Running an efficient bug bounty program and PSIRT function
Garrett McNamara, Jeff Guerra
BSidesSF 2026 · Day 2 · AMC Theatre 13
In this talk from BSides SF, Garrett McNamara of ServiceNow and Jeff Guerra of 1Password (formerly GitHub) cover what it takes to stand up and sustain effective **bug bounty programs** and **Product Security Incident Response Team (PSIRT) functions**. Their premise is that security incidents are inevitable, so the goal is not to eliminate these "fires" but to make them manageable, and they offer practical, experience-driven strategies for doing so. The speakers emphasize automation, robust incident response processes, meaningful metrics, and strategic engagement with the researcher community.
AI review
Competent operational talk from practitioners who've clearly done the work — building PSIRTs from scratch, integrating bounty platforms, automating triage workflows. Nothing here will surprise anyone who's run a mature program, but it's honest, experience-grounded, and useful for orgs still figuring out the basics.