BalCCon2k25

Cash for Bugs, Chaos for All
2025-09-19, Tesla

By crowdsourcing vulnerability hunting, bug bounty programs add an essential security layer as a last line of defense to catch what slips through conventional controls. Over the past 15 years, platforms like HackerOne and Bugcrowd have played a major role in legitimizing and popularizing the concept, opening up bug hunting to a broader audience while corporate adoption steadily increased. However, as the ecosystem grew, so did the misalignment between the interests of hackers, companies, and platforms, creating unintended consequences and conflicting incentives, and sometimes working against the very security these programs aim to improve. In this talk, I'll share my observations on these dynamics from running the self-managed bug bounty program at Swisscom for the past 4 years.

The talk will cover the following topics:
* Introduction to the concept of bug bounty
* What do organizations gain from bug bounty programs?
* What gap do they fill where conventional penetration testing falls short?
* What modes of programs exist?
* The emergence of bug bounty platforms
* Their contribution to the bug bounty ecosystem
* How they defined the rules, standards and expectations
* Their business model
* Financials & overview of bug rating models
* CVSS and alternatives
* Who profits from the generated value?
* Who are the hackers?
* Skewed demographics & performance statistics
* Lessons learned from the Swisscom Bug Bounty Program

After completing his Master's degree in Computer Science at ETH Zurich, Antoine has held various security-oriented IT roles as a system administrator, software developer, penetration tester, and security analyst. He joined Swisscom in 2019 in the Computer Security Incident Response Team (CSIRT) and took on the technical lead of the Bug Bounty Program in 2022.