To Pay or Not to Pay? The Battle Between Bug Bounty & VDPs

Aaron Guzman

Bug Bounty Village @ DEF CON 33 · Day 1

In "To Pay or Not to Pay? The Battle Between Bug Bounty & VDPs," Aaron Guzman, a Program Owner at Cisco, examines the challenges and trade-offs of running both a bug bounty program (BBP) and a vulnerability disclosure program (VDP) within a large enterprise. The talk addresses the load on security teams that must triage a high volume of vulnerability submissions across a diverse product scope and a wide range of severities. Guzman, drawing on his experience as a researcher, pen tester, and program manager, highlights the "cognitive dissonance" researchers often experience when trying to decide which program is the correct submission channel for a given finding.

AI review

Competent program-management talk from someone who clearly lives this work daily — the dual BBP/VDP architecture rationale is well-argued, and the PIIR framework plus the Researcher Toolkit are concrete deliverables that lift it above pure war-story territory. But it never escapes the gravitational pull of 'here's how our program works,' and nothing here would surprise anyone who's run a mature disclosure program.
