Running a Bug Bounty Program Adam Ruddermann 15 March 2018 IIA / ISACA / ACFE Joint Spring Training Event
Bug bounty? Responsible disclosure? Huh?
Huh? The people: “Security Researchers”, “Whitehats”, “Hackers”, “Your children”. The loop: find a security vulnerability in a company; report it to the company and give them time to fix it before telling anyone else; (optional) the company gives a monetary award.
The agenda! - Part 2: Huh? - The component parts of these programs - Where it fits, where it doesn’t - Questions
Adam ‘rudd’ Ruddermann, Practice Director
Who is rudd?
Ok so, back to ‘huh?’
What is ‘responsible disclosure?’ • Researchers make a reasonable effort to contact the organization that can fix the security vulnerability and provide them actionable data about the bug to enable a fix. • Researchers give the organization a reasonable amount of time to fix the bug and distribute it to their customers before disclosing it to anyone else. • CERT/CC: 45 days • Google: 90 days • If the organization does not act in good faith or does not intend to fix the bug, the researcher is reasonably enabled to publicly disclose the unfixed vulnerability.
Clearing the air on terminology. Responsible Disclosure: • Publicly published responsible disclosure rules • Product scope and boundaries • Legal safe harbor provisions • A dedicated channel to submit bugs. Bug Bounty: • Thanks page and/or Hall of Fame • Monetary and/or prize awards
Wait. How did we get here?
The component parts I promise this won’t be too boring
The component parts of these programs: Daily Ops, Legal, Public Relations, Engineering Partnerships, Award Payouts
Day-to-day Operations / Lifecycle of a Submission: Initial Triage → Decision Triage → Fix → Resolve
Lifecycle of a Submission: Initial Triage • Engine room of the cruise ship • Noise filtering • Staff typically do not need to read code or be able to suggest fixes • Unambiguous and well understood final decisions are made here • Feels a lot like a help desk, but is much more technical
Lifecycle of a Submission: Decision Triage • The captain of the ship • The most technical person in the process • Looks deep to understand root causes – including reading code • Usually has day-to-day oversight of how things are going • Everyone is supporting this person
Lifecycle of a Submission: Fix • Working with engineering teams to get it fixed • Step 1: Let the team know • Step 2: Agree on how impactful the vulnerability is • Step 3: Agree on resourcing and timelines • Step 4: Track it!
Lifecycle of a Submission: Resolve • Verify and land the fix, pay the researcher • Make sure the fix actually works… or doesn’t introduce other problems • Land it in production… does it break the product? (it happens) • Let the researcher know and pay them (if you haven’t already)
Program Operations Management • This process can be as ad hoc or refined as necessary for an org • Good software – either built in house or outsourced through a vendor – is critical • Operational metrics will define your success and failure
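To make the four-stage lifecycle and the “operational metrics” point concrete, here is an added example (not from the talk and not NCC Group code) that models submissions moving through Initial Triage, Decision Triage, Fix and Resolve, computes a few metrics a program lead would watch, and flags open valid bugs that have aged past a researcher's disclosure window (45 or 90 days as quoted above). The stage names, metric definitions and sample submissions are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median

# Stages in the order the deck presents them, plus a terminal state for noise.
STAGES = ("received", "initial_triage", "decision_triage", "fix", "resolved", "closed_invalid")

@dataclass
class Submission:
    sid: str
    severity: str                               # agreed at the Fix stage; "n/a" for noise
    events: list = field(default_factory=list)  # (stage, timestamp), appended in order

    def advance(self, stage: str, when: datetime) -> None:
        assert stage in STAGES, f"unknown stage {stage}"
        self.events.append((stage, when))

    def reached(self, stage: str):
        """Timestamp at which the submission entered `stage`, or None."""
        return next((t for s, t in self.events if s == stage), None)

    def days_open(self, now: datetime) -> float:
        """Age until resolved/closed, or until `now` if still open."""
        end = self.reached("resolved") or self.reached("closed_invalid") or now
        return (end - self.reached("received")).total_seconds() / 86400

def program_metrics(subs, now: datetime) -> dict:
    """Constructed metric set: responsiveness, time-to-resolve, noise share."""
    hours = lambda a, b: (b - a).total_seconds() / 3600
    triaged = [s for s in subs if s.reached("initial_triage")]
    fixed = [s for s in subs if s.reached("resolved")]
    noise = [s for s in subs if s.reached("closed_invalid")]
    return {
        "median_hours_to_first_triage": median(hours(s.reached("received"), s.reached("initial_triage")) for s in triaged) if triaged else None,
        "median_days_to_resolve": median(s.days_open(now) for s in fixed) if fixed else None,
        "noise_rate": len(noise) / len(subs) if subs else 0.0,
    }

def disclosure_window_breaches(subs, now: datetime, policy_days: int = 90) -> list:
    """Valid, still-open submissions older than the researcher's disclosure window."""
    return [s.sid for s in subs if s.reached("received") and not s.reached("resolved")
            and not s.reached("closed_invalid") and s.days_open(now) > policy_days]

def build_sample():
    """Three constructed submissions: one fixed, one noise, one stuck in Fix."""
    d = lambda n: datetime(2018, 1, 1) + timedelta(days=n)
    a, b, c = Submission("BB-1", "high"), Submission("BB-2", "n/a"), Submission("BB-3", "medium")
    for st, day in [("received", 0), ("initial_triage", 1), ("decision_triage", 3), ("fix", 5), ("resolved", 20)]:
        a.advance(st, d(day))
    for st, day in [("received", 2), ("initial_triage", 2.5), ("closed_invalid", 2.5)]:
        b.advance(st, d(day))
    for st, day in [("received", 10), ("initial_triage", 12), ("decision_triage", 20), ("fix", 30)]:
        c.advance(st, d(day))
    return [a, b, c], d(120)   # "now" is day 120 of the constructed timeline

if __name__ == "__main__":
    subs, now = build_sample()
    print(program_metrics(subs, now), disclosure_window_breaches(subs, now))
```

Real programs would feed these functions from the ticketing system rather than hand-built events; the point is that each stage transition is timestamped so the metrics fall out of the data.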
Legal • Clear lines of communications and expectations with corporate legal teams • Contract law: EULA – exempt whitehats, precise carve outs, or fully require adherence?; program-unique terms • Criminal law and legal safe harbors: USA – CFAA, DMCA; UK – CMA • Corporate compliance: data privacy (GDPR, Privacy Shield, etc); sanctions and anti-terrorism (various US and EU lists); diversity and anti-corruption (checks for verifying corporate policies)
Public Relations / Communications “You’re the only engineers that regularly speak officially on the behalf of the company that don’t have time to clear every word with PR first.” - Melanie Ensign (@imeluny)
Public Relations / Communications • Communications training for engineers and PMs • Build a library of templated responses • Consensus on when to escalate internally and when escalate to the Comms team
Engineering Partnerships. Product Management: • Coordinating scope changes with the product roadmap • Thoughtful prioritization of low/mid severity bugs. Corporate IT: • Very specific scope considerations • Managing potential false positives on sensors • This is Expert Mode bug bounty. Software Engineering: • Software security education
Paying out awards • What? How much should you pay? • How? PayPal, Payoneer, Bitcoin, Wire Transfer, Airline Points (United), Gift Cards? • Taxes! Withhold income tax? Require W8s?
”Ok, now what?”
Why this is worth it • With good relationships, leveraging researchers will enable you to scale your security team • Think of it like QA: dozens of good testers will find more bugs than just 2 or 3 excellent testers • Traditional pen tests are only accurate for a point in time; bug bounty testing is continuous
Where this fits • Products should have a security architecture review and a traditional source code enabled pen test before considering bug bounty • A small, private bug bounty is a great safe way to give top hackers access to a product first before launching an open bounty • Recurring source code enabled pen tests to find deep, complex vulnerabilities
About those hacker parties…
Questions? Adam Ruddermann Practice Director, Bug Bounty Services Email: rudd@nccgroup.trust Twitter: @adamruddermann