Bug Bounty Overview
This half-a-day course offers a complete introduction to the world of bug bounty. Tailored for directors, CISO, team leader, this session covers everything from the history and structure of bug bounty programs to real-world vulnerability reporting and triaging. Through case studies, best practices, and industry insights, participants will leave equipped with a strong foundation to begin (or improve) their bug bounty journey, both from the hacker and company perspectives.
Targeted audience:
- Cybersecurity managers and security teams
- CISO and risk management professionals
- Organizations new to bug bounty
Educational goals:
- Understand what a bug bounty program is
- Learn how bug bounty fits into a security strategy
- Identify key roles and responsibilities
- Know how to handle vulnerability reports
- Evaluate your organization’s bug bounty readiness
Prerequisites:
- Basic understanding of cybersecurity principles
- Familiarity with vulnerability management and risk assessment
Program:
Welcome & icebreaker
- Instructor intro & participant backgrounds
- What to expect from the course
- What is bug bounty and why it matters
Understanding bug bounty: the ecosystem
- History and evolution of programs
- Roles and motivations: companies, platforms, hackers, 3rd parties
- Pentest vs bug bounty: key differences
Anatomy of a bug bounty program
- How programs are structured
- Public vs private programs
- What companies expect vs what hackers expect
Reports: triaging & managing conflicts
- Lifecycle of a report
- Handling duplicates and disputes
Policy & program management
- What companies should prepare before launching
- Program evolution: scope, rewards, privacy
- Common mistakes to avoid
Rules, ethics & real case studies
- The unofficial rules of bug bounty
- Safe harbor, disclosure policies
- Failures and successes: Verizon, Shopify, Zomato…
Wrap-up & Q&A
- Recap of the day
- Open Q&A and personalized advice
Gwendal Le Coguic - contact@glc.st - quotes on request - SIRET 79778302400038