running a bug bounty program
play

Running a Bug Bounty Program What you need to know Shpend TU - - PowerPoint PPT Presentation

Dec 09, 2023 •25 likes •365 views

Running a Bug Bounty Program What you need to know Shpend TU - Master in Software Engineering Senior AppSec Engineer & Team Lead @ Bugcrowd Bug bounty Hunter Video Games Bsides Vienna 2016 Agenda What & Why

  1. Running a Bug Bounty Program What you need to know

  2. Shpend TU - Master in Software Engineering ● Senior AppSec Engineer & Team Lead @ Bugcrowd ● Bug bounty Hunter ● Video Games ● Bsides Vienna 2016

  3. Agenda ● What & Why ● Pre-launch ● Post-Launch ● Notable findings Bsides Vienna 2016

  4. Bug Bounty Programs

  5. Audience survey: Do you know what Bug Bounty means? Bsides Vienna 2016 Source (Hyperbole and a Half)

  6. The History of Bug Bounties: Abbreviated Timeline from 1995 to Present

  7. Why? Bsides Vienna 2016

  8. Should I invite random people to hack on my systems? Bsides Vienna 2016 Source (Hyperbole and a Half)

  9. Benefits to running a Bug Bounty Program Lots of Eyes ● Pay for results model ● Shows a more advanced security posture ● Better reputation ● Bsides Vienna 2016 Source (ESRB)

  10. Case Study: Instructure 2013 (Pentest) 2014 (Bug Bounty) 2015 (Bug Bounty) Critical 0 0 0 High 1 25 3 Medium 1 8 2 Low 2 16 5 https://www.canvaslms.com/security Bsides Vienna 2016 Source (Canvas)

  11. Who are these people? All ages ● All levels of experience & skillsets ● All over the world ● Users and and non-users ● Passionate about security! ● Bsides Vienna 2016 Source (ESRB)

  12. Researcher Incentive Cash! ● Reputation (Hall of Fame) ● Ranking (platforms) ● Passionate about security! ● Bsides Vienna 2016 Source (ESRB)

  13. The Value of Crowdsourced Testing Bsides Vienna 2016 Source (RedTeam Pentesting)

  14. How? Bsides Vienna 2016

  15. Before and After Pre-Launch as a Program Owner Post-Launch as a Program Owner ● ● Scope Handling Submissions (Manpower) ○ ○ Exclusions Communicating Effectively ○ ○ Environment Defining a Vulnerability Rating Taxonomy ○ ○ Access ○ Bsides Vienna 2016

  16. “Make a change, pay the researcher.” Bsides Vienna 2016 Source (Get A Life)

  17. Pre-Launch

  18. Scope Define target(s). ● Only webapp (www.example.com) ○ All subdomains (careful) (*.example.com) ○ All products & acquisitions (more careful) ○ Mobile? (Android, iOS, Windows Phone? j/k) ○ Human & physical ○ Bsides Vienna 2016 Source (Accurate Shooter)

  19. Scope Define non/rewardable findings ● No security impact (Logout csrf) ○ Best practice (Session management) ○ Full/partial poc? (XXE, SSRF,SQLI) ○ Define reward range ● Min and Max ○ Table based on vuln types ○ Define Disclosure ● Allowed or not ○ Bsides Vienna 2016 Source (Accurate Shooter)

  20. Exclusions You might not care about: ● (Low-impact) “low hanging fruit” ○ Intended functionality ○ Known issues (call out!) ○ Accepted risks ○ Issues based on pivoting ○ Bsides Vienna 2016 Source (Meme Generator)

  21. Environment Production vs. staging ● Make sure it can stand up to testing! ● Scanners ○ Contact forms ○ Pentesting requests ○ Special bounty types ● IoT/devices ○ Researcher environments ● Bsides Vienna 2016 Source (The Daily Mail)

  22. Access Easier = better (self-signup) ● Provide adequate resources for success ● E.g. sandbox credit cards ○ No shared credentials ● Bsides Vienna 2016 Source (Demotivation)

  23. Post-Launch

  24. Be Prepared ● High volume of submissions ● Scanners Manpower ● ● Communication Bsides Vienna 2016 Source (Meme Generator)

  25. Tips: Triage submissions ● Work oldest to newest ● Push back if unclear (ask more info) Tag valid findings ● ● Experience -> faster triage Bsides Vienna 2016 Source (Meme Generator)

  26. Tips: Triage submissions efficiently ● Check Domain/Bug for in scope ● Have multiple browsers ready ● Check for duplicates ● Keep burp open (you’ll need it) Reproduce (Replication steps) Have environment ready (XXE oob via ftp) ● ● ● Have accounts (with diff roles) ready ● Keep scope handy Bsides Vienna 2016 Source (Meme Generator)

  27. Communication is Key Researchers like: ● Concise, unambiguous responses ○ ESL ■ Short response time ○ Predictable reward time ○ Communicate issue being looked at ● Reply to researcher questions. ● Bsides Vienna 2016 Source (Profielwekstuk)

  28. Define a Vulnerability Rating Taxonomy For program owners: ● Speeds up triage process ○ Track your organization’s security posture ○ Arrive at a reward amount more quickly ○ For researchers: ● Focus on high-value bugs ○ Avoid wasting time on non-rewardable bugs ○ Alongside brief, helps build trust ○ Bsides Vienna 2016

  29. Discuss the VRT at a Roundtable Priority will change as your organization does ● Establish a regular meeting ● Review interesting bugs ○ Discuss additions ○ Propose changes ○ This is an ongoing process! ● Great learning opportunity ● Bsides Vienna 2016 Source (Wikipedia)

  30. Notable Findings

  31. Kernel Panic 2 Remote BoF kernel level (Cifs/NSF) ● Found in custom kernel modules ● Rewarded $10k each ● Timeframe: 2 weeks ● Bsides Vienna 2016 Source (Meme Generator)

  32. “You can’t see me” exposed! POS tablet (Android) ● Shipped to researchers for testing ● Winner takes all ($15k) ● Hacked via flashing ● Bonus bug: admin backdoor ● Bsides Vienna 2016 Source (Meme Generator)

  33. Login as anyone SSO available for setup ● Domain no verified ● Attacker set ups SSO ● Attacker adds ANY email address in their ● SSO account Attacker available to login using that email ● address Reward: $10k ● Bsides Vienna 2016 Source (Meme Generator)

  34. Thanks! Shpend Kurtishaj me@shpendk.com @shpendk Source (xkcd)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Running a bug bounty Crowdsourcing security Collin Greene Also known as.. What is a bug bounty

Running a bug bounty Crowdsourcing security Collin Greene Also known as.. What is a bug bounty

Running a bug bounty Crowdsourcing security Collin Greene Also known as.. What is a bug bounty program Essentially bribing strangers to tell us their facebook 0days Sometimes blows up in our face, most of time works pretty well

841 views • 25 slides
Running a Bug Bounty Program Adam Ruddermann 15 March 2018 IIA / ISACA / ACFE Joint Spring

Running a Bug Bounty Program Adam Ruddermann 15 March 2018 IIA / ISACA / ACFE Joint Spring

Running a Bug Bounty Program Adam Ruddermann 15 March 2018 IIA / ISACA / ACFE Joint Spring Training Event Bug bounty? Responsible disclosure? Huh? Huh? Security Researchers Whitehats (Optional) The Hackers company

425 views • 38 slides
Running a Bug Bounty Program for your registry or registrar Gavin Brown, CTO, CentralNic Group

Running a Bug Bounty Program for your registry or registrar Gavin Brown, CTO, CentralNic Group

Running a Bug Bounty Program for your registry or registrar Gavin Brown, CTO, CentralNic Group PLC ICANN 63, Barcelona Introduction CentralNic Group PLC includes 4 registries and 5 registrars: CentralNic OpenRegistry KSRegistry SK-NIC TLD

411 views • 13 slides
2012 Bounty Rewards Program Program Theme Expose Bounty Accounts to our outstanding products and

2012 Bounty Rewards Program Program Theme Expose Bounty Accounts to our outstanding products and

2012 Bounty Rewards Program Program Theme Expose Bounty Accounts to our outstanding products and services that differentiates Kaman Industrial Technologies from our competitors. Program Overview Goal: Increase account penetration

186 views • 7 slides
Data Driven Bug Bounty Arkadiy Tetelman (@arkadiyt) Agenda Program logistics @ Twitter,

Data Driven Bug Bounty Arkadiy Tetelman (@arkadiyt) Agenda Program logistics @ Twitter,

Data Driven Bug Bounty Arkadiy Tetelman (@arkadiyt) Agenda Program logistics @ Twitter, Airbnb Running a data driven program Methodology Questions Program Logistics - Twitter Single public program Soft launch

930 views • 20 slides
BOUNTY M MINING LTD TD (A (ASX:B2Y) BOUNTY MINING LIMITED ACN 107 411 067 SUITE 301, 66

BOUNTY M MINING LTD TD (A (ASX:B2Y) BOUNTY MINING LIMITED ACN 107 411 067 SUITE 301, 66

BOUNTY M MINING LTD TD (A (ASX:B2Y) BOUNTY MINING LIMITED ACN 107 411 067 SUITE 301, 66 HUNTER STREET, SYDNEY NSW 2000, AUSTRALIA TELEPHONE: +61 417 654 090 WWW.BOUNTY.COM.AU 14 TH JUNE 2018 DISCLAIMER This investor Presentation

322 views • 16 slides
Organizing a BUG Bounty program GetClouder Marian Marinov < mm@1h.com > GetClouder

Organizing a BUG Bounty program GetClouder Marian Marinov < mm@1h.com > GetClouder

Organizing a BUG Bounty program GetClouder Marian Marinov < mm@1h.com > GetClouder Organizing a BUG Bounty program What will I tell you? Why? How? The most interesting thing by now GetClouder Organizing a BUG Bounty program Why?

382 views • 7 slides
What does it take to run a bug bounty program? Typical problems and practical solutions ANTON

What does it take to run a bug bounty program? Typical problems and practical solutions ANTON

What does it take to run a bug bounty program? Typical problems and practical solutions ANTON BLACK | GRADUATE SECURITY ENGINEER | ABLACK@ATLASSIAN.COM 1 Wait, who are you Was software engineer, Arteest now at least 50% cyber 2

540 views • 42 slides
Bounty Oil and Gas NL Presentation to: Excellence in Oil and Gas March 11 12, 2014 ASX

Bounty Oil and Gas NL Presentation to: Excellence in Oil and Gas March 11 12, 2014 ASX

Bounty Oil and Gas NL Presentation to: Excellence in Oil and Gas March 11 12, 2014 ASX Code: BUY Philip F Kelso - CEO Cooper Basin - Drilling Utopia 14 Bounty Oil & Gas NL Major Growth Projects with Production Base 2013

239 views • 19 slides
Welcome to the running start information session. This presentation will give an overview of the

Welcome to the running start information session. This presentation will give an overview of the

Welcome to the running start information session. This presentation will give an overview of the running start program, other options for earning college credit while in high school, and how students can access the running start program. Running

416 views • 23 slides
Bounty Oil and Gas NL Presentation to: Energy, Oil and Gas Investor Summit March 17 18, 2015

Bounty Oil and Gas NL Presentation to: Energy, Oil and Gas Investor Summit March 17 18, 2015

Bounty Oil and Gas NL Presentation to: Energy, Oil and Gas Investor Summit March 17 18, 2015 ASX Code: BUY Philip F Kelso - CEO Gas Plant Songo Songo Island Bounty Oil & Gas NL Major Growth Projects with Production Base Recent

334 views • 19 slides
Running Time Why do we need to analyze the running Algorithm/Running Time Analysis time of a

Running Time Why do we need to analyze the running Algorithm/Running Time Analysis time of a

Running Time Why do we need to analyze the running Algorithm/Running Time Analysis time of a program? Option 1: Run the program and time it Why is this option bad? What can we do about it? Pseudo-Code Math Review Used

329 views • 3 slides
Bounty Oil & Gas NL Annual General Meeting 27 November 2013 CEOs Report Philip F Kelso

Bounty Oil & Gas NL Annual General Meeting 27 November 2013 CEOs Report Philip F Kelso

Bounty Oil & Gas NL Annual General Meeting 27 November 2013 CEOs Report Philip F Kelso Highlights Australia Bounty has successfully delineated and de-risked the Azalea Prospect in AC/P 32 (BUY 100%) Timor Sea, ready for farmout

552 views • 19 slides
Lessons of the Bounty: Drawing Experience from Tragedy Captain G. Andy Chase Professor of Marine

Lessons of the Bounty: Drawing Experience from Tragedy Captain G. Andy Chase Professor of Marine

Lessons of the Bounty: Drawing Experience from Tragedy Captain G. Andy Chase Professor of Marine Transportation Maine Maritime Academy At first glance, the Bounty tragedy was a simple disaster. One bad decision took a vessel straight into

215 views • 6 slides
The Rules of Engagement for Bug Bounty Programs Aron Laszka 1 , Mingyi Zhao 2 , Akash Malbari

The Rules of Engagement for Bug Bounty Programs Aron Laszka 1 , Mingyi Zhao 2 , Akash Malbari

The Rules of Engagement for Bug Bounty Programs Aron Laszka 1 , Mingyi Zhao 2 , Akash Malbari 3 , and Jens Grossklags 4 1 University of Houston 2 Snap Inc. 3 Pennsylvania State University 4 Technical University of Munich 1 Bug-Bounty

553 views • 23 slides
Image Sharpening Example Running a simple parallel program Aims (i) To familiarise yourself

Image Sharpening Example Running a simple parallel program Aims (i) To familiarise yourself

Image Sharpening Example Running a simple parallel program Aims (i) To familiarise yourself with running parallel programs To run a real parallel code (that does file I/O) on different numbers of cores measure the time

700 views • 11 slides
Enter Hydra towards (more) secure smart contracts Philip Daian, Ari Juels Cornell [Tech] .

Enter Hydra towards (more) secure smart contracts Philip Daian, Ari Juels Cornell [Tech] .

Enter Hydra towards (more) secure smart contracts Philip Daian, Ari Juels Cornell [Tech] . Lorenz Breidenbach ETH Zurich, Cornell [Tech] . Florian Tramer . Stanford . Smart Contract Security - The Prongs Formal Verification (+Specification)

960 views • 28 slides
Tcl Bounties November 16, 2016 Tcl Bounties FlightAware is offering a number of bounties for

Tcl Bounties November 16, 2016 Tcl Bounties FlightAware is offering a number of bounties for

Tcl Bounties November 16, 2016 Tcl Bounties FlightAware is offering a number of bounties for various enhancements, fixes, etc, for Tcl and/or Tcl extensions Donal referred to this as a series of Grand Challenges. Recognizing a golden

394 views • 27 slides
1 For the love of money is a root of all kinds of evils. It is through this craving that some

1 For the love of money is a root of all kinds of evils. It is through this craving that some

COUNTING IT ALL GARBAGE Part 5: Spending - 05.16.10 PLAY Count It All Play: Count It All Garbage Video Clip [2:00] Garbage {2:00] Intro: We re now into part 5 of this sermon series. Garbage is anything that comes between us and

659 views • 4 slides
Ramping up Security at an open-source startup Lukas Reschke whois lukas@cloud.wtf owncloud.org

Ramping up Security at an open-source startup Lukas Reschke whois lukas@cloud.wtf owncloud.org

Ramping up Security at an open-source startup Lukas Reschke whois lukas@cloud.wtf owncloud.org 2 whois lukas@owncloud.com 1/31/16 3 Not much other hobbies Fixed a lot of stuff Employed since 2014 Contributor since 2012 1/31/16 4 The

606 views • 56 slides
Part 3 Customer Relationship Management (CRM) Resource Person MATHISHA HEWAVITHARANA MBA

Part 3 Customer Relationship Management (CRM) Resource Person MATHISHA HEWAVITHARANA MBA

Part 3 Customer Relationship Management (CRM) Resource Person MATHISHA HEWAVITHARANA MBA (Col),BBA Sp.Mktng (Col), PPG DIP. In Mktng (UK), MCIM (UK), Chartered Marketer (UK), Practicing Marketer (SL), ACMA, CGMA CIMA (UK), DBF (IBSL),

512 views • 30 slides
Kotler Keller Marketing Management 14e Creating Long-term Loyalty Relationships

Kotler Keller Marketing Management 14e Creating Long-term Loyalty Relationships

Phillip Kevin Lane Kotler Keller Marketing Management 14e Creating Long-term Loyalty Relationships Discussion Questions 1. What are customer value, satisfaction, and loyalty, and how can companies deliver them? 2. What is the lifetime

2.16k views • 43 slides
Chapter 1 Overview of marketing Core aspects of Marketing Marketing is about creating value for

Chapter 1 Overview of marketing Core aspects of Marketing Marketing is about creating value for

Chapter 1 Overview of marketing Core aspects of Marketing Marketing is about creating value for consumers Is about Affects satisfying many consumer needs entities Marketing Performed both by Entails an individuals and exchange

456 views • 23 slides
Today we will Spark your imagination Think across roles and functions Share

Today we will Spark your imagination Think across roles and functions Share

Today we will Spark your imagination Think across roles and functions Share campus-wide goals for lifelong learning 2 How do we raise lifelong learning up to our current teaching and research levels? Research & Scholarship

683 views • 20 slides

More recommend