In this session, Tod Beardsley (runZero) and Casey Ellis (Bugcrowd) explore the evolving role of bug bounties in a world increasingly shaped by artificial intelligence. Ellis explains that while AI has lowered the barrier to entry for both offensive and defensive players, the fundamental spy versus spy dynamic remains, with human intent and agility still being the primary drivers of security research. The conversation touches on the "defender's dilemma," where attackers can iterate quickly and risk failure without major consequences, while defenders must secure entire environments and face severe operational impact if their automated "agents" cause a production outage.
The discussion shifts to the intrinsic value of vulnerability research and the importance of standardizing disclosure practices across the internet. Ellis highlights his work with disclose.io, a project aimed at making vulnerability disclosure "suck less" by providing standardized legal boilerplate and a vendor-agnostic database of disclosure policies. He notes that while some organizations have reached a maturity model where they actively encourage and protect researchers, many still rely on compliance-driven box-ticking exercises that do little to actually reduce risk in a meaningful way.
Watch more sessions from runZero Day
| Session Title | Guests |
|---|---|
| A CVE quagmire: Quality versus quantity | Jerry Gamblin, RogoLabs |
| Predicting exploitation: A practitioner's guide | Jay Jacobs, Empirical Security |
| Signal vs slop: Journalists on the evolution of research-driven reporting | Bill Brenner, CYBER.SEC.Community; Dennis Fisher, Decipher; Steve Ragan, 1Password |
| On the frontlines of investigative journalism in cybersecurity: An insider's perspective | Joseph Menn, Author & Investigative Journalist |
| From risk to resilience: Navigating OT security in a converged world | Mary Gannon, GuidePoint Security; Patrick Gillespie, GuidePoint Security |
| Force multiplied: Community-powered vuln detection | Rishi Sharma, ProjectDiscovery |
| Mute the sirens: Prioritizing vulnerability noise | Mark Lambert, ArmorCode |
| The network edge: EOL and exploitation | Kimber Duke, VulnCheck; Patrick Garrity, VulnCheck |
| Bug bounties in the age of AI | Casey Ellis, Bugcrowd |
| Perimeters and pathways: Protecting the complete attack surface | HD Moore, runZero; Jared Atkinson, SpecterOps; Zakir Durumeric, Censys |
| The infinite eye: How AI threat intelligence gives defenders an asymmetric edge | HD Moore, runZero; Jonathan Cran, Mallory |