what does it take to run a bug bounty program
play

What does it take to run a bug bounty program? Typical problems and - PowerPoint PPT Presentation

Oct 20, 2022 •108 likes •540 views

What does it take to run a bug bounty program? Typical problems and practical solutions ANTON BLACK | GRADUATE SECURITY ENGINEER | ABLACK@ATLASSIAN.COM 1 Wait, who are you Was software engineer, Arteest now at least 50% cyber 2

  1. What does it take to run a bug bounty program? Typical problems and practical solutions ANTON BLACK | GRADUATE SECURITY ENGINEER | ABLACK@ATLASSIAN.COM 1

  2. Wait, who are you¿ Was software engineer, Arteest™ now at least 50% cyber 2

  3. “You should run a bug bounty!” — everyone, probably 3

  4. Generally considered a Good Idea Google Reddit Facebook Microsoft Apple Valve Fitbit Mastercard Netgear Avast DigitalOcean Android (and others) 4

  5. 1) Bug bounty considered beneficial 2) Challenges and mitigations Agenda 3) Summary 5

  6. A FORMAL PROGRAM WHERE: 1. Researchers tell you about security bugs in your software 2. You pay them for their efforts 6

  7. People will attack your software anyway A bounty lets it happen on your own terms ✗ ✓ 7

  8. Tap into international talent Bounty hunters can work anywhere in the world 8

  9. Tap into specialist talent Bounty hunters often specialize in some 
 platform, tool, or framework 9

  10. Meet security standards Certifications ask for “vulnerability testing”, “penetration testing” 10

  11. More secure products Your products have measurably fewer bugs 11

  12. 👎 12

  13. BUT THERE ARE CHALLENGES 13

  14. 1) Bug bounty considered beneficial 2) Challenges and mitigations Agenda 3) Summary 14

  15. Choosing a platform • Use an existing bug bounty platform 
 (STRONGLY RECOMMENDED) 
 • Or roll your own 15

  16. You don’t have experience with bug bounties. 16

  17. You don’t have experience with bug bounties. • Limit initial reports 16

  18. You don’t have experience with bug bounties. • Limit initial reports • Make a shared chatroom/forum for bounty staff to ask each other for help 16

  19. When should we increase the bounty? $$$ 17

  20. When should we increase the bounty? $$$ Pull data from your platform : • # critical bugs found in the last 90 days • Flow rate (is the dev team overwhelmed?) • Remaining bounty budget (can you afford it?) 17

  21. Our payout calculator $$$ 18

  22. A huge proportion of all incoming bug reports are invalid. Title Paid out 18% Invalid 82% FY18 bug reports 19

  23. A huge proportion of all incoming bug reports are invalid. Title Paid out • Choose a bounty platform 18% which offers filtering services Invalid 82% FY18 bug reports 19

  24. A huge proportion of all incoming bug reports are invalid. Title Paid out • Choose a bounty platform 18% which offers filtering services • Bounty briefing page is your Invalid first line of defence 82% FY18 bug reports 19

  25. Communication fatigue 20

  26. Communication fatigue • Use standard responses • Check bonus content for more ideas and situations 20

  27. Communication e.g. Bug resolved fatigue Hi <researcher>, Thank you for your report to our bug bounty program. The issue has been fixed by the development team and should reach production soon. • Use standard responses If you can still reproduce the issue in 2 weeks from today, please let • Check bonus content for more us know and we can investigate further. ideas and situations Thank you for your continued efforts toward our bug bounty program. 20

  30. Decision fatigue 23

  31. Decision fatigue • Make a shared page for procedures and protocols • Every time you have to make a judgement call, update the docs to cover it • FLOWCHARTS 👍 23

  32. e.g. “How do you handle a Critical bug?” Decision fatigue • Make a shared page for procedures and protocols • Every time you have to make a judgement call, update the docs to cover it • FLOWCHARTS 👍 23

  33. You’re dependent on a small group of researchers. 24

  34. You’re dependent on a small group of researchers. 24

  35. You’re dependent on a small group of researchers. • Increasing the bounty ≠ more researchers 
 • Advertise and hold hacking events 24

  36. Boring, repetitive admin tasks 25

  37. Boring, repetitive admin tasks • Choose a platform with an API • Make the robots do it for you 25

  38. 1) Bug bounty considered beneficial 2) Challenges and mitigations Agenda 3) Summary 26

  39. Run a bug bounty! 👎 27

  40. Choosing your platform: Filtering Reports + stats Control via services API 28

  41. Preventing problems: Use filtering Document Start small services procedures Pull data to Automate! inform decisions Advertise 29

  42. Atlassian’s bounty program: bugcrowd.com/atlassian For more, check out the bonus content Or forward cat pictures to ablack@atlassian.com ANTON BLACK | GRADUATE SECURITY ENGINEER | ABLACK@ATLASSIAN.COM 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

2012 Bounty Rewards Program Program Theme Expose Bounty Accounts to our outstanding products and

2012 Bounty Rewards Program Program Theme Expose Bounty Accounts to our outstanding products and

2012 Bounty Rewards Program Program Theme Expose Bounty Accounts to our outstanding products and services that differentiates Kaman Industrial Technologies from our competitors. Program Overview Goal: Increase account penetration

186 views • 7 slides
Running a bug bounty Crowdsourcing security Collin Greene Also known as.. What is a bug bounty

Running a bug bounty Crowdsourcing security Collin Greene Also known as.. What is a bug bounty

Running a bug bounty Crowdsourcing security Collin Greene Also known as.. What is a bug bounty program Essentially bribing strangers to tell us their facebook 0days Sometimes blows up in our face, most of time works pretty well

841 views • 25 slides
Running a Bug Bounty Program What you need to know Shpend TU - Master in Software Engineering

Running a Bug Bounty Program What you need to know Shpend TU - Master in Software Engineering

Running a Bug Bounty Program What you need to know Shpend TU - Master in Software Engineering Senior AppSec Engineer &amp; Team Lead @ Bugcrowd Bug bounty Hunter Video Games Bsides Vienna 2016 Agenda What &amp; Why

365 views • 34 slides
BOUNTY M MINING LTD TD (A (ASX:B2Y) BOUNTY MINING LIMITED ACN 107 411 067 SUITE 301, 66

BOUNTY M MINING LTD TD (A (ASX:B2Y) BOUNTY MINING LIMITED ACN 107 411 067 SUITE 301, 66

BOUNTY M MINING LTD TD (A (ASX:B2Y) BOUNTY MINING LIMITED ACN 107 411 067 SUITE 301, 66 HUNTER STREET, SYDNEY NSW 2000, AUSTRALIA TELEPHONE: +61 417 654 090 WWW.BOUNTY.COM.AU 14 TH JUNE 2018 DISCLAIMER This investor Presentation

322 views • 16 slides
Running a Bug Bounty Program Adam Ruddermann 15 March 2018 IIA / ISACA / ACFE Joint Spring

Running a Bug Bounty Program Adam Ruddermann 15 March 2018 IIA / ISACA / ACFE Joint Spring

Running a Bug Bounty Program Adam Ruddermann 15 March 2018 IIA / ISACA / ACFE Joint Spring Training Event Bug bounty? Responsible disclosure? Huh? Huh? Security Researchers Whitehats (Optional) The Hackers company

425 views • 38 slides
Organizing a BUG Bounty program GetClouder Marian Marinov &lt; mm@1h.com &gt; GetClouder

Organizing a BUG Bounty program GetClouder Marian Marinov &lt; mm@1h.com &gt; GetClouder

Organizing a BUG Bounty program GetClouder Marian Marinov &lt; mm@1h.com &gt; GetClouder Organizing a BUG Bounty program What will I tell you? Why? How? The most interesting thing by now GetClouder Organizing a BUG Bounty program Why?

382 views • 7 slides
Bounty Oil and Gas NL Presentation to: Excellence in Oil and Gas March 11 12, 2014 ASX

Bounty Oil and Gas NL Presentation to: Excellence in Oil and Gas March 11 12, 2014 ASX

Bounty Oil and Gas NL Presentation to: Excellence in Oil and Gas March 11 12, 2014 ASX Code: BUY Philip F Kelso - CEO Cooper Basin - Drilling Utopia 14 Bounty Oil &amp; Gas NL Major Growth Projects with Production Base 2013

239 views • 19 slides
Data Driven Bug Bounty Arkadiy Tetelman (@arkadiyt) Agenda Program logistics @ Twitter,

Data Driven Bug Bounty Arkadiy Tetelman (@arkadiyt) Agenda Program logistics @ Twitter,

Data Driven Bug Bounty Arkadiy Tetelman (@arkadiyt) Agenda Program logistics @ Twitter, Airbnb Running a data driven program Methodology Questions Program Logistics - Twitter Single public program Soft launch

930 views • 20 slides
Running a Bug Bounty Program for your registry or registrar Gavin Brown, CTO, CentralNic Group

Running a Bug Bounty Program for your registry or registrar Gavin Brown, CTO, CentralNic Group

Running a Bug Bounty Program for your registry or registrar Gavin Brown, CTO, CentralNic Group PLC ICANN 63, Barcelona Introduction CentralNic Group PLC includes 4 registries and 5 registrars: CentralNic OpenRegistry KSRegistry SK-NIC TLD

411 views • 13 slides
Bounty Oil and Gas NL Presentation to: Energy, Oil and Gas Investor Summit March 17 18, 2015

Bounty Oil and Gas NL Presentation to: Energy, Oil and Gas Investor Summit March 17 18, 2015

Bounty Oil and Gas NL Presentation to: Energy, Oil and Gas Investor Summit March 17 18, 2015 ASX Code: BUY Philip F Kelso - CEO Gas Plant Songo Songo Island Bounty Oil &amp; Gas NL Major Growth Projects with Production Base Recent

334 views • 19 slides
Bounty Oil &amp; Gas NL Annual General Meeting 27 November 2013 CEOs Report Philip F Kelso

Bounty Oil &amp; Gas NL Annual General Meeting 27 November 2013 CEOs Report Philip F Kelso

Bounty Oil &amp; Gas NL Annual General Meeting 27 November 2013 CEOs Report Philip F Kelso Highlights Australia Bounty has successfully delineated and de-risked the Azalea Prospect in AC/P 32 (BUY 100%) Timor Sea, ready for farmout

552 views • 19 slides
Lessons of the Bounty: Drawing Experience from Tragedy Captain G. Andy Chase Professor of Marine

Lessons of the Bounty: Drawing Experience from Tragedy Captain G. Andy Chase Professor of Marine

Lessons of the Bounty: Drawing Experience from Tragedy Captain G. Andy Chase Professor of Marine Transportation Maine Maritime Academy At first glance, the Bounty tragedy was a simple disaster. One bad decision took a vessel straight into

215 views • 6 slides
The Rules of Engagement for Bug Bounty Programs Aron Laszka 1 , Mingyi Zhao 2 , Akash Malbari

The Rules of Engagement for Bug Bounty Programs Aron Laszka 1 , Mingyi Zhao 2 , Akash Malbari

The Rules of Engagement for Bug Bounty Programs Aron Laszka 1 , Mingyi Zhao 2 , Akash Malbari 3 , and Jens Grossklags 4 1 University of Houston 2 Snap Inc. 3 Pennsylvania State University 4 Technical University of Munich 1 Bug-Bounty

553 views • 23 slides
Bounty Oil &amp; Gas NL AGM 28 th November, 2011 Presentation by: Philip F Kelso - CEO

Bounty Oil &amp; Gas NL AGM 28 th November, 2011 Presentation by: Philip F Kelso - CEO

Bounty Oil &amp; Gas NL AGM 28 th November, 2011 Presentation by: Philip F Kelso - CEO DISCLAIMER This presentation contains forward looking statements that are subject to risk factors associated with the oil and gas industry. It is believed

372 views • 25 slides
Bounty Oil and Gas NL Excellence in Oil &amp; Philip F Kelso CEO Sydney, March 2, 2011 Gas

Bounty Oil and Gas NL Excellence in Oil &amp; Philip F Kelso CEO Sydney, March 2, 2011 Gas

Bounty Oil and Gas NL Excellence in Oil &amp; Philip F Kelso CEO Sydney, March 2, 2011 Gas Gas y DIS CLAIMER This presentation contains forward looking statements that are subj ect to risk factors associated with the oil f t i t d

466 views • 15 slides
with { Poking Servers whoami | head WebAppSec Consultant,

with { Poking Servers whoami | head WebAppSec Consultant,

with { Poking Servers whoami | head WebAppSec Consultant, Penetra:on Tester, Bug Bounty Hunter for Google, Facebook, Paypal, Mozilla and other bounty

740 views • 48 slides
Prevalence and Predictors of Burnout Among Hospice and Palliative Care Clinicians: An IDT

Prevalence and Predictors of Burnout Among Hospice and Palliative Care Clinicians: An IDT

Prevalence and Predictors of Burnout Among Hospice and Palliative Care Clinicians: An IDT Perspective Faculty Constance Dahlin, ANP-BC, ACHPN Rich Lamkin, PA-C Consultant, Center to Advance Palliative President Care, New York, NY

819 views • 35 slides
Work Smarter 10 Strategies to Maximize your Time, Attention, and Energy Dr. Mike Doughty

Work Smarter 10 Strategies to Maximize your Time, Attention, and Energy Dr. Mike Doughty

Work Smarter 10 Strategies to Maximize your Time, Attention, and Energy Dr. Mike Doughty Handouts http://instruction.monroe.edu/productivity Password: productivity ticket to leave 3 ways I could improve the content ways I could improve

977 views • 87 slides
Analyzing data using Python Eric Marsden &lt;eric.marsden@risk-engineering.org&gt; The purpose

Analyzing data using Python Eric Marsden &lt;eric.marsden@risk-engineering.org&gt; The purpose

Analyzing data using Python Eric Marsden &lt;eric.marsden@risk-engineering.org&gt; The purpose of computing is insight, not numbers. Richard Hamming data probabilistic model event probabilities consequence model event consequences

730 views • 51 slides
A continuum damage model for creep fracture and fatigue analysis Petteri Kauppila 1 , Reijo Kouhia

A continuum damage model for creep fracture and fatigue analysis Petteri Kauppila 1 , Reijo Kouhia

A continuum damage model for creep fracture and fatigue analysis Petteri Kauppila 1 , Reijo Kouhia 2 , Juha Ojanper a 1 , Timo Saksala 2 , Timo Sorjonen 1 1 Valmet Technologies Oy, P.O. Box 109, FI-33101 Tampere, Finland 2 Tampere University of

429 views • 20 slides
NAPH HCAHPS L e ar ning Ne twor k: Be yond the Basic s Offic e Hour s: Maintaining

NAPH HCAHPS L e ar ning Ne twor k: Be yond the Basic s Offic e Hour s: Maintaining

NAPH HCAHPS L e ar ning Ne twor k: Be yond the Basic s Offic e Hour s: Maintaining Compassionate Car e F e b rua ry 13, 2013 Ja ne Ho o ke r, Ca rrie Bra dy a nd Je ro d a nd She rri L o e b Ag e nda I ntro duc tio ns T he L

326 views • 14 slides
MA MAIN INTAIN ININ ING G HE HEALTHY HY Commonwealth Corps Training PR PROFE FESSIO

MA MAIN INTAIN ININ ING G HE HEALTHY HY Commonwealth Corps Training PR PROFE FESSIO

MA MAIN INTAIN ININ ING G HE HEALTHY HY Commonwealth Corps Training PR PROFE FESSIO SSIONA NAL November 2018 RE RELATIONSHIPS AGENDA Welcome &amp; Introductions Professional Boundaries in Interpersonal Relationships

629 views • 35 slides
HOME SAFETY CONSIDERATIONS FOR INDIVIDUALS WITH PARKINSONS DISEASE: AN OCCUPATIONAL THERAPY

HOME SAFETY CONSIDERATIONS FOR INDIVIDUALS WITH PARKINSONS DISEASE: AN OCCUPATIONAL THERAPY

HOME SAFETY CONSIDERATIONS FOR INDIVIDUALS WITH PARKINSONS DISEASE: AN OCCUPATIONAL THERAPY PERSPECTIVE Dr. Kathleen Stoklosa Nazareth College Occupational Therapy OT Goals Maintain independence, interests, and roles Safety issues

480 views • 25 slides
Maximizing the Meaning of Multimedia: Reader-friendly strategies for your next encounter with

Maximizing the Meaning of Multimedia: Reader-friendly strategies for your next encounter with

Maximizing the Meaning of Multimedia: Reader-friendly strategies for your next encounter with on-screen presentations Elizabeth Chibucos and Leslie Schultz 2013 TypeWell Conference Portland, Oregon; Saturday, April 27 Introduction

418 views • 22 slides

More recommend