Security teams often need to balance what they want to implement against the security budget available to them, and they run into the question “What is the ROI?” when selling the value to the business. This talk bridges the gap between hacking and the boardroom by showing how to measure the Return on Security Investment (ROSI) of a bug bounty program. Using real breach cost data from IBM, attack vectors from Verizon’s DBIR, insights from security maturity frameworks, and data from global bug bounty programs, this talk walks you through a methodology for translating vulnerabilities into financial impact, avoided losses, and strategic value. Attendees will leave with a practical framework and examples they can use to justify, defend, or expand a bug bounty program inside their own organizations.