This March I had the opportunity to travel to India and speak at the Nullcon security conference as part of the first Bounty Craft Track - 1.5 days devoted entirely to the art of bug bounty hunting with researchers and members of the security teams from Bugcrowd, Microsoft, Google, Facebook, and Mozilla. This was a great opportunity for vendors and researchers to engage in interactive conversations, and to share techniques and war stories. And it was awesome to meet dozens of our Crowd members in person, including two of our 2016 Buggy Award winners, Harie_cool and Vishnu_Vardhan_Reddy!
To kick off day two of the Bounty Craft Track I gave a 30-minute presentation on "Writing Vulnerability Reports that Maximize your Bounty Payouts," which we've recorded as a live webcast for anyone who was not able to attend Nullcon. Finding vulnerabilities is a researcher's strength, but writing the findings up so the customer can process them quickly isn't always as easy. In this presentation I give three simple but important tips to help researchers write vulnerability reports that can be quickly triaged and rewarded. To keep this grounded in the real world, I use four examples of submissions we've received at Bugcrowd to explain the sorts of mistakes we sometimes see.
BUT WAIT THERE WAS SO MUCH MORE!
Bugcrowd's Faraz Khan, an Application Security Engineer on our Technical Operations team, gave a talk on tools and techniques for finding web application vulnerabilities. Microsoft, Google, Facebook and Mozilla all presented information about their programs, Bugcrowd hosted a two-hour web CTF, and I had the opportunity to meet a group of amazing women in India's information security industry at the Winja Breakfast Panel.
The enthusiasm and engagement of Nullcon attendees was infectious; it is easy to see why India is such a substantial contributor of vulnerability reports to Bugcrowd customers.
Can't wait until Nullcon 2017!