Bug bounties in the age of AI

In this session, Tod Beardsley (runZero) and Casey Ellis (Bugcrowd) explore the evolving role of bug bounties in a world increasingly shaped by artificial intelligence. Ellis explains that while AI has lowered the barrier to entry for both offensive and defensive players, the fundamental spy-versus-spy dynamic remains, with human intent and agility still being the primary drivers of security research. The conversation touches on the "defender's dilemma," where attackers can iterate quickly and risk failure without major consequences, while defenders must secure entire environments and face severe operational impact if their automated "agents" cause a production outage.

The discussion shifts to the intrinsic value of vulnerability research and the importance of standardizing disclosure practices across the internet. Ellis highlights his work with disclose.io, a project aimed at making vulnerability disclosure "suck less" by providing standardized legal boilerplate and a vendor-agnostic database of disclosure policies. He notes that while some organizations have reached a maturity model where they actively encourage and protect researchers, many still rely on compliance-driven box-ticking exercises that do little to actually reduce risk in a meaningful way.

Meet Our Speakers

todb

VP of Security Research, runZero
