1
00:00:08,610 --> 00:00:14,850
The question still persists whether you should go for public programs or private programs.

2
00:00:16,080 --> 00:00:23,070
No matter how you choose the structure of the bug bounty program, it can be entirely private, blatantly

3
00:00:23,070 --> 00:00:26,720
public or anywhere in between. Now,

4
00:00:26,730 --> 00:00:30,120
I would like to tell you the main difference between these two programs.

5
00:00:30,570 --> 00:00:39,000
Private programs are known only to those hackers that companies choose to invite based on their skills,

6
00:00:39,600 --> 00:00:43,470
experience, location or other attributes.

7
00:00:44,580 --> 00:00:52,440
But every report, participant, bounty and other aspect of this program is totally private.

8
00:00:53,010 --> 00:00:57,120
For example, let us take the example of Amazon. Now,

9
00:00:57,120 --> 00:01:05,190
Amazon is searching for freelance hackers, who are not employees and who have a great amount of experience

10
00:01:05,190 --> 00:01:06,620
in bounty programs.

11
00:01:07,180 --> 00:01:13,080
They have exceptional ethical hacking skills, which you will also be learning in this course, and

12
00:01:13,410 --> 00:01:17,250
they are available for the period, according to Amazon.

13
00:01:18,220 --> 00:01:25,240
So what Amazon does is invite a group of, let's say, five hackers into the company and tell them to

14
00:01:25,240 --> 00:01:33,870
test this software or this service and then, if possible, report a successful vulnerability. In such a

15
00:01:33,880 --> 00:01:34,250
case,

16
00:01:34,510 --> 00:01:41,110
Amazon has invited these five people based on their skills, location and experience.

17
00:01:41,770 --> 00:01:49,750
And then all the details of this bug bounty program, including what to find, how to find it, methodology,

18
00:01:49,990 --> 00:01:54,000
rewards, etc., are hidden from the outside world.

19
00:01:55,080 --> 00:02:02,490
This is an example of a private bug bounty program. Now, public bug bounty programs are open to all

20
00:02:02,490 --> 00:02:09,900
hackers and can maximize both the program's visibility and the volume of participants and their varying

21
00:02:09,900 --> 00:02:10,410
skills.

22
00:02:11,130 --> 00:02:13,880
For example, let us take the example of Google.

23
00:02:14,490 --> 00:02:19,260
Now, Google has made an update to Jimmy Andalus, publicly known.

24
00:02:20,390 --> 00:02:27,980
So what Google says is: this bug bounty program is available to everyone and we want hackers to hack

25
00:02:27,980 --> 00:02:35,480
and find the vulnerabilities, if they exist, and just let us know; for the vulnerability report we will award them.

26
00:02:36,080 --> 00:02:43,850
In this case, Google is allowing the entire hacker community to test their applications and report

27
00:02:44,150 --> 00:02:45,050
the vulnerability.

28
00:02:45,710 --> 00:02:53,510
The public bug bounty programs give you better coverage and exposure to hackers and can also be publicized

29
00:02:53,510 --> 00:02:58,010
to show your customers how much effort you're putting into security.

30
00:02:58,550 --> 00:03:04,910
This was quoted by HackerOne, which is the top platform for bug bounty hunters, and I will be discussing

31
00:03:05,210 --> 00:03:06,890
HackerOne in an upcoming lecture.

32
00:03:07,250 --> 00:03:09,830
But even public programs are customizable.

33
00:03:10,430 --> 00:03:17,420
Bug reports can remain private and redacted, then awards can be disclosed and the vulnerability can be

34
00:03:17,420 --> 00:03:18,050
disclosed.

35
00:03:19,530 --> 00:03:26,310
Private bug bounty programs currently make up 79 percent of all the bounty programs on HackerOne.

36
00:03:27,560 --> 00:03:34,940
You can see more statistics and analysis on the website, and you might now have a question: what is

37
00:03:34,940 --> 00:03:35,580
HackerOne?

38
00:03:36,020 --> 00:03:43,370
Well, in the next lecture we will be discussing HackerOne and we will also see a fully managed

39
00:03:43,370 --> 00:03:45,020
HackerOne bug bounty program.