Jeremiah GrossmanOvjeren akaunt

Be passive. Be aggressive. Just don’t be passive aggressive. Pick a side!

Congratulations Richard! A BJJ BLUE BELT! A huge accomplishment and milestone. Hope to see ya again at BH in vegas for the 10yr smackdown anniversary!https://twitter.com/rejoiningthetao/status/1221952945509609473 …

This is why we predominately see Bug Bounty successfully deployed against the more mature (aka secure) organizations these days. /6

If priced right, there is point where the Bug Bounty model become more economically advantageous. A customer is able to model roughly how many vulns are expected to be found and going market rate for the crowd to look for them. /5

This is because the pricing model is essentially based on paying for 'effort' not 'performance.’ Over time there comes a point economically where they are comparatively very few vulns left to be found, and it makes more sense to pay for ‘performance’ (ie reported vulns). /4

In year 2, we'd expect the InfoSec program to mature and the number of reported vulns to decrease (less to be found), but the VA product licensing cost remains largely fixed. Consequently, the dollars-per-vuln metric actually inceases! Rinse repeat in year 3, 4, etc. /3

When customers license a VA product, it's typically an annual price. In newer InfoSec programs these tools will likely find A LOT of vulns. In year 1, if you divide the license cost by the number of vulns found over during the year, you get a dollars-per-vuln metric. /2

Many years ago I came to the conclusion that in many scenarios the "Bug Bounty" model was economically superior to the typical pricing model of VA vendors, especially as security programs mature. This is how I reasoned though it. /1

I wonder how many other security vendors, anti-virus or otherwise, are selling customer data similar to Avast. I mean, they can’t be the only ones in the industry can they?

Not to mention it’s incredibly rare for a breach to occur due to a vulnerability that a scanner failed to identify, or was incapable of finding.

Before setting out to build a ‘better’ vulnerability scanner, consider for a moment that a customer has never said, “It’d be awesome if my scanner found 10% more vulns in my network.”

In geo-politics, it feels like hacking has largely replaced dumpster diving.

When someone says they can do something, I believe them. When someone says they can’t do something, I believe them. That might be the only times I automatically believe anything without evidence.

On the other hand, even if the loss numbers are true, it would not appear that such a breach was an existential threat to the business. And as been discussed earlier, a breach can represent a buy-low-sell-high opportunity. Think about that.