running a bug bounty program
play

Running a Bug Bounty Program What you need to know Shpend TU - - PowerPoint PPT Presentation

Dec 09, 2023 •25 likes •365 views

Running a Bug Bounty Program What you need to know Shpend TU - Master in Software Engineering Senior AppSec Engineer & Team Lead @ Bugcrowd Bug bounty Hunter Video Games Bsides Vienna 2016 Agenda What & Why

  1. Running a Bug Bounty Program What you need to know

  2. Shpend TU - Master in Software Engineering ● Senior AppSec Engineer & Team Lead @ Bugcrowd ● Bug bounty Hunter ● Video Games ● Bsides Vienna 2016

  3. Agenda ● What & Why ● Pre-launch ● Post-Launch ● Notable findings Bsides Vienna 2016

  4. Bug Bounty Programs

  5. Audience survey: Do you know what Bug Bounty means? Bsides Vienna 2016 Source (Hyperbole and a Half)

  6. The History of Bug Bounties: Abbreviated Timeline from 1995 to Present

  7. Why? Bsides Vienna 2016

  8. Should I invite random people to hack on my systems? Bsides Vienna 2016 Source (Hyperbole and a Half)

  9. Benefits to running a Bug Bounty Program Lots of Eyes ● Pay for results model ● Shows a more advanced security posture ● Better reputation ● Bsides Vienna 2016 Source (ESRB)

  10. Case Study: Instructure 2013 (Pentest) 2014 (Bug Bounty) 2015 (Bug Bounty) Critical 0 0 0 High 1 25 3 Medium 1 8 2 Low 2 16 5 https://www.canvaslms.com/security Bsides Vienna 2016 Source (Canvas)

  11. Who are these people? All ages ● All levels of experience & skillsets ● All over the world ● Users and and non-users ● Passionate about security! ● Bsides Vienna 2016 Source (ESRB)

  12. Researcher Incentive Cash! ● Reputation (Hall of Fame) ● Ranking (platforms) ● Passionate about security! ● Bsides Vienna 2016 Source (ESRB)

  13. The Value of Crowdsourced Testing Bsides Vienna 2016 Source (RedTeam Pentesting)

  14. How? Bsides Vienna 2016

  15. Before and After Pre-Launch as a Program Owner Post-Launch as a Program Owner ● ● Scope Handling Submissions (Manpower) ○ ○ Exclusions Communicating Effectively ○ ○ Environment Defining a Vulnerability Rating Taxonomy ○ ○ Access ○ Bsides Vienna 2016

  16. “Make a change, pay the researcher.” Bsides Vienna 2016 Source (Get A Life)

  17. Pre-Launch

  18. Scope Define target(s). ● Only webapp (www.example.com) ○ All subdomains (careful) (*.example.com) ○ All products & acquisitions (more careful) ○ Mobile? (Android, iOS, Windows Phone? j/k) ○ Human & physical ○ Bsides Vienna 2016 Source (Accurate Shooter)

  19. Scope Define non/rewardable findings ● No security impact (Logout csrf) ○ Best practice (Session management) ○ Full/partial poc? (XXE, SSRF,SQLI) ○ Define reward range ● Min and Max ○ Table based on vuln types ○ Define Disclosure ● Allowed or not ○ Bsides Vienna 2016 Source (Accurate Shooter)

  20. Exclusions You might not care about: ● (Low-impact) “low hanging fruit” ○ Intended functionality ○ Known issues (call out!) ○ Accepted risks ○ Issues based on pivoting ○ Bsides Vienna 2016 Source (Meme Generator)

  21. Environment Production vs. staging ● Make sure it can stand up to testing! ● Scanners ○ Contact forms ○ Pentesting requests ○ Special bounty types ● IoT/devices ○ Researcher environments ● Bsides Vienna 2016 Source (The Daily Mail)

  22. Access Easier = better (self-signup) ● Provide adequate resources for success ● E.g. sandbox credit cards ○ No shared credentials ● Bsides Vienna 2016 Source (Demotivation)

  23. Post-Launch

  24. Be Prepared ● High volume of submissions ● Scanners Manpower ● ● Communication Bsides Vienna 2016 Source (Meme Generator)

  25. Tips: Triage submissions ● Work oldest to newest ● Push back if unclear (ask more info) Tag valid findings ● ● Experience -> faster triage Bsides Vienna 2016 Source (Meme Generator)

  26. Tips: Triage submissions efficiently ● Check Domain/Bug for in scope ● Have multiple browsers ready ● Check for duplicates ● Keep burp open (you’ll need it) Reproduce (Replication steps) Have environment ready (XXE oob via ftp) ● ● ● Have accounts (with diff roles) ready ● Keep scope handy Bsides Vienna 2016 Source (Meme Generator)

  27. Communication is Key Researchers like: ● Concise, unambiguous responses ○ ESL ■ Short response time ○ Predictable reward time ○ Communicate issue being looked at ● Reply to researcher questions. ● Bsides Vienna 2016 Source (Profielwekstuk)

  28. Define a Vulnerability Rating Taxonomy For program owners: ● Speeds up triage process ○ Track your organization’s security posture ○ Arrive at a reward amount more quickly ○ For researchers: ● Focus on high-value bugs ○ Avoid wasting time on non-rewardable bugs ○ Alongside brief, helps build trust ○ Bsides Vienna 2016

  29. Discuss the VRT at a Roundtable Priority will change as your organization does ● Establish a regular meeting ● Review interesting bugs ○ Discuss additions ○ Propose changes ○ This is an ongoing process! ● Great learning opportunity ● Bsides Vienna 2016 Source (Wikipedia)

  30. Notable Findings

  31. Kernel Panic 2 Remote BoF kernel level (Cifs/NSF) ● Found in custom kernel modules ● Rewarded $10k each ● Timeframe: 2 weeks ● Bsides Vienna 2016 Source (Meme Generator)

  32. “You can’t see me” exposed! POS tablet (Android) ● Shipped to researchers for testing ● Winner takes all ($15k) ● Hacked via flashing ● Bonus bug: admin backdoor ● Bsides Vienna 2016 Source (Meme Generator)

  33. Login as anyone SSO available for setup ● Domain no verified ● Attacker set ups SSO ● Attacker adds ANY email address in their ● SSO account Attacker available to login using that email ● address Reward: $10k ● Bsides Vienna 2016 Source (Meme Generator)

  34. Thanks! Shpend Kurtishaj me@shpendk.com @shpendk Source (xkcd)

Recommend

Running a bug bounty Crowdsourcing security Collin Greene Also known as.. What is a bug bounty

Running a bug bounty Crowdsourcing security Collin Greene Also known as.. What is a bug bounty

Running a bug bounty Crowdsourcing security Collin Greene Also known as.. What is a bug bounty program Essentially bribing strangers to tell us their facebook 0days Sometimes blows up in our face, most of time works pretty well

841 views • 25 slides
Running a Bug Bounty Program Adam Ruddermann 15 March 2018 IIA / ISACA / ACFE Joint Spring

Running a Bug Bounty Program Adam Ruddermann 15 March 2018 IIA / ISACA / ACFE Joint Spring

Running a Bug Bounty Program Adam Ruddermann 15 March 2018 IIA / ISACA / ACFE Joint Spring Training Event Bug bounty? Responsible disclosure? Huh? Huh? Security Researchers Whitehats (Optional) The Hackers company

425 views • 38 slides
Running a Bug Bounty Program for your registry or registrar Gavin Brown, CTO, CentralNic Group

Running a Bug Bounty Program for your registry or registrar Gavin Brown, CTO, CentralNic Group

Running a Bug Bounty Program for your registry or registrar Gavin Brown, CTO, CentralNic Group PLC ICANN 63, Barcelona Introduction CentralNic Group PLC includes 4 registries and 5 registrars: CentralNic OpenRegistry KSRegistry SK-NIC TLD

411 views • 13 slides
2012 Bounty Rewards Program Program Theme Expose Bounty Accounts to our outstanding products and

2012 Bounty Rewards Program Program Theme Expose Bounty Accounts to our outstanding products and

2012 Bounty Rewards Program Program Theme Expose Bounty Accounts to our outstanding products and services that differentiates Kaman Industrial Technologies from our competitors. Program Overview Goal: Increase account penetration

186 views • 7 slides
Data Driven Bug Bounty Arkadiy Tetelman (@arkadiyt) Agenda Program logistics @ Twitter,

Data Driven Bug Bounty Arkadiy Tetelman (@arkadiyt) Agenda Program logistics @ Twitter,

Data Driven Bug Bounty Arkadiy Tetelman (@arkadiyt) Agenda Program logistics @ Twitter, Airbnb Running a data driven program Methodology Questions Program Logistics - Twitter Single public program Soft launch

930 views • 20 slides
BOUNTY M MINING LTD TD (A (ASX:B2Y) BOUNTY MINING LIMITED ACN 107 411 067 SUITE 301, 66

BOUNTY M MINING LTD TD (A (ASX:B2Y) BOUNTY MINING LIMITED ACN 107 411 067 SUITE 301, 66

BOUNTY M MINING LTD TD (A (ASX:B2Y) BOUNTY MINING LIMITED ACN 107 411 067 SUITE 301, 66 HUNTER STREET, SYDNEY NSW 2000, AUSTRALIA TELEPHONE: +61 417 654 090 WWW.BOUNTY.COM.AU 14 TH JUNE 2018 DISCLAIMER This investor Presentation

322 views • 16 slides
Organizing a BUG Bounty program GetClouder Marian Marinov < mm@1h.com > GetClouder

Organizing a BUG Bounty program GetClouder Marian Marinov < mm@1h.com > GetClouder

Organizing a BUG Bounty program GetClouder Marian Marinov < mm@1h.com > GetClouder Organizing a BUG Bounty program What will I tell you? Why? How? The most interesting thing by now GetClouder Organizing a BUG Bounty program Why?

382 views • 7 slides
What does it take to run a bug bounty program? Typical problems and practical solutions ANTON

What does it take to run a bug bounty program? Typical problems and practical solutions ANTON

What does it take to run a bug bounty program? Typical problems and practical solutions ANTON BLACK | GRADUATE SECURITY ENGINEER | ABLACK@ATLASSIAN.COM 1 Wait, who are you Was software engineer, Arteest now at least 50% cyber 2

540 views • 42 slides
Bounty Oil and Gas NL Presentation to: Excellence in Oil and Gas March 11 12, 2014 ASX

Bounty Oil and Gas NL Presentation to: Excellence in Oil and Gas March 11 12, 2014 ASX

Bounty Oil and Gas NL Presentation to: Excellence in Oil and Gas March 11 12, 2014 ASX Code: BUY Philip F Kelso - CEO Cooper Basin - Drilling Utopia 14 Bounty Oil & Gas NL Major Growth Projects with Production Base 2013

239 views • 19 slides
Welcome to the running start information session. This presentation will give an overview of the

Welcome to the running start information session. This presentation will give an overview of the

Welcome to the running start information session. This presentation will give an overview of the running start program, other options for earning college credit while in high school, and how students can access the running start program. Running

416 views • 23 slides
Bounty Oil and Gas NL Presentation to: Energy, Oil and Gas Investor Summit March 17 18, 2015

Bounty Oil and Gas NL Presentation to: Energy, Oil and Gas Investor Summit March 17 18, 2015

Bounty Oil and Gas NL Presentation to: Energy, Oil and Gas Investor Summit March 17 18, 2015 ASX Code: BUY Philip F Kelso - CEO Gas Plant Songo Songo Island Bounty Oil & Gas NL Major Growth Projects with Production Base Recent

334 views • 19 slides
Running Time Why do we need to analyze the running Algorithm/Running Time Analysis time of a

Running Time Why do we need to analyze the running Algorithm/Running Time Analysis time of a

Running Time Why do we need to analyze the running Algorithm/Running Time Analysis time of a program? Option 1: Run the program and time it Why is this option bad? What can we do about it? Pseudo-Code Math Review Used

329 views • 3 slides
Bounty Oil & Gas NL Annual General Meeting 27 November 2013 CEOs Report Philip F Kelso

Bounty Oil & Gas NL Annual General Meeting 27 November 2013 CEOs Report Philip F Kelso

Bounty Oil & Gas NL Annual General Meeting 27 November 2013 CEOs Report Philip F Kelso Highlights Australia Bounty has successfully delineated and de-risked the Azalea Prospect in AC/P 32 (BUY 100%) Timor Sea, ready for farmout

552 views • 19 slides
Lessons of the Bounty: Drawing Experience from Tragedy Captain G. Andy Chase Professor of Marine

Lessons of the Bounty: Drawing Experience from Tragedy Captain G. Andy Chase Professor of Marine

Lessons of the Bounty: Drawing Experience from Tragedy Captain G. Andy Chase Professor of Marine Transportation Maine Maritime Academy At first glance, the Bounty tragedy was a simple disaster. One bad decision took a vessel straight into

215 views • 6 slides
The Rules of Engagement for Bug Bounty Programs Aron Laszka 1 , Mingyi Zhao 2 , Akash Malbari

The Rules of Engagement for Bug Bounty Programs Aron Laszka 1 , Mingyi Zhao 2 , Akash Malbari

The Rules of Engagement for Bug Bounty Programs Aron Laszka 1 , Mingyi Zhao 2 , Akash Malbari 3 , and Jens Grossklags 4 1 University of Houston 2 Snap Inc. 3 Pennsylvania State University 4 Technical University of Munich 1 Bug-Bounty

553 views • 23 slides
Image Sharpening Example Running a simple parallel program Aims (i) To familiarise yourself

Image Sharpening Example Running a simple parallel program Aims (i) To familiarise yourself

Image Sharpening Example Running a simple parallel program Aims (i) To familiarise yourself with running parallel programs To run a real parallel code (that does file I/O) on different numbers of cores measure the time

700 views • 11 slides
CSE 351: Week 8 Tom Bergan, TA 1 Today What happens when a program starts running?

CSE 351: Week 8 Tom Bergan, TA 1 Today What happens when a program starts running?

CSE 351: Week 8 Tom Bergan, TA 1 Today What happens when a program starts running? Address spaces Virtual memory 2 Lets start a program $ ./bufbomb -u tbergan Goal: execute main() in ./bufbomb int main(int argc, char

210 views • 20 slides
Processes A process is an instance of a program running Modern OSes run multiple processes

Processes A process is an instance of a program running Modern OSes run multiple processes

Processes A process is an instance of a program running Modern OSes run multiple processes simultaneously Examples (can all run simultaneously): - gcc file_A.c compiler running on file A - gcc file_B.c compiler running on file B

619 views • 44 slides
Introduction to ARCHER and Cray MPI Running a Simple Parallel Program Aims To familiarise

Introduction to ARCHER and Cray MPI Running a Simple Parallel Program Aims To familiarise

Introduction to ARCHER and Cray MPI Running a Simple Parallel Program Aims To familiarise yourself with running parallel programs how to compile on ARCHER how to submit jobs to the compute nodes using PBS To run a real parallel

356 views • 10 slides
COMP 204: Computer Programming for Life Sciences Writing and Running Python Program Mathieu

COMP 204: Computer Programming for Life Sciences Writing and Running Python Program Mathieu

COMP 204: Computer Programming for Life Sciences Writing and Running Python Program Mathieu Blanchette, based on material from Yue Li, Carlos Oliver and Christopher Cameron 1 / 11 What is a computer program? Computer program: Simple text file

234 views • 11 slides
Bounty Oil & Gas NL AGM 28 th November, 2011 Presentation by: Philip F Kelso - CEO

Bounty Oil & Gas NL AGM 28 th November, 2011 Presentation by: Philip F Kelso - CEO

Bounty Oil & Gas NL AGM 28 th November, 2011 Presentation by: Philip F Kelso - CEO DISCLAIMER This presentation contains forward looking statements that are subject to risk factors associated with the oil and gas industry. It is believed

372 views • 25 slides
CSSE 232 Computer Architecture I Running a Program 1 / 15 Class Status Reading for today

CSSE 232 Computer Architecture I Running a Program 1 / 15 Class Status Reading for today

CSSE 232 Computer Architecture I Running a Program 1 / 15 Class Status Reading for today 2.12, 2.13, 2.14, B.1-5 2 / 15 Outline Compilers Assemblers Linkers Loaders 3 / 15 Translation and Startup in C C program

497 views • 15 slides
with { Poking Servers whoami | head WebAppSec Consultant,

with { Poking Servers whoami | head WebAppSec Consultant,

with { Poking Servers whoami | head WebAppSec Consultant, Penetra:on Tester, Bug Bounty Hunter for Google, Facebook, Paypal, Mozilla and other bounty

740 views • 48 slides
Bounty Oil and Gas NL Excellence in Oil & Philip F Kelso CEO Sydney, March 2, 2011 Gas

Bounty Oil and Gas NL Excellence in Oil & Philip F Kelso CEO Sydney, March 2, 2011 Gas

Bounty Oil and Gas NL Excellence in Oil & Philip F Kelso CEO Sydney, March 2, 2011 Gas Gas y DIS CLAIMER This presentation contains forward looking statements that are subj ect to risk factors associated with the oil f t i t d

466 views • 15 slides

More recommend