1
00:00:08,690 --> 00:00:10,800
Welcome to a brand new lecture.

2
00:00:11,150 --> 00:00:15,760
And in this lecture, we are going to actually define a bug bounty program.

3
00:00:16,100 --> 00:00:20,520
The bug bounty program is the most advanced form of hacker-powered security.

4
00:00:21,020 --> 00:00:26,630
It provides continuous security testing and vulnerability reports from the hacker community.

5
00:00:27,760 --> 00:00:35,340
When a new bug bounty program is launched, in 77 percent of the cases, hackers find the first vulnerability

6
00:00:35,350 --> 00:00:37,150
in the first 24 hours.

7
00:00:38,090 --> 00:00:38,850
Isn't it great?

8
00:00:39,280 --> 00:00:45,480
And that is how fast security can improve when hackers are invited to contribute.

9
00:00:46,060 --> 00:00:49,710
Bug bounty programs can be either public or private.

10
00:00:50,470 --> 00:00:56,650
Public bug bounty programs like Starbucks, GitHub and Airbnb are open to everyone,

11
00:00:57,320 --> 00:01:04,360
while private programs require organizations to invite hackers to participate. Public programs are

12
00:01:04,360 --> 00:01:13,690
open to the widest range of hacker diversity and therefore produce superior results. On average, public

13
00:01:13,690 --> 00:01:21,640
bug bounty programs have engaged six times the number of hackers reporting valid vulnerabilities.

14
00:01:22,600 --> 00:01:31,300
That number nearly doubled in 2019, and it is going to triple in the next years. Private programs make

15
00:01:31,300 --> 00:01:35,050
up 79 percent of all bounty programs,

16
00:01:35,080 --> 00:01:39,070
while public programs make up the remaining 20 percent.

17
00:01:40,200 --> 00:01:46,710
By starting with a private program, security teams can then work with a smaller group of hackers to

18
00:01:46,710 --> 00:01:53,310
identify known and easily found vulnerabilities as they optimize internal security processes.
19
00:01:53,640 --> 00:01:58,490
Bug bounty programs are very similar to a vulnerability disclosure policy,

20
00:01:58,530 --> 00:02:02,550
that is, a VDP, which we have seen in the last lecture.

21
00:02:03,670 --> 00:02:10,810
VDPs are referred to as the "see something, say something" of the Internet, while bug bounty programs

22
00:02:10,810 --> 00:02:18,070
include incentive structures and processes designed to encourage individuals with a range of experience

23
00:02:18,310 --> 00:02:26,260
and talent to identify and report potential security vulnerabilities so they can be safely resolved

24
00:02:26,260 --> 00:02:27,550
before they are exploited.

25
00:02:28,060 --> 00:02:34,690
No money changes hands until after the vulnerability is reported. Once it is validated and determined

26
00:02:34,690 --> 00:02:40,520
to be in line with the program terms as defined in the policy or security page,

27
00:02:40,840 --> 00:02:44,410
the hackers are paid bounties or rewards.

28
00:02:44,650 --> 00:02:51,160
A vulnerability disclosure policy will help bug bounty hackers to create the process for monitoring,

29
00:02:51,460 --> 00:02:56,230
managing, vetting, and responding to and fixing vulnerabilities.

30
00:02:56,830 --> 00:03:04,960
It's a great first step to dealing with incoming bug reports and building a team and process for handling

31
00:03:04,960 --> 00:03:05,830
those reports.

32
00:03:06,070 --> 00:03:13,360
In the next lecture, we will see which program you should go for: the public program or the private

33
00:03:13,360 --> 00:03:13,930
program.