Running a Bug Bounty Program, Adam Ruddermann, 15 March 2018, IIA / ISACA / ACFE Joint Spring Training Event (PowerPoint PPT presentation)



SLIDE 1

Running a Bug Bounty Program

Adam Ruddermann 15 March 2018 IIA / ISACA / ACFE Joint Spring Training Event

SLIDE 2

Bug bounty? Responsible disclosure? Huh?

SLIDE 3

Huh?

  • “Security Researchers”, “Whitehats”, “Hackers”, “Your children”
  • Find a security vulnerability in a company
  • Report it to the company and give them time to fix it before telling anyone else
  • (Optional) The company gives a monetary award

SLIDE 4

SLIDE 5

The agenda!

  • Part 2: Huh?
  • The component parts of these programs
  • Where it fits, where it doesn’t
  • Questions
SLIDE 6

Adam ‘rudd’ Ruddermann, Practice Director

SLIDE 7

Who is rudd?

SLIDE 8

Ok so, back to ‘huh?’

SLIDE 9

What is ‘responsible disclosure?’

  • Researchers make a reasonable effort to contact the organization that can fix the security vulnerability and provide it with actionable data about the bug to enable a fix.
  • Researchers give the organization a reasonable amount of time to fix the bug and distribute the fix to its customers before disclosing it to anyone else.
    • CERT/CC: 45 days
    • Google: 90 days
  • If the organization does not act in good faith or does not intend to fix the bug, the researcher is reasonably entitled to publicly disclose the unfixed vulnerability.

SLIDE 10

Clearing the air on terminology

Publicly published, compared for Responsible Disclosure vs. Bug Bounty:

  • Responsible disclosure rules
  • Product scope and boundaries
  • Legal safe harbor provisions
  • A dedicated channel to submit bugs
  • Thanks page and/or Hall of Fame
  • Monetary and/or prize awards

SLIDE 11
  • Wait. How did we get here?
SLIDE 12

The component parts

I promise this won’t be too boring

SLIDE 13

The component parts of these programs: Legal, Public Relations, Daily Ops, Engineering Partnerships, Award Payouts

SLIDE 14

SLIDE 15

SLIDE 16

The component parts of these programs: Legal, Public Relations, Daily Ops, Engineering Partnerships, Award Payouts

SLIDE 17

Day-to-day Operations / Lifecycle of a Submission: Initial Triage → Decision Triage → Fix → Resolve

SLIDE 18

Day-to-day Operations / Lifecycle of a Submission: Initial Triage → Decision Triage → Fix → Resolve

Initial Triage

  • Engine room of the cruise ship
  • Noise filtering
  • Staff typically do not need to read code or be able to suggest fixes
  • Unambiguous and well understood final decisions are made here
  • Feels a lot like a help desk, but is much more technical
SLIDE 19

Day-to-day Operations / Lifecycle of a Submission: Initial Triage → Decision Triage → Fix → Resolve

Decision Triage

  • The captain of the ship
  • The most technical person in the process
  • Looks deep to understand root causes, including reading code
  • Usually has day-to-day oversight of how things are going
  • Everyone is supporting this person
SLIDE 20

Day-to-day Operations / Lifecycle of a Submission: Initial Triage → Decision Triage → Fix → Resolve

Fix

  • Working with engineering teams to get it fixed
    • Step 1: Let the team know
    • Step 2: Agree on how impactful the vulnerability is
    • Step 3: Agree on resourcing and timelines
    • Step 4: Track it!
SLIDE 21

Day-to-day Operations / Lifecycle of a Submission: Initial Triage → Decision Triage → Fix → Resolve

Resolve

  • Verify and land the fix, pay the researcher
    • Make sure the fix actually works… and doesn’t introduce other problems
    • Land it in production… does it break the product? (it happens)
    • Let the researcher know and pay them (if you haven’t already)
SLIDE 22

Day-to-day Operations / Lifecycle of a Submission: Initial Triage → Decision Triage → Fix → Resolve

SLIDE 23

Program Operations Management

  • This process can be as ad hoc or refined as necessary for an org
  • Good software, either built in house or outsourced through a vendor, is critical
  • Operational metrics will define your success and failure
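To make the lifecycle on slides 17 to 23 concrete, here is an added example (not code from the talk or from NCC Group) of the kind of tracker the "good software" bullet refers to: a submission moves through Initial Triage, Decision Triage, Fix and Resolve, illegal transitions are refused, and the operational metrics that decide "success and failure" are computed from the timestamps. The stage names come from the slides; the noise-closing states, the allowed transitions, the metric definitions, the 72-hour SLA and the five sample reports are assumptions made for illustration.

```python
"""Submission-lifecycle tracker with operational metrics for a bug bounty program.

Added example, not code from the talk. Stage names follow the slides
(Initial Triage -> Decision Triage -> Fix -> Resolve); the noise states,
transition rules, metric definitions, SLA and sample records are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median

STAGES = ("initial_triage", "decision_triage", "fix", "resolve")
# Terminal states for reports that triage filters out as noise (assumption).
NOISE = ("invalid", "duplicate", "out_of_scope")

# Triage stages may close a report as noise; otherwise a report only moves
# forward, and nothing leaves a terminal state (assumption).
TRANSITIONS = {
    "initial_triage": {"decision_triage", *NOISE},
    "decision_triage": {"fix", *NOISE},
    "fix": {"resolve"},
}


def transition_allowed(current: str, new: str) -> bool:
    return new in TRANSITIONS.get(current, set())


@dataclass
class Submission:
    ident: str
    received: datetime
    award_usd: int = 0
    history: list = field(default_factory=list)  # (timestamp, stage), oldest first

    def __post_init__(self):
        # Every report enters Initial Triage the moment it is received.
        self.history.append((self.received, "initial_triage"))

    @property
    def stage(self) -> str:
        return self.history[-1][1]

    @property
    def is_open(self) -> bool:
        return self.stage not in ("resolve", *NOISE)

    def advance(self, new_stage: str, when: datetime) -> "Submission":
        """Move to new_stage, refusing illegal or backwards-in-time transitions."""
        if not transition_allowed(self.stage, new_stage):
            raise ValueError(f"{self.ident}: {self.stage} -> {new_stage} is not allowed")
        if when < self.history[-1][0]:
            raise ValueError(f"{self.ident}: timestamps must not go backwards")
        self.history.append((when, new_stage))
        return self

    def reached(self, stage: str):
        """Timestamp at which the report entered stage, or None."""
        return next((ts for ts, s in self.history if s == stage), None)

    def first_decision(self):
        """Timestamp of the Initial Triage decision (forwarded or closed), or None."""
        return self.history[1][0] if len(self.history) > 1 else None


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def median_hours_to_first_decision(subs):
    vals = [_hours(s.first_decision() - s.received) for s in subs if s.first_decision() is not None]
    return median(vals) if vals else None


def median_hours_to_resolve(subs):
    vals = [_hours(s.reached("resolve") - s.received) for s in subs if s.reached("resolve") is not None]
    return median(vals) if vals else None


def noise_ratio(subs):
    """Share of triaged reports that Initial Triage closed as noise."""
    decided = [s for s in subs if s.first_decision() is not None]
    noise = [s for s in decided if s.history[1][1] in NOISE]
    return len(noise) / len(decided) if decided else None


def overdue(subs, now: datetime, sla_hours: float):
    """Idents of still-open reports older than the SLA (SLA value is an assumption)."""
    return [s.ident for s in subs if s.is_open and _hours(now - s.received) > sla_hours]


def total_awarded(subs) -> int:
    return sum(s.award_usd for s in subs if s.stage == "resolve")


# Constructed sample data: five reports received on 1 March 2018 (assumption).
T0 = datetime(2018, 3, 1, 9, 0)
SAMPLE_NOW = T0 + timedelta(hours=100)


def sample_program():
    h = timedelta(hours=1)
    s1 = (Submission("BB-1", T0, award_usd=1500)
          .advance("decision_triage", T0 + 4 * h)
          .advance("fix", T0 + 30 * h)
          .advance("resolve", T0 + 90 * h))
    s2 = Submission("BB-2", T0 + 2 * h).advance("duplicate", T0 + 3 * h)
    s3 = Submission("BB-3", T0 + 5 * h).advance("invalid", T0 + 10 * h)
    s4 = (Submission("BB-4", T0 + 8 * h)
          .advance("decision_triage", T0 + 20 * h)
          .advance("fix", T0 + 50 * h))       # fix still in progress
    s5 = Submission("BB-5", T0 + 9 * h)     # nobody has looked at it yet
    return [s1, s2, s3, s4, s5]


def report(subs, now, sla_hours=72):
    return {
        "median_hours_to_first_decision": median_hours_to_first_decision(subs),
        "median_hours_to_resolve": median_hours_to_resolve(subs),
        "noise_ratio": noise_ratio(subs),
        "overdue": overdue(subs, now, sla_hours),
        "total_awarded_usd": total_awarded(subs),
    }


if __name__ == "__main__":
    for key, value in report(sample_program(), SAMPLE_NOW).items():
        print(f"{key}: {value}")
```

Two design points matter in practice: the transition table is what keeps a help-desk-style triager from "resolving" something that never went through Decision Triage, and the noise ratio is computed from Initial Triage decisions only, so it measures how much filtering that stage actually does rather than how many reports the whole program rejects.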

SLIDE 24

The component parts of these programs: Legal, Public Relations, Daily Ops, Engineering Partnerships, Award Payouts

SLIDE 25

Legal

  • Clear lines of communication and expectations with corporate legal teams
  • Contract law
    • EULA: exempt whitehats, precise carve-outs, or fully require adherence?
    • Program-unique terms
  • Criminal law and legal safe harbors
    • USA: CFAA, DMCA
    • UK: CMA
  • Corporate compliance
    • Data privacy: GDPR, Privacy Shield, etc.
    • Sanctions and anti-terrorism: various US and EU lists
    • Diversity and anti-corruption: checks for verifying corporate policies
SLIDE 26

SLIDE 27

Public Relations / Communications

“You’re the only engineers that regularly speak officially on behalf of the company that don’t have time to clear every word with PR first.”

  • Melanie Ensign (@imeluny)
SLIDE 28

Public Relations / Communications

  • Communications training for engineers and PMs
  • Build a library of templated responses
  • Consensus on when to escalate internally and when to escalate to the Comms team

SLIDE 29

Engineering Partnerships

Partners: Product Management, Software Engineering, Corporate IT

SLIDE 30

Engineering Partnerships

Product Management
  • Coordinating scope changes with the product roadmap
  • Thoughtful prioritization of low/mid severity bugs

Software Engineering
  • Software security education
  • Very specific scope considerations

Corporate IT
  • Managing potential false positives on sensors
  • This is Expert Mode bug bounty

SLIDE 31

Paying out awards

  • What?
  • How much should you pay?
  • How?
    • PayPal, Payoneer, Bitcoin, Wire Transfer, Airline Points (United), Gift Cards?
  • Taxes!
    • Withhold income tax?
    • Require W-8s?
SLIDE 32

The component parts of these programs: Legal, Public Relations, Daily Ops, Engineering Partnerships, Award Payouts

SLIDE 33

“Ok, now what?”

SLIDE 34

Why this is worth it

  • With good relationships, leveraging researchers will enable you to scale your security team
  • Think of it like QA: dozens of good testers will find more bugs than just 2 or 3 excellent testers
  • Traditional pen tests are only accurate for a point in time; bug bounty testing is continuous

SLIDE 35

Where this fits

  • Products should have a security architecture review and a traditional source-code-enabled pen test before considering bug bounty
  • A small, private bug bounty is a great, safe way to give top hackers access to a product first before launching an open bounty
  • Recurring source-code-enabled pen tests to find deep, complex vulnerabilities

SLIDE 36

About those hacker parties…

SLIDE 37

SLIDE 38

Questions?

Adam Ruddermann

Practice Director, Bug Bounty Services

Email: rudd@nccgroup.trust Twitter: @adamruddermann