately he’s Australian as well. we have a local time zone, that worked out. Hi Casey, How are you?

Casey Eliis: Good morning. How are you?

Ashish Rajan: Good. Well should I say good day, mate, considering you probably do it much better than I do, but I think it’s definitely a warranted because I definitely crave more Australian guests to come in.

So this has been really good.

Casey Eliis: I think the times the time zone crossover between our countries is pretty convenient. So there is that

Ashish Rajan: so I’m going to start with something, which I guess I doubt people don’t know who Casey is considering the amount of, if they just Google search you there’s so many interviews that come up. And, I feel you obviously are pretty well known in this space, but for people who may not know who Casey is. Who is Casey Eliis and how’d you get into

cybersecurity?

Casey Eliis: Who is this guy? Sure. So basically my role, what I do for work is I’m the chairman, founder and CTO [00:01:00] of the company Bugcrowd. Bugcrowd was the first to basically start this idea of, or to launch this idea of crowdsource security as a service. So we didn’t invent bug bounties of vulnerability disclosure, but the idea of basically putting a platform and a group of people in the middle to help make it work.

Work. That was, that was something that we kind of initiated and it’s grown quite a bit since, both for us as a company and with all those actually joining into the space. the other thing I’m working on at the moment is a thing called the disclose.io project, which is essentially, you know, legal standardization, a bunch of open source tooling to support.

Vulnerability disclosure and just, you know, have companies really get used to this idea that, you know, being on the internet actually involves taking security feedback from the outside world. So how do get them ready for that and give them tools that they need, whether they work with Bugcrowd.Or whether that, you know, just figuring out how to do it themselves or however else.

So that’s what I’m working on now. I got into security. I kind of tripped over and fell into it. To be honest, I, Yeah. As a kid, [00:02:00] I kind of grew up like messing with technology of all sorts. My father was a science teacher, so I had computers around. and then out of high school, I got into network engineering.

As an apprentice and basically started packing stuff straight away and realized that, Oh, well, the idea of being able to, you know, give security feedback, to organizations and actually help them understand what they need to improve is valuable. there’s a career in this at which point, kind of all my Christmases came at once.

Cause it’s like I get to think like a criminal, but not be one. and then it kind of went from there. Really? Yeah. I got to the point through a couple of different roles where I got it in my head that I wanted to become an entrepreneur. So, you know, quit, my job started doing that and, and eventually had the, like the core concept for Bugcrowd.Started working on, on that.

And, you know, here we are.

I’ve got a few hellos coming in. Yeah. that’s

Ashish Rajan: I’m glad you stumbled into cyber security.

I love the fact that you brought up a very interesting thing about the whole disclosure thing, which I definitely want to [00:03:00] peel a few layers of as we go into this, but. I was going to start with hardest someone stumbling, sub security, but I’m going to, I’m not going to go into that question cause I think we’ll be here for hours.

Casey Eliis: I will say to that, that it is a pretty common story. I think, especially in sort of my generation of people that are working in this space, we just. We’re doing other things, then all of a sudden cybersecurity bubbled up as a viable career path.

I think it’s less true now because it’s so much more obvious for people to it’s something that they can directly pursue. but if you wind back a little while it’s like, Oh yeah. Okay. I can, you know, I can think defensively or I can think offensively and in context of it, there’s, there’s there’s room for that.

Ashish Rajan: nowadays it’s security is about, it was a gated community. You kind of have to have the set path but your point, no one necessarily started off in cybersecurity, like directly in cybersecurity.

A lot of us came from a very different background.

Casey Eliis: that’s true. Most of the time. Yeah, absolutely. Yep.

Ashish Rajan: I just wanted to clear that myth out because a lot of people may just go down the assumption that everyone has to be from cyber security. one of the guys who’s, I spoke to actually he’s I [00:04:00] think he’s online as well.

Sam, he’s a PhD holder and he was doing AI before AI was a thing. you talk to people and you don’t ask about the background and like, Wow. I mean, people like this are in cybersecurity, why didn’t I know what you did before this. Its a Super cool field to be in. cause I’ve got a cloud security focused audience as well.

And I remember the first time I’d talked to you about this. I loved how you spoke about how cloud. Security so what does cloud security mean for you? I’m just curious to know your response.

Casey Eliis: I think cloud security means it means different things, depending on, you know if the company’s cloud native or not.

and I think when we’re talking, this is, you know, an analogy or a kind of a mock-up that I use, that, that seems to hold true. There’s almost this concept of like, Pre Facebook or post Facebook from a date standpoint, like Facebook was founded, I think 2008 companies that were founded around then or after then, have a tendency to be [00:05:00] like cloud, like truly cloud native.

So cloud first in their approach, which means they’re also more likely to be doing things like CI/CD and you know, just approaching how they deploy technology in a way that is different to those that were basically started before that period of time, you know, for the companies that are, that are pre-Facebook.

we’re at the point where I think now, you know, everyone’s basically doing something that’s like cloudy, 10 years ago. I think everyone was talking about it, but you know, only a small fraction were actually doing it. We’re now at a point where everyone’s doing something so.

Yeah, cloud security means different things for those two groups, because for the, for the post Facebook group, it’s all about how do you improve things like, you know, DevSecOps, how do you, you know, tighten kind of build a breaker feedback loops for your organization. So they’re getting security feedback and are able to improve,

whereas for pre-Facebook it’s really, how do we make it digital transformation transition as an organization in a way that’s deliberate in a way that’s secure in a way that takes [00:06:00] advantage of existing governance models. but also is like embracing of the, the future of how these sort of things get done from a security standpoint.

So there’s a whole different set of considerations. There’s a lot of the same kind of plumbing ends up being what you use, but how you get there. I think it’s very different.

Ashish Rajan: That’s an interesting answer as I love the Facebook analogy as well, because it’s almost like one of those ones where people haven’t really thought about it that way.

that’s why I thought it was a great answer because it kind of is true as well. Suddenly people cared about scale once Facebook became problem also on a problem and it’s still a problem, but you know, you know what I mean?

Casey Eliis: A consideration . what I like about it is it diffuses?

cause there is a bit of an us and them, or there has been historically a bit of an us and them mindset. Where, you know, folks to the cloud native feel superior, or, you know, the folks that aren’t are somehow irrelevant or obsolete. And then on the other side, it’s like, Oh, you guys are doing this like crazy stuff that you don’t [00:07:00] understand what running a big, big business looks like or whatever else.

And whenever you end up in that position where you got two camps, Like failing to learn from each other because they’re so busy talking about how much better their thing is. there’s a lot of lost opportunities associated with that. So I think just tying it to a point in time actually diffuses that and okay.

What do we need to get done? It makes it more of a productive conversation, I think.

Ashish Rajan: Yeah. I think actually a great segway into this whole space of crowdsourcing security as a service and bug bounty. for people who have not heard about this space, they always hear about bug bounty being this concept only for kids or even for people who are CISOs listening to this, what is this space of crowdsourcing service?

Like a security as a model? What is the space.

Casey Eliis: I think , that’s a really important question for actually, for everyone. when Bugcrowd.Started, it was basically Facebook and Google making a big bunch of noise about their vulnerability reward program back in 2011, 2012, you know, some folks within the security [00:08:00] industry, observing that and becoming interested in it.

And, you know, one of the reasons that we took advantage of frankly, some of the noise, that they were creating was, it was just a very fast way to explain the model like the challenge I think that we have sometimes these days is that bug bounty, As a, as a term of like art is actually a pretty specific thing.

but it gets used as a term that describes all of it, which can create some term confusion. So to your question around crowdsource security, really what it is is this idea that. as an organization, as a defender, you’ve basically got the job of like outsmarting your entire infrastructure development.

I mean, even marketing sales to everyone within your organization that that potentially contributes to your attack surface, they’re all amazing. And do really great work, but they’re all also human, which means they make mistakes sometimes. So when those mistakes create like a vulnerable condition, you’ve got to outsmart that first.

Then you’ve also got [00:09:00] to outsmart all of the creativity that exists in this cloud of potential adversaries that want to mess with your stuff that have lots of different skill sets, lots of different motivations, and really more of a drive to create a result, and to find one of those weaknesses so they can do what they need to do.

your job as a defender is to. Basically outsmart all of the possible failure States of those two things. And you’re using automation, which can help you, but it’s never going to cover all of it. Cause it’s not as it doesn’t have that creative capability that both of those groups do. yeah.

And you’ve got, you know, Jill and Bob, the pentester who are awesome, but they’re going to lose at some point because of the math at the setup, it’s actually not their fault. It’s the fact that you can’t basically. you fighting an army was with an individual, that’s got a completely different set of rules of engagement.

So what crowdsourced security does is it takes this latent talent and this latent potential that exists in the good [00:10:00] faith hacking community around the world. and it plugs it in to that gap. It’s like, okay how can you basically level the playing field out with the amount of creativity that you’ve got available?

to stay ahead of the adversary when it comes to making yourself more resilient.

Ashish Rajan: So when people ask you about bug bounty where do you it’s almost like a slither of the space.

Casey Eliis: to me, the superset concept is actually a vulnerability disclosure program, which is where an organization goes out and says, all right, internet.

If you see something, say something, yeah, it’s not incentive. It’s not engaging. Or you really doing, is actually going out and saying, Hey, if you found a security issue, here’s how to get that information to us. Here’s what you can expect from us, in terms of how we respond to you and how we work with that information.

and thank you very much, basically. There’s accountability associated with that and all sorts of things. That’s one of the things with. Know, Bugcrowd. Facilitates that through the platform, because obviously you’ve got to handle the information, get it to the right places, inside your business and make sure that, you know, you’re spending more time [00:11:00] dealing with signal and noise.

but part of what we do with disclosure, as well as to make sure that, you know, things like safe Harbor are put in place for both sides, because you know, We’re working with 30 years of backstory of this just being illegal by default. so when you get to the point where you’re actually wanting to try to get the information from the good guys, how do you do that in a way that helps you feel like you’re staying safe from a legal standpoint and how can they do that without feeling like they’re going to get their door kicked in.

So that’s full disclosure, right? Bug bounty is when you add basically a reward to that. so it’s still the open internet. but what you’re doing is you’re adding a reward to basically say, Hey, if you’re the first to find a unique issue, you’ll get paid for that issue depending on how impactful it is, how important it is.

And, you know, that’s, it’s partly a thanks thing, but it’s also partly to drive and encourage like proactive testing. So you’ve switched from just listening reactively to actually becoming proactive and incentivizing it. Right? [00:12:00] Both of those examples, really what it looks like is you’re actually going out to as broad an audience as possible and saying, Hey, tell me stuff.

when you get into crowdsource security, that’s where. What you starting to do is to take what companies like Bugcrowd. Understand of what skill sets exist in the crowd, like who can be trusted to do what, you don’t necessarily want like an enthusiastic rookie getting privileged access to do security testing.

Cause they might not have the professionalism to actually. Conduct themselves properly. Like they might not be malicious. They might just not be mature enough for that kind of responsibility yet. So there’s all sorts of examples. It’s really our job to actually understand who sits, where, on which spectrums, and then to be able to say, okay, here’s the thing you need to get done.

Here’s a group of people that are best suited to do it based on the data that we have. Let’s engage them and, and get you, you know, security feedback, according to what you need.

Ashish Rajan: That’s an interesting one. Casey for me, because I found it always now, since NIST has added [00:13:00] responsible disclosure has always made it even more better people.

Some people not for everyone, but for some people it’s still some people who are on the fence, they’re like , how do I control this? Where do they end?

For people on the fence, like, how do you go? I guess make them comfortable

Casey Eliis: yeah. And I’ve spent a lot of time really making people comfortable and helping be prepared to do all this stuff.

Well, I think, did a really good job. I actually wrote up an article about it. cause I know a bunch of the policy, people that were working behind the fence on actually putting that together. And I think they did a really good job of actually explaining the true nature Of vulnerability disclosure in general, like vulnerability disclosure is a superset concept.

Crowd knows things. Company needs to know things. How do you make that successful? and one of the things they call out in there is that vulnerability research from both bad actors and good actors is going to happen, whether you solicit it or not. So I think, you know one of the pieces that. I spend a lot of [00:14:00] time trying to get people to kind of understand is that you actually can’t control what the internet does I think a historical mindset that if you just tell the internet not to do something, it’ll listen, and that becomes a viable way to control its behavior.

I don’t think it ever really was true, but it’s becoming more obviously untrue as we go along. hackers are going to find where your problems are really, whether you ask them to or not, is there’s a group of them that are actually doing that in order to try to help you out and then not malicious?

yeah. How about you? Try to. Get the report. So you can do something about it. That’s, that’s kind of the starting point. to me it’s almost more of a physics problem than, than one of like, do I want to. Decide to engage or not. It’s like, no, as a security practitioner, I think even as a cloud engineer, at some point in your career, you’re going to have to deal with figuring out how to receive proactive or sorry, reactive security input from the outside world.

Like I’m just. Convinced at [00:15:00] this point that that’s something that everyone’s going to have to figure out what to do about at some point in their career. So you can either choose to wait until that happens, and figure it out on the fly and possibly under duress. Or you can choose to start to get proactive about it and figure out how to, you know, build what you do with that information into your development cycles and all those other good things that can happen.

So that’s how I, that’s how I talk about the public stuff. Yeah.

Ashish Rajan: it’s only one of those ones where you keep your friends close but the enemy closer kind of a thing. you know how hackers have that. negative space that, Oh, here’s the hacker.

That’s definitely a bad guy or girl, I guess.

Casey Eliis: it can be helpful to think of it like that. a train of thought to give some comfort, because there’s this idea that it’s like a locksmith , versus a burglar.

if you can manipulate a security control on a house, there is a well understood good faith use case for that knowledge that we all trust because locksmiths have been a thing for a couple of hundred years, right? The, the whole idea of the digital equivalent of that. [00:16:00] Collectively, we’re all pretty early in the process of getting used to that.

and, you know, historically I think partly because it’s more interesting to write about, bad people doing bad things than it is to talk about, the good fights there’s this assumption that hackers are automatically bad people, which is fundamentally untrue. To me, it’s more around this idea of like when you talk about neighborhood watch, that’s one of the reasons I use that as an analogy to try to get people.

Conceptually across what’s actually going on because it’s like, yeah, this is actually not about whether they good or bad, like the incident, honestly, your software doesn’t care. Whether the people who find a bug in a good or bad, like it’s agnostic to that. It’s really a question of if that’s coming from, someone who’s acting in good faith who actually wants to help you, are you able to receive that information so you can act on it?

That’s, that’s the part that matters. Yeah,

Ashish Rajan: I love the analogy of a neighborhood watch. once you mentioned the locksmith concept, made me think that actually the locksmith professional would’ve gone through a similar thing. Like we’re not burglars trying to [00:17:00] figure out your lock beforehand.

I am just here to help.

Casey Eliis: Yeah. I mean, doctors went through the same thing. there’s all sorts of examples in history where there’s been a skill set or an understanding of things that. Has been novel and immediately dismissed as either quackery or like sorcery or something that’s just dangerous.

and it’s had to go through this period of basically education where people really, that’s just a normal part of how things work. Like how do we actually take advantage of that? I feel like hacking like offensive computer security skills have really seen a lot of action in that area over the past, you know, five or six years in particular.

Ashish Rajan: even Uber has challenged the norm, like people used to teach us don’t sit in a strangers car but now we sit in a stranger’s car

we welcomed the opportunity and pay money to do this. So it looks like, yeah.

Casey Eliis: And then you got, COVID we’ve all been forced into this. the great zero trust experiment is how I’m referring to COVID in some ways, because there’s a lot of people getting. [00:18:00] A crash course in how to become comfortable with technology in a way that they were able to delay until March of this year.

And now we’re. Yeah. Pretty much on a level playing field. So it’s, it’s I think really challenging, existing assumptions of what trust actually means and how to engage it, as well as, understanding, how critical and kind of integrated technology is into everyday life. It’s like, this is just a part of the fact that you can’t necessarily hit someone over the back of the head with a newspaper of discouraging out doesn’t mean that you can’t trust them.

and I think a lot of people are having those assumptions challenged at the moment, which ultimately is a good thing. It was going to end up that way. Anyway, it’s just the pandemic to me has accelerated that process.

Ashish Rajan: it definitely

has. And I think maybe it’s worthwhile calling out aswell, so we spoke about bug bounty, vulnerability disclosure, but.

Is this like only for big companies. Like if I’ve got a few folks in here who have their own startups, who are some of them have cyber security startups as [00:19:00] well? Like, is this a concept which is only for the big companies like the banks or can someone who’s a startup today can start on this as well and take advantage.

Casey Eliis: vulnerability disclosure, I think is ultimately look at, you look at NIST, you look at the, you know, binding operational director of 2001 in the United States, which is talking about every federal agency running a vulnerability disclosure program. You look at stuff coming out of the EU and even some of the things that are being talked about in Australia around like IOT policy, It’s very quickly at this point, I think from a top-down pressure standpoint, becoming an expected part of being on the internet.

And it really comes down to almost like a core product safety principle. It’s like you’ve got a product. If there’s a way of identifying that there’s an improvement that needs to be made to the safety of that product. It’s your responsibility as an organization to be able to actually get that input.

And then figure out how you’re going to act on it. yeah, it’s kind of heading in that direction. Right. So I think vuln [00:20:00] disclosure. Is is relevant. and ultimately should be proactively engaged by companies of any size, because it’s just going to be a part of being on the internet it’s quickly moving in that direction.

Now, I think for bug bounty, that’s a subset. Like I actually don’t believe that, the idea of like proactively doing the, like come at me, bro, thing to the entire internet , is a good decision for every company to make. to the general public, because you know, you might have work to do on your ability to remediate or your existing defenses or there’s all sorts of different reasons.

Why? I think that’s, that’s a decision that needs to be made far more carefully. We actually talk people out. Of of doing public bug bounty sometimes. Cause they come in all excited for the, for the tech crunch article and it’s like you’re really not ready for this. And you actually shouldn’t use it.

It’ll be a negative experience for everyone involved. and then this crowdsource security model that we talked about. So these three layers, VP, bug bounty, and then crowdsource security. I think crowdsource [00:21:00] security is something that pretty much any organization can actually get an advantage from because ultimately it’s hard to hire security people, but that was one of the reasons I started Bugcrowd.Was this concept of, we talked about the math of it before, the backdrop to that is that there’s just not enough security people to go around.

So how do you get better access to the talent that you need for the things that you need to get done? Yeah,

Ashish Rajan: Just on that, I’ve got a question from David here. How do you make sure you’re not painting a big bullseye on your back by inviting the internet on your site?

Casey Eliis: I think there’s two things.

we already talked a little bit about the fact that like, this is happening anyway. If you look at your, if you look at your logs, if you look at your software, like people are hacking it right now that there just, isn’t a way for them to get the information about what they find to you necessarily.

So I think it’s important. To, give that concept a nod as a precursor. There’s a couple of ways, like how not to paint a big bullseye on your back. what we really strongly [00:22:00] advocate is this idea of like crawl, walk, then run. so to be able to start slowly, you know, either using a private program as an on-ramp or just not promoting it you can launch a vulnerability disclosure program and create an intake channel without , putting it up on a aggregation site, like Bugcrowd.Or, or doing it.

Big article about it. You don’t have to do that. So it’s like, it gives you an opportunity to kind of ramp up, figure out what your risk posture actually looks like. You know, what your remediation ability looks like, all of those sorts of things before you start the dial up and let people know it’s there.

that’s really, I think a big, a fairly important consideration in terms of the transition. And then yeah, if you’re talking about bug bounties and crowdsourcing, it’s really this idea of being able to basically incentivize input from experts so that you can close these vulnerabilities off, ultimately if you do that ramp period, right then.

Yeah, you’re actually getting it’s like the crowds got your back at [00:23:00] that point. Like what they’ve given you is according to the intelligence and the fire power that exists in the good faith community, which should put you in a more resilient position when the, when the bad actors rock up.

Ashish Rajan: To your point earlier it’s not just a big company thing as well. Crowd sourcing may not be the first obvious step you should take, because it’s a lot of work that comes with it as well. So you kind of need like, should I run my startup or should I, manage a resposible disclosure program.

You probably want to balance that out, , there are a few things people can do to begin with. is there like things that don’t take too much effort, but you at least have almost like a door slightly open to say, Hey, I I’m okay with you disclosing.

That I have vulnerability but just do not attack me and do not go come at me, bro. As Paul mentioned.

Casey Eliis: I mean security.text is good. I think having an active, security @mailbox. and then, and then honestly, you know, finding some sort of way to, to check it, [00:24:00] and having a process for that, because usually those things get set up and then promptly ignored because they do get a lot of like spam and Croft.

I actually don’t think that’s a good way, but if you’re talking about for a startup that just needs to do something, it’s, , fairly cheap. Do something , kind of step to take. I think from a policy standpoint, you know, disclose IO part of what that is vulnerability disclosure, policy standardization.

So, so we’ve set it up in a way that, you know, if your legal team has, Has, you know, they’ve got to get their head around this whole concept is it creates a really good starting point for that, but for organizations that can afford to just copy and paste, it’s good to go for that, for that use as well.

so that, that becomes really your terms of engagement and there’s stuff in there. Like. Don’t DDoSs my site to try to test it. Like you’re not proving anything. please don’t, and you know, different things like that, where, you know, you starting to set expectations on your end. Yeah, I do think there’s also this idea of basically saying, Hey, this is [00:25:00] reactive.

I’m not actually authorizing you to test. But what I am saying is that if you, if you find something, can you send it to me? This is how you can expect me to behave. you know, I think actually going out and authorizing testing is, is a safer place for you as an organization and for the researchers, because at that point they’re actually not necessarily breaking most of the anti-hacking laws that exist to try to help you out.

And there’s no fear of that. Even if they found a bug like. By accident, which is a thing as well. yeah. Yeah, those that sounded so security text, an inbox, you know, Bugcrowd works with startups as there’s, you know, things that you can do to, to wrap platform and process around it in a way that can help you actually administer these programs.

But you’re absolutely right. as a, you know, as an early startup, you’ll your biggest risk is your next payroll not necessarily like watching a vuln disclosure programs? Yes.

Ashish Rajan: so we’ve kind of spoken about the good and the bad, possibly the ugly of bug bounty programs, what comes with [00:26:00] it.

If you’re not prepared to start up a bug bounty. Now, if you’re starting, I’ve got folks who are new to cybersecurity space as well. And now they’re like, they’ve Googled this. They’ve seen all the Twitter images, all these 16 year old kids with a Maserati and all that. So where do people,

Casey Eliis: like two of them, it’s just, they get promoted a lot.

Ashish Rajan: So fair enough go. , is that only a new kid in the block thing? Or can all folks like myself and others can join in.

Casey Eliis: we like helping people celebrate when they find a really good issue and they get paid well for it.

Cause it’s, it’s awesome it’s an achievement and you should be able to, you know, get excited about it. I think like doubling down on it and, and, you know, de anonymising young people and telling the world about how wealthy they are. I think that’s actually pretty unwise. because frankly, when I was that age , I probably wouldn’t have known quite what to do with that.

Cause it’s, it’s one of those things where it’s like, no, that’s objectively awesome and you should be proud of it. [00:27:00]

but there’s so much kind of success bias in how that stuff gets amplified or promoted, that it kind of implies that this is all super easy and all you gotta do is like watch a few YouTube videos on how to hack. And all of a sudden you’re going to be a 15 year old with a Maserati, which is not, that’s not how it works.

Yup. So I think managing that the sort of expectation gap is really important whilst also, you know, giving credit where credit’s due and, and letting these folks out there have their day in the sun. So it’s a, it’s a weird one. but yeah, I mean, for starting out, I think it really comes down to, understanding what parts of offensive security, you’ll best at that excite you the most, you know, some folk come in like this whole idea of, of being able to spray the entire internet for XSS and make a bunch of money out of bug bounty programs.

Yeah, we’ve been doing that for long enough. Now that the Internet’s figured out that it needs to solve its XSS problem, which was the original goal in the first place. So those sorts of things are becoming more difficult. [00:28:00] Like low-hanging fruit gets kind of progressively cleared out. As new folks join into the space as, as new kind of systemic issues get identified by the crowd.

And then, you know, people start to teach each other, everyone starts doing the same thing. The problem gets kind of shaken out at a systemic level and then it gets difficult and people move on to a new thing. That’s sort of how it works. So like recon for example, when we started, I think, you know, security folk have always known that people don’t know where they’re.

Their assets are on the internet. There’s like this combination of legacy assets that have been forgotten and shadow it and stuff like that, which is more of a cloud security problem. that was a known issue. What wasn’t obvious was how bad it was. and one of the incentives in a bug bounty model in particular is to be the first to find a unique vulnerability.

So what you ended up with was all these researchers, creating tooling and workflows to. Pretty much like look for assets that have most likely been forgotten and there was a [00:29:00] lot there. So this is where this whole kind of recon space was actually born. it was a bunch of bounty hunters realizing that it was a great way to make money and identify vulnerable assets.

Yeah. and it’s still an issue. I think it’s actually a really good space. It’s a really good place for people to start. because there’s, I think going to be a never ending shortage of, things on the internet that have been put there, hastily or carelessly, because we we’ve got to build our businesses and get stuff done.

So sometimes we do that in ways that have, you know, security wise, not as a high priority. and there’s a lot, there’s a lot to find, right. that’s a practical way for people to get started and just understand kind of internet scour research, but then dive into things like if, you know, people that one of my favorite things is when people come in from like an engineering background or like a, IT networking like electrical engineering, you know, radio, like people that have built cars their entire life and then suddenly realized that car hacking is a thing.

And the, I typed [00:30:00] this like contextual technology experience, marry it with security and this kind of, I love hacking stuff. Cause it kind of feels like a game. And then all of a sudden they’re really good at, at a particular niche domain. That’s actually really valuable. Like that’s, I love it. I love it when that happens.

Cause it’s just, you can’t, we try as hard as we can to encourage it, but you can’t necessarily always predict when it’ll happen. so I think for people wanting to get in, it’s just a matter of like understanding what switches you on, what are the things that you enjoy the most and where are you going to be most productive?

Ashish Rajan: I think it’s a great advice. I was looking at all the different segregation that you guys have as well, where you have web API cloud. I was talking to a bug bounty Hunter who basically just looks for bounties in Google cloud space.

that’s her focus and what she was telling. Her name is Kat and Kat was telling me, that the space of finding bugs in Google cloud is only nine [00:31:00] months old. That that whole space is just nine months old, bounty hunting. And so it’s for people who are listening in to this world, like a bug bounties, only if you’re great at the crosssite scripting or CSRF or SSRF, or like, but there’s almost like exactly what you said.

There’s almost like these niches where you’re really good at car hacking that that’s an niche right there. You can still reach out to Ford or whoever and tell them about the vulnerability they have .

Casey Eliis: We’ve got a ton of embedded programs like working with.

Yeah, the netgears of the world and, and folk like that on the consumer IOT side, but then doing hardware work with the department of defense, you know, there’s this incredible variety of domains, where you can apply this and even, you know, this whole idea of like , SAS, misconfiguration, that , your friends talking about, like, again, it’s this.

Area of like systemic failure or systemic risk that exists on the internet. And, you know, it’s like having its oh shit moments. So it’s like, Oh wow. A lot of people have made that mistake. [00:32:00] How do we go out and find when that’s happened and actually try to give them a heads up so that they can fix it?

this is why I keep on drilling into this idea of like finding the things that you enjoy most. And that you’re best at, you know, partly it’s, collision avoidance from a competitive standpoint in the same way as you do when you are trying to figure out a career path, right?

It’s like, I’m not going to go to university to study, to do the exact same thing that everyone else is doing, because that’s going to make it more difficult for me when I go to get a job. there’s a similar principle, I think, in play here because there’s. You know, a lot of folks that, that bone up on kind of core, you know, almost like basic web apps, security, which is great.

It’s a good starting point, but there’s a lot of people doing that. So if you want to be in a position where you can kind of find some clear air and actually operate on, on domains that are interesting to you, then finding your niche, I think is a really good thing to do.

Ashish Rajan: I 100% agree, great advice there as well, man.

, it definitely makes me feel anyone can join in as [00:33:00] well because all of us, especially the experienced folks have found a niche already. Like that’s why you’re getting paid for what you’re doing as well. It’s just a matter of going, looking around and like, Oh, I can do bug bounty in this space.

Cause a lot of people have these side projects. I know folks who are always tinkering with one of those, a LG television with internet connections and IOT devices as a space as well. And you almost go, wow, you can just go bounty hunting at any space because it’s still, it’s A, it’s exciting because you’re already interested in it. So you just go on to the next level, like, how do I go about breaking this? So I think that’s a great advice, man.

Casey Eliis: The same is true if you’re just getting started, you know, I think like I’m a big believer in. the product of nature and nurture everyone has, has their own set of wirings that, that fit best into particular things that are just going to work for them. and if you’ve got an appetite, you know, if you get a sparkle in your eye, when you talk about hacking things, that’s a really good starting point.

it then becomes a question of, [00:34:00] okay, you know, where are the different areas of expertise and like practically how I use that best fit in with how I’m wired as a human being. it’s gonna make me feel fulfilled and satisfied, be productive, and actually do, you know, create valuable output, all that sort of stuff.

Like the pursuit of your potential is something personally. I, I really believe in and it fits into this, I think quite neatly.

Ashish Rajan: Yep. And I’ve got a few comments coming in as well. Paul, I’m always disappointed when I approach companies for security issues. I’ve found organically, especially true here in Australia, or obviously this is outside the scope of a company that is involved in a bug bounty program, which influenced the key means the company is being proactive.

So how do we start. To fix the ostrich head in sand mentality for these less mature organization outside of the increased regulatory fines, because I think it has got a follow-up just to saying Mandatory notification here in Australia and for the matter globally is a joke and there’s mostly ignored. Any thought on that.

[00:35:00] Casey Eliis: Yeah. That’s shout out to ostrich risk management. That’s a phrase I use a lot. and it’s nice seing it pop up. yeah, I think. Yeah, to me like something that, this is another thing I like about, you know, vulnerability, disclosure and public bug bounty models. Is that. You know, they are a security concept that the average consumer has a hope of understanding.

Like if you talk about, you know, EDR or, you know set up Kubernetes governance, frameworks for security other more technical stuff. You’re going to lose, you know, Joe and Jane internet fairly quickly. But this idea of like, yeah, no, we’ve got this like army of, of.

People that work in good faith. and we’ve basically set up neighborhood watch for our stuff to keep you as the user safer. that’s a concept that , the average customer can understand. So I think, you know, one of the things that, that I spend a lot of time [00:36:00] thinking about how to like double down on.

In my space, but I think in cyber security, just in general is like, how do we actually stop all of this activity, being an insurance policy to protect the downside and actually start to turn it into something that, that is a carrot and not necessarily a stick , a lot of security spends its time being the stick.

And we should, like, I’m not saying that that’s wrong, but it clearly is limited in its effectiveness. otherwise. You know, things like what Paul just called out. Wouldn’t be as true as they are. So it’s like, how do you, how do you turn it into something that, you know, a company can actually use to basically differentiate itself?

Like how can they go out and say, Hey, here are the different things that I’m doing, you know, mr. Mrs. Customer, like when you’re choosing between me and all of the other options you’ve got. If you’ve got data safety and security and the security of your product in the back of your head, maybe you should choose mine.

I feel like we’re at a point where that’s actually starting to work. You know, this is it. And it wasn’t true five or six [00:37:00] years ago, but we’re now at a stage where, you know, the average citizen on the internet is vaguely concerned about being hacked. That they might not necessarily know what that means or how it works, but they know that.

Like worried about it. and what they lack is the ability to, what they lack is the ability to actually change their behavior in order to take control of that concern and actually manage that risk. So I think all of that to say that, I do think, you know, vuln disclosure and, and bounty, like the public signaling stuff is a really good way to.

You know, basically help customers, become more confident in your product, which then becomes an easiest sell to an organization. At that point, they’re like, Oh, okay, you’re going to help me sell more stuff. All of a sudden that becomes a far more productive and interesting conversation to have as a security champion.

Then, you know, our usual starting point of like, We’re going to make ourselves less likely to get hacked a little bit [00:38:00] more if we do this thing, do you know what I mean?

Ashish Rajan: I’m going to probably flip the table a bit on this for people who are our peers and colleagues who are listening to this as well.

We include everyone. Who’s listening. All the thousand thousand guys and girls are going to listen to this as well. Like how can we help? In making this like a safer space that people can come on and talk about this, I guess, without feeling that Oh, I’m disclosing everything about my company.

Casey Eliis: there’s a lot of education that still needs to take place. I think, you know, going back to this idea of ostrich, you know, risk management.

Ashish Rajan: I love it.

Casey Eliis: Yeah. I think, I think one of the fundamental issues that organizations and the internet just in general has, is, this idea that I can’t admit to having any weaknesses or any.

Any issues in my stuff, like I’ve got to operate with this, communication and with the security model that, that suggests that I’ve got absolutely everything buttoned down and anything that’s changing is because I’ve decided that it should change [00:39:00] that’s just untrue. Like it goes back to what was saying at the start way.

Like people write code people, deploy software, we do all we can to facilitate it. And if we’re negligent or if we’re making the same mistakes over and over again, then yeah. that’s a problem. Like you shouldn’t be doing that, but this core idea of like, it, things are gonna happen that are outside of your control.

how do you. Figure out when that happens, how to actually, you know, tactically mitigate the risk and then how to learn from it to actually improve your resilience, moving forward on a ongoing basis, which of course goes back to the pre and post Facebook conversation we were having before. Cause it’s easier for posts, Facebook companies.

I think that’s where we need to kind of try to drive and encourage people’s mindsets to, to end up,

the companies that you associate with being really secure are almost always companies that have actually gotten across this hump.

They’re like, okay. Transparency and continuous feedback into our security process, even from the outside world [00:40:00] is a part of being intellectually honest about how difficult it is to build software perfectly. yep. And that’s okay, here are all the things that we’re going to do about that. And this is how we’re going to continually improve on this.

the sooner we can get to a point where that’s a normal way that folks think, I think launching a vuln disclosure program in particular like offering safe habour of researchers, what that signals and what I love about it so much apart from the fact that it stops my buddies from going to jail or feeling like they might, Is that it kind of validates the fact that, yeah.

Okay. This used to be criminal, but we’re actually creating a carve out for people that are trying to do this type of thing in order to help us, as long as they stay within the guidelines that we set, that, that define what good faith actually looks like. that even that as a statement is, is almost like an admission of, of like, okay, yeah, this is a team sport.

We actually need help. We want to operate with transparency. You know, that actually becomes something that I think a company can turn into a [00:41:00] really, Assertive statement of, of, you know, where things are up to in the role. The hacker community plays really is the Internet’s immune system in identifying where, where weakness exists and being able to provide that feedback.

So I think to your question, how can we help it’s the more of that that can happen the better, and obviously, you know, Bugcrowd can help with that Bugcrowd benefits from that there’s, there’s a degree of companies’ self-interest, directly. In that advice. but I think more broadly than that, we benefit from it because it just becomes a thing where, you know, companies are comfortable with hackers and the input that exists out in the community.

and honestly, it’s the things that I just want to see happen from, from principal’s standpoint. It’s something that I believe in very deeply.

Ashish Rajan: I think I agree with you on this. And I understand the fact it’s not easy as well to kind of jump into the space because you also spoke, touched on the fact that there’s a lot of work involved as well.

Moment you come out. Or you don’t have to even announce yourself by nature of being on the internet. You’re already being [00:42:00] spammed by people. I have a vulnerability. Do you want it? And it’s almost like are you trying to blackmail me or, you know, I joke about that thing, but for a lot of people, it’s the reality and, I guess.

It’s also a space where people kind of like the more they share among each other as to, . But I do want to look out for people who are genuinely sharing something, which is valuable and all they want to do is they want to do the right thing, not trying to blackmail you.

Casey Eliis: A hundred percent.

And it’s you, you call out an interesting phenomenon. This is, this is something that, you know, Bugcrowd done a lot of work on. in like educating people that are engaged with us from the community on our platform. but also just trying to basically, you know, foster this concept of like what good sportsmanship looks like , in the hacker community in general, you know, the problem that you end up with is, is folks that come in, they’ve got really good intent that then there’s not a malicious bone in their body.

but their [00:43:00] enthusiasm actually trips them over and, and can be interpreted as, potentially hostile on the receiving side. And that happens all the time. Cause because if like organizations aren’t ready to have this conversation, if you come in. Yeah. Without some of the empathy for what is involved in building and maintaining software, looks like, then it’s pretty easy to just, Oh, I found the XSS like, this is the most important thing on the planet.

You need to drop everything and listen to me right now. and , it’s frustrating because that’s actually coming oftentimes from a pretty well-intentioned place, but it’s inappropriate. It’s immature. It actually, you know, Frankly, disrupts the discourse because you were doing something else before that email came in.

so how do we educate the community it’s scaled to have a better understanding of what it’s actually like to run a company, to build software, to do all that sort of stuff, and to be on the receiving end of these things. I think honestly, empathy, empathy, and expectation alignment is, is [00:44:00] almost.

Every time, the key to making this stuff successful and productive, and it just takes time. it takes effort on, on everyone’s part to actually invest in that. which, you know, given all of the other stuff we’re busy with is not always, not always easy to do.

Ashish Rajan: Yeah. And I think it’s really interesting because I always find, I mean, it’s such a human psychology thing as well into this.

Right. I joke about the fact that they’re 15, 16 year old kids who are driving our own Maseratis and as an adult while they’re adults as well. But when you see them, you’re like almost, you’re like, Oh, I could have that as well. It should be easy and you go on Google or YouTube and like start searching bug bounty

you kind of go into that rabbit hole. And to your point, you’ve learned a few tricks from some of those tutorial videos, and you’re just basically spamming the internet. And to your point, the lack of empathy also comes from the fact that they’re not thinking long-term at that point. So if someone’s listening to this, there’s almost like a longterm play here as well.

Right. You don’t want to just do it once and never do it again.

Casey Eliis: Yeah, absolutely. [00:45:00] Right. you want to be in a position where you develop a reputation that. That serves you well from a career standpoint. And so you can keep your lights on, do all the things that you want to do.

but also that, you know, helps the actual problem itself. And ideally that, that becomes something that, you know, your peers and, and, and people that are kind of coming in behind you from an experience standpoint can learn from. I think if you can nail all three, those things, then you like right down the center lane and actually being a very powerful contributor to all of this, in a way that , it’s gonna make you money.

It’s gonna like further your career. It’s gonna do all of the things that, that we all need to think about from a self-interest standpoint and, and keep in the mix. But also that can add a bunch of good on top of that. I think. I think optimizing for that kind of win is, is something that, you know, everyone can do.

And it’s pretty difficult to,

Ashish Rajan: yeah, I think, I had Daniel Miessler in my last episode, we spoke about continuous monitoring. And how do you do bug [00:46:00] bounty at scale? Yeah for people who may not have checked, I’ll definitely recommend checking that episode out because he spoke about the fact that you don’t have to have.

like a really super P4 level bug, you can have like multiple P2, P3 level bugs and still make decent income out of it. I’ve got another question here. Can you share more about bug bounties? The one that went wrong? If any? Ooh, I don’t know. Can you,

Casey Eliis: I can talk in general terms, most of the examples I can think of when it’s going wrong. when you know, organizations have kind of gone off half-cocked, or not align themselves internally , that’s a big one.

So the idea of like, okay, we’re going to start a program. This is security team. That or product team that go go gung ho Oh, actually the worst is when it’s the marketing team driving it. Cause they want to. They want to go out and do the big press announcement, but they haven’t necessarily clued in the legal support team of, of what’s about to whole, it’s, it’s those sorts of things where like the internal alignment around.

Yeah. We’re going to start to, you know, this is specifically for [00:47:00] bug bounty. We’re going to start to like actively solicit security feedback from the outside world. So everyone needs to be. You know, aware of that, it’s not like, Oh my God, batten down the hatches. It’s more just like, make sure everyone’s everyone’s across that.

Otherwise they’re all going to think that. You know, it’s the invasion and they’ve got to like, you know, get the Dukes up and get the guns out that that still happens. it used to, it used to happen a lot. I think, when, you know, bug bounty kind of got a pretty big tailwinds and, and got very topical all of a sudden, you know, around sort of 2015 or so.

at which point there was a whole lot of this going on, those people just jumping in and doing stuff. and not necessarily, you know, planning ahead and thinking it through in a way that was gonna get them the best output from it that they could get, but also be respectful of the community that’s trying to help out.

yeah. So does that, I mean, I think, you know, one of the funny stories I tell from, from early Bugcrowd days was, we, ran a charity program. [00:48:00] So I got approached by a charity saying, Oh, you know, Can you help us out? Oh yeah. We’ll, we’ll do it for free, but what are you going to offer? What are you gonna offer the crowd?

Like, we don’t have anything to spend on this. So we, we basically said, look, let’s experiment with the idea of like a charity point system or a charity badge for people to contribute. When, when it’s they know they’re not going to get paid. and it was, I, it was an organization that was involved in, Basically combating sex trafficking in Southeast Asia, which is, which is awesome.

Cause to support and to secure as well. and when we launched the program, like the response was so strong that we, we actually knocked them off the internet. it was, it was like, cause that was a small organization. It was. Like fairly underpowered, sites and different things like that. And we were pretty inexperienced in terms of running these things for smaller organizations at the time.

We’ve learned a lot about that since. but at this time I think it’s the third or fourth program. We like, we actually knocked [00:49:00] them over for a period of time and had to wave the white flag. So that was like, it’s a negative bug bounty story. But the reason I like telling it was that like, or these are like, Bad hackers, who you can’t trust and who want to blow up your computer and do all these nasty things to you that are turning up in such force to protect folk that are trying to fight sex trafficking, that they actually knocked that website off the internet.

I actually think that’s kind of cool. So,

Ashish Rajan: I think so as well. Yeah, I think it kind of goes to show as well the fact that. it’s already happening. You probably are better off just making like a friendly, welcome rather than like, never find out about it until you get some kind of a brand, effect from it.

So, definitely it’s a great story, by the way. I want a question here from Sam as well. How do economics and game theory play into the crowd sourcing bug bounty scene Do researchers look for other outlets. When companies have bounties that feel aren’t fairly aligned with the value of the bug or the work. How do companies find the sweet spot of

payments?

[00:50:00] Casey Eliis: Yeah, for sure. it’s a fantastic question. the answer is yes. hunters, you know, hunters have. Their own kind of, you know, mental cost of activation for one of the better way of putting it. It’s like, okay, how much, how much is it going to take to get me out of bed?

And, and, and working on this

on a Monday on a chart,

or, you know, like 50 bucks for XSS or there’s a, there’s a spectrum. Right. and I think, it’s different for every individual because they’ve all got different. Like personal economic circumstances, like purchase power parody comes into play, you know, someone who’s, who’s doing this out of.

You know, India or the Philippines is more impacted comparatively by a $500 payout than someone who lives in Melbourne or San Francisco. And that’s just, that’s like arbitrage and global economics in play that. So it’s, you know, there’s those sorts of things that factor into it, but then there’s also, [00:51:00] you know, the awareness a Hunter has of how valuable or rare their skillset might be.

So people that can do really sophisticated work, On on, you know, unique targets or even sophisticated work on, on kind of more common targets like cloud environments and web, you know, over time they get to actually know that. and they’ll start to basically self-select. So it’s effectively a marketplace.

when you’re talking about game theory, like vulnerability economics is I. Geek out for hours on that. And I won’t do that right now, but you know, other than to say that it is a marketplace, where really the job is to create an incentive, that’s going to attract the skill, like ultimately a marketplace, like the value of the things determined by what the seller will sell that thing for based on what the buyer’s paying.

That’s. How, you know, marketplace value gets set. So the question of like, how do you find the sweet spot? yeah, really becomes a matter of, you know, we, we do a lot of work on this [00:52:00] around yeah. Vulnerability rating, taxonomy that. Brackets of vulnerability impacts with a second piece that we use called the defensive vulnerability pricing model, based on the type of organization you are, this is roughly where you should be thinking you should start.

that’s kinda how we do it. one of the reasons for that is that you can always put your prices up. it’s much more difficult to. To put them down, especially in a public program. you want to try to avoid that gap and expectation. It is possible if you need to do it, but it’s better if you can avoid it.

So what we recommend is working out where to start in a way that’s going to get. The ball rolling. And then from that point, you figure out, you know, what you need to increase. So if for a period of time, you know, you’re getting a whole bunch of like priority one issues, and your price is set at $5,000 and then that starts to taper off.

As you [00:53:00] fixing things, you make it more difficult to find a priority. One issue. all of a sudden you end up in this spot where that it’s like a, you know, a fireproof safe rating. It’s like you buy a fireproof safe, you know, this passport a passport in this thing will last for six hours at 1400 degrees Fahrenheit.

And I’m still in Fahrenheit because I’ve been in San Francisco.

whats that

Ashish Rajan: in celsius ?

Casey Eliis: I don’t know anymore. It’s the thing. It’s hot, it becomes, you know, a proxy for resilience, so, okay. If, if now that. Yeah, you’ve made your fireproof safe, more fireproof. Okay.

How hot does it need to be to, to burn the passport? that’s when you put your rewards up. So this is, this is something that, you know, the platform helps with from a data standpoint, something that we help with as a team. I talk about this a lot, just around, you know, offensive versus defensive vulnerability economics.

Cause in certain areas you’ve got, you know, attackers that want to. Figure out the answer to this question as well. That’s not [00:54:00] true all the time, but, you know, for some products in some organizations, it is there’s, there’s a lot to it. yeah,

Ashish Rajan: it kind of goes really well into the next comment that came from Sam as well, where he’s curious about the juicy bug being well, how am I better off disclosing it to a third party versus disclosing to the actual company?

Like, you know, there is kind of like how to find a balance there as well. So thoughts on that?

Casey Eliis: this is one I keep have kept a really close eye on in terms of just, you know, keeping company with folks in the broker space to understand the mechanics of that and understanding usage probably the big thing is that, you know, vulnerabilities that exist in, in platforms.

So, so in places where. Yeah, there’s one point of detection and one place for fix there. Hasn’t historically been an active offensive market for those things up until about two or three years ago. And it’s starting to become a thing now, but it’s still very, it’s still very early. It’s a different story for products.

[00:55:00] So if you’re talking about, you know, a mobile handset, you’re talking about, like, you know, Adobe software, Microsoft software, like Oracle, you know, Java, like all of those different things that you hear about as, as target for a nation state actors in particular, or even for, for kind of garden variety, cybercriminals.

there is a, there is a pretty mature and active offensive market for those types of vulnerabilities. Cause obviously they can, they can monetize them for whatever you know, monetization means. If it’s a nation state, you’re completing your mission. If you’re a cyber criminal, you’re able to use it to make a bunch of money.

So. Yeah, understanding kind of the nature of the offensive market is, is I think one of the things I always try to point people towards when, when I get asked that question, cause it’s a lot, there’s a lot to it. but I think, you know, specifically if you find a juicy bug and the incentive is not high enough, what do you do?

Hmm. you know, part of what, what in particular, a competitive model, like a bug bounty does, is it kind of [00:56:00] invokes the prisoner’s dilemma? So if you and I have both found an issue in, in Sam’s site, you’re probably gonna. Report it to him and get the bounty. I’m thinking about doing something sketchy with it.

I also know that other people are looking, which means other people may have found the thing that I’ve found. And if you get to it first, I miss out on the opportunity to exploit as well as the bounty. So I think that dynamic, actually helps quite a lot with keeping that in check.

Ashish Rajan: even to your point about the street cred, which is quite important in that space too.

Casey Eliis: Well, there’s all that too.

Yeah. A hundred

Ashish Rajan: percent. Yeah, that’s right. It adds another whole layer, we’re towards the end. and I, if for people who obviously have follow up questions with you, where can they reach you? Where can they, I, I feel like, I should’ve renamed this to, how do I start in bug bounty from an experienced professional or the kind of questions we’ve gone down, but, for, you’ve given all of us some hopes, which is always a good thing.

Where can people reach you? If you have any follow-up questions or want to connect with you?

Casey Eliis: Yeah, [00:57:00] sure. On, on Twitter, Twitter is usually the easiest and you know, obviously LinkedIn Casey Eliis, Twitter, Casey, John Ellis. I’ve also got like a blog personal blog on cje.io. yeah. any of those conversations that are bug crowd related, we’ll have that conversation connect you up with the right folk around that, but always, always keen to talk about just general security stuff as well.

Bugcrowd is @bugcrowd.com, on, on Twitter at, you know, just @Bugcrowd

Ashish Rajan: yeah, I do want to touch on this disclose.io As well, a bit, cause we never got to touch on that. So, for people who don’t know, cause you’re kind of quite behind it, you’re trying to make it, make it a thing. So maybe if you can touch quickly touch on that as well.

If you don’t mind. Yeah,

Casey Eliis: for sure. So, disclose IO, it’s just disclose. IO. I went a bit naughty on the dot on the IO domains when they first came out.

Ashish Rajan: Oh, you’re the reason why that’s expensive to have a.io domain.

Casey Eliis: No, I think that’s the, I think that’s the registrar’s fault, not mine, but I’m probably one of the reasons why some of the good names are [00:58:00] missing.

so. Yeah. So what disclose IO is a set of open source tooling to facilitate and to reinforce, best practice in, in vulnerability disclosure. And some of the stuff that we’ll talking about earlier in the show around, like, how do we turn this into a thing that, that actually helps companies.

You know, sell products and, and, you know, reinforce, the effort that they’re putting into this security program. Not just, here’s this other thing, this other security thing that you have to do. So, yeah , it’s basically a list of every program that’s, that’s known, it’s all open source and, and common criteria fall.

So you can use it for whatever you need to or contribute to it. yeah. It’s the list. It’s the, the open source vulnerability disclosure policy like Tums. so dire terms is that repo. which is, you know, things that, like VDP terms that you can just copy and paste. So you can use as a basis for, for putting a disclosure policy together.

We translate that into a bunch of different regions. We’re actually looking for help [00:59:00] making sure that we’ve got it nailed down against the Australian and New Zealand law. So if anyone’s interested in helping out with that, To figure, shout out, and then a seal. So if you go through all of this and you actually, put safe Harbor provisions into your, your VDP, there’s the disclose IO seal, which you get to basically put on your, on your site to say, Hey, this is the thing that I do.

Ultimately, the goal was for that to become almost like the green padlock. For, for Vuln disclosure. and I say that fully mindful of the fact that the green padlock has now disappeared. Like, I would love that to be a future state where such a normal thing. And you don’t have to say it anymore, but for where we are right now, it’s, you know, how do you.

How do you make implementing this as simple as possible for, for vendors and then for the hunters, how do you make it as simple as possible for them to have an understanding of what they can and can’t do, and for what they do and don’t have legal protection to do as a hacker, that was really one of the starting points for it.

Is that, you know hackers dont read [01:00:00] the brief.. That don’t go in the same way that you don’t read through a ULA when you it’s one of those things where like we’ll should, , at scale people, generally, aren’t doing that. So given that, plus the fact that lawyers, aren’t usually very used to writing this type of contract language and end up.

Generally producing something that looks like war and peace. How do we simplify all of that to make it as, as useful and as frictionless for as broad an audience as we can. So that’s what the disclose.io Project is the other piece that we’ve just started working on is a, is a community, you know, basically a community forum portal type of thing.

which, which is serving two purposes. Currently, one is to. you know, when folks are trying to disclose or report a, an issue, a vulnerability, a privacy lapse, or an incident that they’ve discovered, and they’re having difficulty getting contact with people on the receiving side, it’s basically bringing in.

You know, like trying to turn that into a [01:01:00] conversation where folks can, can step in and assist. cause that’s pretty much how it works. If you don’t have a program is like myself and a few dozen other people that are just the guy that knows everyone, that the people end up calling if they need help with that sort of stuff.

So, you know, I got to thinking like, how can that scale and how can we turn it into something that’s more community palette. I

Ashish Rajan: love the initiative and I, I definitely would definitely be talking a lot more about it as well, but, Casey, thank you so much for coming in. I can’t wait to kind of bring in more layers into this space and I bring you back in again, man.

But thanks so much for this. It’s really, really awesome for me.

Casey Eliis: Likewise. Yeah. Thank you for having me. It’s been a fun chat.

Ashish Rajan: Thanks.

Enjoying our content? Don't forget to subscribe!