So, thank you very much for having me. First of all, I wanted to take a moment to talk about hackers. A lot of the previous presentation was about how cyber is represented in the media, and how hackers are represented in the media is often that they are evil and that they are equated with criminals. So, I'm going to talk about some of these new incentive programs or bounty programs and the ways that you can attract well-intentioned hackers to your cause of defense. A lot of people, when bounties first started, thought about bounties as an extortion mechanism for hackers, and in fact it's quite the opposite. So what does a hacker really look like to you? This is actually a picture of me hacking on a video game system back in the days when Alex Stamos and I used to be penetration testers. This was the way that people with hacking skills used to make money about a decade or a decade and a half ago. So, your idea of what a typical hacker looks like may be very different from the gentleman from Army Cyber Command in the backstage area who started thanking me for this event, who thought I was one of the event planners. So, you know, I challenge your assumptions in this area. What is a bug bounty really? So how many of you are familiar with the concept of bug bounties? Okay, so in general, it's paying people for vulnerability information, and I actually consider this term bug bounty, specifically the word bug, to be a misnomer in this case. It's really about incentive programs, and it's really not about extortion or paying for things in order to keep information quiet, but it's actually attracting the right eyes to the things that you want to consider. So before I was at HackerOne, I spent seven years at Microsoft. Before that was the seven years spent as a penetration tester, and we won't go even further back except for maybe at the karaoke bar later tonight. However, I'm going to talk about the bounty programs that I started at Microsoft in June of 2013.
So these were very interesting incentive programs. Only one of them was actually paying for individual vulnerabilities in a single product. And that was the bottom one, that was up to $11,000 for IE11 bugs in the beta release of IE11. We're gonna go into these programs in more depth. But to date, since June 2013, over half a million dollars has been paid by Microsoft to well-intentioned hackers who have come forward with not just vulnerability information about individual bugs, but also about new defense techniques. And the $100,000 prize has been paid out several times for brand new attack techniques. These aren't just any kind of attack. These are what we call mitigation bypasses. So if you think of a mitigation as a shield across the entire platform, it protects all the applications on the platform that opt into those technical mitigations, and it also protects even third-party applications that opt in to some of those platform-level mitigations. What they're designed to do is break individual exploits. So make individual exploits harder to exploit on the platform, hence that shielding effect. So paying $100,000 for a brand new technique that breaks that shield was something that was worthwhile for the company to do and to learn about. So before we dive into how these programs actually did in real life, let's talk a little bit about how the markets work. So in general, you can divide the markets for vulnerabilities and exploit information into three categories. And I like to categorize them based on their intended purpose. You could easily categorize them based on the price points, where the defense market pays the least. The mixed-use market pays a little more. And of course the offense market pays the most. But really, if you think about it, the incentives that you're trying to create here, you cannot compete directly with that offense market with money. If you try to do so, guess what's gonna happen. The offense market is just gonna rise.
In general, those are going to have, and no pun intended, those are going to essentially have unlimited budget and unlimited resources if the markets go up in the defense zone. So you have to think about it in a different way and create your incentives accordingly. Mixed use is mixed use. It's essentially those markets are either creating vulnerabilities and exploits for defensive purposes, so looking for zero-day vulnerabilities and selling them as a subscription to people who want to build custom signatures to protect their networks. It's also being used in the offensive sense. The interesting thing about the offense market is that, among that market, that market pays the most because it wants those vulnerabilities to stay secret for the longest amount of time. The defense market is pretty much the only market that wants to see those fixed. So in creating these incentive programs, this was the very first $100,000 check. Actually the only $100,000 check I've personally ever written. But it was to James Forshaw, a researcher out of Britain, who came up with the very first mitigation bypass technique that qualified for $100,000. People said that we would never be able to outbid the black market. But in reality, who were we actually bidding against? The black market doesn't need a new mitigation bypass. They have techniques that work. They don't need to buy the next generation of it. Only the vendor responsible for building the next version of the platform more securely actually had a use for this information. Similarly, you are looking at a diagram that actually convinced the Internet Explorer team to buy their own bugs. This is actually what I showed them. And it was a projection. So the blue line is the real data from IE10. That low little squiggle is how many bugs IE10 got during the beta period, not many. Big spike at the end after it was released to manufacturing, or after code was frozen. Why is that?
Because none of the markets were trading, not even the hackers who would come to Microsoft for free. Because essentially, their only incentive was getting 12-point Arial font credit and thanks in a bulletin. If that bug was fixed during the beta period, no bulletin. Everyone was holding. So the only way to get them to come forward was to create an incentive at the beginning of the beta period. So that was the projection. Actual results: 18 bulletin-class issues were delivered to Microsoft during the first 30 days of the IE11 beta. So what does that mean? How much do you think we paid? Anyone have a guess? It was up to $11,000 per. Do you think we paid $11,000 per? $28,400 was spent on those 18 bulletin-class issues. Each one of them would have fetched six figures in the offense market. So if your goals are to try and disrupt the marketplace, disrupt your adversaries, you would bounty a new attack. You would bounty defense. Those are things that the offense market doesn't need. In addition, you look for gaps in your market to take advantage of places where nobody is buying. So you set the price. So no matter what you do, you need to invest the most security in your proactive security efforts and build security in from the ground up. But at the end of the day, all code has security bugs. So the models, as they stand, don't need you to think in this two-dimensional plane of trying to outbid when you really need to outthink. And that dimension brings us to something that is near and dear to my heart, the Computer Fraud and Abuse Act, and the president's words about strengthening some of the punishments. I personally have never met a criminal who thought to themselves, gee, I'm going to step away from the keyboard because the minimum sentence went from five years to 10 years. But I have met plenty of legitimate security researchers, a.k.a.
friendly hackers, who have stepped back from reporting vulnerabilities to those who need to fix them because they are afraid of prosecution. So if you care about vulnerability research, and if we're talking about public-private partnerships, I think we should have a conversation about carving out a safe haven for researchers who want to come forward. We're essentially going to need all hands on deck, no matter what they look like, no matter how they seem to you at first, whether or not they fit some of the admiral's criteria for hiring directly into Cyber Command. We need all hands on deck, and the hackers are among them. Thank you.