What does it take to run a bug bounty program? Typical problems and practical solutions - PowerPoint PPT Presentation



SLIDE 1

What does it take to run a bug bounty program? Typical problems and practical solutions

ANTON BLACK | GRADUATE SECURITY ENGINEER | ABLACK@ATLASSIAN.COM
SLIDE 2

Wait, who are you¿

Was software engineer, now at least 50% cyber Arteest™
SLIDE 3

“You should run a bug bounty!”

— everyone, probably
SLIDE 4

Generally considered a Good Idea

Google, Reddit, Facebook, Microsoft, Apple, Valve, Fitbit, Mastercard, Netgear, Avast, DigitalOcean, Android (and others)
SLIDE 5

Agenda

1) Bug bounty considered beneficial
2) Challenges and mitigations
3) Summary
SLIDE 6

A FORMAL PROGRAM WHERE:

  • 1. Researchers tell you about security bugs in your software
  • 2. You pay them for their efforts
SLIDE 7

People will attack your software anyway

A bounty lets it happen on your own terms
SLIDE 8

Tap into international talent

Bounty hunters can work anywhere in the world
SLIDE 9

Tap into specialist talent

Bounty hunters often specialize in some platform, tool, or framework
SLIDE 10

Meet security standards

Certifications ask for “vulnerability testing”, “penetration testing”
SLIDE 11

More secure products

Your products have measurably fewer bugs
SLIDE 12

👎

SLIDE 13

BUT THERE ARE CHALLENGES
SLIDE 14

Agenda

1) Bug bounty considered beneficial
2) Challenges and mitigations
3) Summary
SLIDE 15

Choosing a platform

  • Use an existing bug bounty platform (STRONGLY RECOMMENDED)
  • Or roll your own
SLIDES 16–18

You don’t have experience with bug bounties.

  • Limit initial reports
  • Make a shared chatroom/forum for bounty staff to ask each other for help
SLIDES 19–20

$$$

When should we increase the bounty?

Pull data from your platform:
  • # critical bugs found in the last 90 days
  • Flow rate (is the dev team overwhelmed?)
  • Remaining bounty budget (can you afford it?)
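The three inputs on the slide above, turned into a small decision helper. This is an added example, not code from the talk or from Atlassian's program: the thresholds (`min_criticals`, `max_open_ratio`, `min_budget`) and the sample report data are constructed assumptions, and a real program would pull the report list from its platform's API.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Report:
    submitted: date
    severity: str                    # "critical", "high", "medium", "low" or "invalid"
    resolved: Optional[date] = None  # None while the dev team still has it open
    payout: int = 0                  # amount already paid; 0 for invalid or unpaid reports

def critical_last_90_days(reports, today):
    """Slide input 1: how many critical bugs the program surfaced in the last 90 days."""
    cutoff = today - timedelta(days=90)
    return sum(1 for r in reports if r.severity == "critical" and r.submitted >= cutoff)

def flow_rate(reports, today, window_days=30):
    """Slide input 2: valid reports submitted in the window vs. how many of them are closed."""
    cutoff = today - timedelta(days=window_days)
    submitted = [r for r in reports if r.severity != "invalid" and r.submitted >= cutoff]
    resolved = [r for r in submitted if r.resolved is not None and r.resolved <= today]
    return len(submitted), len(resolved)

def assess_bounty_increase(reports, budget_remaining, today,
                           min_criticals=3, max_open_ratio=0.5, min_budget=10_000):
    """Combine the three inputs; thresholds are assumed defaults, tune them to your program."""
    criticals = critical_last_90_days(reports, today)
    submitted, resolved = flow_rate(reports, today)
    open_ratio = (submitted - resolved) / submitted if submitted else 0.0
    blockers = []
    if criticals >= min_criticals:
        blockers.append("still finding criticals at the current rate")   # no need to raise yet
    if open_ratio > max_open_ratio:
        blockers.append("dev team is behind on open reports")            # raising would flood them
    if budget_remaining < min_budget:
        blockers.append("remaining budget too small")                    # cannot afford it
    return {"criticals_90d": criticals, "open_ratio": round(open_ratio, 2),
            "budget_remaining": budget_remaining, "raise": not blockers, "blockers": blockers}

# Constructed sample data, not real program figures.
TODAY = date(2018, 6, 30)
SAMPLE_REPORTS = [
    Report(date(2018, 6, 20), "critical"),                          # still open
    Report(date(2018, 5, 5), "high", date(2018, 5, 20), 1500),
    Report(date(2018, 6, 10), "medium", date(2018, 6, 25), 300),
    Report(date(2018, 6, 12), "invalid", date(2018, 6, 13)),
    Report(date(2018, 2, 1), "critical", date(2018, 2, 14), 5000),  # outside the 90-day window
    Report(date(2018, 6, 28), "low"),                               # still open
]
```

With this sample the helper refuses to raise the bounty because two of the three valid reports from the last 30 days are still open, even though budget and critical count would allow it.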
SLIDE 21

$$$

Our payout calculator
SLIDES 22–24

A huge proportion of all incoming bug reports are invalid.

FY18 bug reports (chart): Invalid 82%, Paid out 18%

  • Choose a bounty platform which offers filtering services
  • Bounty briefing page is your first line of defence
SLIDES 25–27

Communication fatigue

  • Use standard responses
  • Check bonus content for more ideas and situations

e.g. Bug resolved

Hi <researcher>,

Thank you for your report to our bug bounty program. The issue has been fixed by the development team and should reach production soon. If you can still reproduce the issue in 2 weeks from today, please let us know and we can investigate further.

Thank you for your continued efforts toward our bug bounty program.
SLIDES 30–32

Decision fatigue

  • Make a shared page for procedures and protocols
  • Every time you have to make a judgement call, update the docs to cover it
  • FLOWCHARTS 👍

e.g. “How do you handle a Critical bug?”
SLIDES 33–35

You’re dependent on a small group of researchers.

  • Increasing the bounty ≠ more researchers
  • Advertise and hold hacking events
SLIDES 36–37

Boring, repetitive admin tasks

  • Choose a platform with an API
  • Make the robots do it for you
SLIDE 38

Agenda

1) Bug bounty considered beneficial
2) Challenges and mitigations
3) Summary
SLIDE 39

Run a bug bounty!

👎
SLIDE 40

Choosing your platform:
  • Control via API
  • Filtering services
  • Reports + stats
SLIDE 41

Preventing problems:
  • Document procedures
  • Start small
  • Advertise
  • Use filtering services
  • Automate!
  • Pull data to inform decisions
SLIDE 42

For more, check out the bonus content

Or forward cat pictures to ablack@atlassian.com

ANTON BLACK | GRADUATE SECURITY ENGINEER | ABLACK@ATLASSIAN.COM

Atlassian’s bounty program: bugcrowd.com/atlassian