data driven bug bounty
play

Data Driven Bug Bounty Arkadiy Tetelman (@arkadiyt) Agenda - PowerPoint PPT Presentation

Apr 06, 2023 •706 likes •930 views

Data Driven Bug Bounty Arkadiy Tetelman (@arkadiyt) Agenda Program logistics @ Twitter, Airbnb Running a data driven program Methodology Questions Program Logistics - Twitter Single public program Soft launch

  1. Data Driven Bug Bounty Arkadiy Tetelman (@arkadiyt)

  2. Agenda ● Program logistics @ Twitter, Airbnb ● Running a data driven program ● Methodology ● Questions

  3. Program Logistics - Twitter ● Single public program ● Soft launch (unpaid), then moved to paid ● Triage by NCC Group ● ~4-6 appsec engineers, 1 week rotation ● $950,000 over 4 years, 850 resolved reports ● More stats: https://blog.twitter.com/engineering/en_us/a/2016/bug-bounty-2-years-in.html

  4. Program Logistics - Airbnb ● Started as 2 programs: public (unpaid) & private (paid) ● Merged into 1 public paid program (as of March 2018) ● Triage by Hackerone ● 4 appsec engineers, 2 week rotation ● $430,000 over 3 years, 430 resolved reports

  5. Running a data driven program Thesis: data provides half the value

  7. ● Immediately know your risk breakdown, focus your energy there ● Feed this into quarter planning Measure ROI ● ● Requires: internal taxonomy

  9. ● 10x difference between fastest/slowest teams ● Also track SLA Hold teams accountable ● ● Give positive reinforcement

  11. ● Notice a pattern? Lets security engineers know good/bad ● teams Helps drive conversations forward (but ● be careful!)

  13. ● Can be shared widely - be visible! Measure improvement (or lack of ● improvement) over time Use data to drive business goals ●

  15. ● ~50% reports from bug bounty, ~35% of reports from scanners ● Watch for changes, i.e.: ⇧ Scanner -> Invalid: tune false ○ positives ⇩ Bug bounty: is your program healthy? ○

  17. ● Most important for program health: time to response, time to bounty ● Least important to *collect* Benefits: ● ○ More researchers, better reports Researchers talk with each other ○ ○ Get early notice/access

  18. Methodology ● If launching a program: ○ start with a pentest, assess yourself ○ launch a private program w/ a few researchers & limited scope ensure program policy gives researchers safe harbor ■ grow slowly, tune your workflow ○ ○ go public when ready ● Starting/started a program: define taxonomy, tag vulnerability class / source / team, keep track of SLA ○

  19. Conclusion ● Data driven bug bounty: ○ Informs your security posture ○ Serves as input into security roadmapping Drives conversations with other teams forward ○ Lets you be visible in your organization ○ ○ Helps you run a healthier bug bounty program ● Methodology: Start small & scale out ○

  20. Questions Arkadiy Tetelman (@arkadiyt)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BOUNTY M MINING LTD TD (A (ASX:B2Y) BOUNTY MINING LIMITED ACN 107 411 067 SUITE 301, 66

BOUNTY M MINING LTD TD (A (ASX:B2Y) BOUNTY MINING LIMITED ACN 107 411 067 SUITE 301, 66

BOUNTY M MINING LTD TD (A (ASX:B2Y) BOUNTY MINING LIMITED ACN 107 411 067 SUITE 301, 66 HUNTER STREET, SYDNEY NSW 2000, AUSTRALIA TELEPHONE: +61 417 654 090 WWW.BOUNTY.COM.AU 14 TH JUNE 2018 DISCLAIMER This investor Presentation

322 views • 16 slides
Running a bug bounty Crowdsourcing security Collin Greene Also known as.. What is a bug bounty

Running a bug bounty Crowdsourcing security Collin Greene Also known as.. What is a bug bounty

Running a bug bounty Crowdsourcing security Collin Greene Also known as.. What is a bug bounty program Essentially bribing strangers to tell us their facebook 0days Sometimes blows up in our face, most of time works pretty well

841 views • 25 slides
Bounty Oil and Gas NL Presentation to: Excellence in Oil and Gas March 11 12, 2014 ASX

Bounty Oil and Gas NL Presentation to: Excellence in Oil and Gas March 11 12, 2014 ASX

Bounty Oil and Gas NL Presentation to: Excellence in Oil and Gas March 11 12, 2014 ASX Code: BUY Philip F Kelso - CEO Cooper Basin - Drilling Utopia 14 Bounty Oil & Gas NL Major Growth Projects with Production Base 2013

239 views • 19 slides
2012 Bounty Rewards Program Program Theme Expose Bounty Accounts to our outstanding products and

2012 Bounty Rewards Program Program Theme Expose Bounty Accounts to our outstanding products and

2012 Bounty Rewards Program Program Theme Expose Bounty Accounts to our outstanding products and services that differentiates Kaman Industrial Technologies from our competitors. Program Overview Goal: Increase account penetration

186 views • 7 slides
Running a Bug Bounty Program What you need to know Shpend TU - Master in Software Engineering

Running a Bug Bounty Program What you need to know Shpend TU - Master in Software Engineering

Running a Bug Bounty Program What you need to know Shpend TU - Master in Software Engineering Senior AppSec Engineer & Team Lead @ Bugcrowd Bug bounty Hunter Video Games Bsides Vienna 2016 Agenda What & Why

365 views • 34 slides
1 Data-dr Data-driven philosophy n philosophy Data-dr Data-driven: push n: push 7 8

1 Data-dr Data-driven philosophy n philosophy Data-dr Data-driven: push n: push 7 8

What What is is a a senso sensor network? network? 2 Tiny, untethered nodes with severe resource constraints Sensors, e.g., light, moisture, Tiny CPU and memory Da Data ta-Driven Pr -Driven Proc ocessing essing

177 views • 7 slides
Bounty Oil and Gas NL Presentation to: Energy, Oil and Gas Investor Summit March 17 18, 2015

Bounty Oil and Gas NL Presentation to: Energy, Oil and Gas Investor Summit March 17 18, 2015

Bounty Oil and Gas NL Presentation to: Energy, Oil and Gas Investor Summit March 17 18, 2015 ASX Code: BUY Philip F Kelso - CEO Gas Plant Songo Songo Island Bounty Oil & Gas NL Major Growth Projects with Production Base Recent

334 views • 19 slides
Data-Driven Research Program Data-Driven Research Program Linked Longitudinal Retrospective

Data-Driven Research Program Data-Driven Research Program Linked Longitudinal Retrospective

VICTORIAN COMPREHENSIVE CANCER CENTRE Data-Driven Research Program Data-Driven Research Program Linked Longitudinal Retrospective Health care continuum Secondary use Bottom-up Data-Driven Research Program Hospital Primary Care Population

380 views • 22 slides
Bounty Oil & Gas NL Annual General Meeting 27 November 2013 CEOs Report Philip F Kelso

Bounty Oil & Gas NL Annual General Meeting 27 November 2013 CEOs Report Philip F Kelso

Bounty Oil & Gas NL Annual General Meeting 27 November 2013 CEOs Report Philip F Kelso Highlights Australia Bounty has successfully delineated and de-risked the Azalea Prospect in AC/P 32 (BUY 100%) Timor Sea, ready for farmout

552 views • 19 slides
Lessons of the Bounty: Drawing Experience from Tragedy Captain G. Andy Chase Professor of Marine

Lessons of the Bounty: Drawing Experience from Tragedy Captain G. Andy Chase Professor of Marine

Lessons of the Bounty: Drawing Experience from Tragedy Captain G. Andy Chase Professor of Marine Transportation Maine Maritime Academy At first glance, the Bounty tragedy was a simple disaster. One bad decision took a vessel straight into

215 views • 6 slides
Running a Bug Bounty Program Adam Ruddermann 15 March 2018 IIA / ISACA / ACFE Joint Spring

Running a Bug Bounty Program Adam Ruddermann 15 March 2018 IIA / ISACA / ACFE Joint Spring

Running a Bug Bounty Program Adam Ruddermann 15 March 2018 IIA / ISACA / ACFE Joint Spring Training Event Bug bounty? Responsible disclosure? Huh? Huh? Security Researchers Whitehats (Optional) The Hackers company

425 views • 38 slides
SCE Map Update: Data-Driven Spatial and E Field Maps Michael Mooney, Hannah Rogers Colorado

SCE Map Update: Data-Driven Spatial and E Field Maps Michael Mooney, Hannah Rogers Colorado

SCE Map Update: Data-Driven Spatial and E Field Maps Michael Mooney, Hannah Rogers Colorado State University ProtoDUNE Sim/Reco Meeting April 10 th , 2019 1 First Data-Driven Maps First Data-Driven Maps Brief presentation on data-driven

439 views • 14 slides
The Rules of Engagement for Bug Bounty Programs Aron Laszka 1 , Mingyi Zhao 2 , Akash Malbari

The Rules of Engagement for Bug Bounty Programs Aron Laszka 1 , Mingyi Zhao 2 , Akash Malbari

The Rules of Engagement for Bug Bounty Programs Aron Laszka 1 , Mingyi Zhao 2 , Akash Malbari 3 , and Jens Grossklags 4 1 University of Houston 2 Snap Inc. 3 Pennsylvania State University 4 Technical University of Munich 1 Bug-Bounty

553 views • 23 slides
Data-driven COVID-19 modeling Data-driven COVID-19 modeling 1 Cyprien Neverov th August 28 ,

Data-driven COVID-19 modeling Data-driven COVID-19 modeling 1 Cyprien Neverov th August 28 ,

Data-driven COVID-19 modeling Data-driven COVID-19 modeling 1 Cyprien Neverov th August 28 , 2020 1 Student at IMT Mines Ales and intern at FAU Erlangen-Nurnberg under the supervision of Prof. Enrique Zuazua. Table of Contents Table of

790 views • 43 slides
Data Driven Marketing the DNA of customer oriented companies 00101001 yes no Data Driven

Data Driven Marketing the DNA of customer oriented companies 00101001 yes no Data Driven

Data Driven Marketing the DNA of customer oriented companies 00101001 yes no Data Driven Marketing the DNA of customer orientated companies Executive summary 1. Data and marketing The Culture of Data Marketing decision making Telling

812 views • 80 slides
Data-driven Clustering via Parameterized Lloyds Families Travis Dick Joint work with

Data-driven Clustering via Parameterized Lloyds Families Travis Dick Joint work with

Data-driven Clustering via Parameterized Lloyds Families Travis Dick Joint work with Maria-Florina Balcan and Colin White Carnegie Mellon University NeurIPS 2018 Data-driven Clustering Data-driven Clustering Clustering aims to divide a

675 views • 53 slides
Lecture 1: Introduction to Computer Security RK Shyamasundar Aims Provide a thorough

Lecture 1: Introduction to Computer Security RK Shyamasundar Aims Provide a thorough

Lecture 1: Introduction to Computer Security RK Shyamasundar Aims Provide a thorough understanding of Policy (what are being protected) Mechanisms (authentication, authorization, auditing/monitoring, ) Attacks (vulnerabilities,

629 views • 33 slides
Sean Condon, CFP Chris Arndt, CPA Poll the A e Audi dience: What Does it Mean to Curate

Sean Condon, CFP Chris Arndt, CPA Poll the A e Audi dience: What Does it Mean to Curate

Sean Condon, CFP Chris Arndt, CPA Poll the A e Audi dience: What Does it Mean to Curate a Culture of Growth? How to C o Curate a C a Culture of of Growth Create a culture where all employees think and act like an owner.

306 views • 27 slides
UNDERGROUND ECONOMIES GRAD SEC OCT 17 2017 TODAYS PAPERS UNDERGROUND ECONOMIES

UNDERGROUND ECONOMIES GRAD SEC OCT 17 2017 TODAYS PAPERS UNDERGROUND ECONOMIES

UNDERGROUND ECONOMIES GRAD SEC OCT 17 2017 TODAYS PAPERS UNDERGROUND ECONOMIES Economics drives both the attacks and the defenses What is for sale? Who sells it? How? Defenders: Antivirus vendors, firewall vendors, etc.

781 views • 42 slides
detectify Go hack yourself or someone else will Frans Rosn @fransrosen Frans Rosn

detectify Go hack yourself or someone else will Frans Rosn @fransrosen Frans Rosn

detectify Go hack yourself or someone else will Frans Rosn @fransrosen Frans Rosn Security Advisor @detectify ( twitter: @fransrosen ) Blog at labs.detectify.com HackerOne #5 @ hackerone.com/thanks "The Swedish Ninja"

1.28k views • 91 slides
Earnings Release FY 2020 & Q4 2020 Results July 30, 2020 Business Results Fiscal Year

Earnings Release FY 2020 & Q4 2020 Results July 30, 2020 Business Results Fiscal Year

Earnings Release FY 2020 & Q4 2020 Results July 30, 2020 Business Results Fiscal Year 2020 IMMEDIATE PRIORITIES 1. Ensuring the health and safety of the men and women of P&G around the world. 2. Maximizing the availability of

912 views • 40 slides
Welcome to the Cyber Risk Insights Conference! Welcoming Remarks Rebecca Bole EVP &

Welcome to the Cyber Risk Insights Conference! Welcoming Remarks Rebecca Bole EVP &

Welcome to the Cyber Risk Insights Conference! Welcoming Remarks Rebecca Bole EVP & Editor-in-Chief Advisen Leading the way to smarter and more efficient risk and insurance communities, Advisen delivers: The right information into The

861 views • 60 slides
STROLLING INTO RING-0 via i/o kit drivers @patrickwardle WHOIS security for the 21st century

STROLLING INTO RING-0 via i/o kit drivers @patrickwardle WHOIS security for the 21st century

STROLLING INTO RING-0 via i/o kit drivers @patrickwardle WHOIS security for the 21st century leverages the best combination of humans and technology to discover security vulnerabilities in our customers web apps, mobile apps, IoT

648 views • 47 slides
Contracting Tensor Network on a Noisy Quantum Computer Isaac H. Kim Stanford Institute for

Contracting Tensor Network on a Noisy Quantum Computer Isaac H. Kim Stanford Institute for

Contracting Tensor Network on a Noisy Quantum Computer Isaac H. Kim Stanford Institute for Theoretical Physics September 13th, 2018 arXiv:1703.02093, arXiv:1703.00032, arXiv:1711.07500(w. Brian Swingle(UMD)) + some unpublished tidbits Before

644 views • 33 slides

More recommend