What does it take to run a bug bounty program? Typical problems and practical solutions (PowerPoint presentation)

  1. What does it take to run a bug bounty program? Typical problems and practical solutions ANTON BLACK | GRADUATE SECURITY ENGINEER | ABLACK@ATLASSIAN.COM

  2. Wait, who are you¿ Was software engineer, Arteest™ now at least 50% cyber

  3. “You should run a bug bounty!” — everyone, probably

  4. Generally considered a Good Idea: Google, Reddit, Facebook, Microsoft, Apple, Valve, Fitbit, Mastercard, Netgear, Avast, DigitalOcean, Android (and others)

  5. Agenda: 1) Bug bounty considered beneficial 2) Challenges and mitigations 3) Summary

  6. A FORMAL PROGRAM WHERE: 1. Researchers tell you about security bugs in your software 2. You pay them for their efforts

  7. ✗ People will attack your software anyway. ✓ A bounty lets it happen on your own terms.

  8. Tap into international talent: bounty hunters can work anywhere in the world

  9. Tap into specialist talent: bounty hunters often specialize in some platform, tool, or framework

  10. Meet security standards: certifications ask for “vulnerability testing”, “penetration testing”

  11. More secure products: your products have measurably fewer bugs

  12. 👎

  13. BUT THERE ARE CHALLENGES

  14. Agenda: 1) Bug bounty considered beneficial 2) Challenges and mitigations 3) Summary

  15. Choosing a platform • Use an existing bug bounty platform (STRONGLY RECOMMENDED) • Or roll your own

  16. You don’t have experience with bug bounties. • Limit initial reports • Make a shared chatroom/forum for bounty staff to ask each other for help

  19. When should we increase the bounty? $$$ Pull data from your platform: • # critical bugs found in the last 90 days • Flow rate (is the dev team overwhelmed?) • Remaining bounty budget (can you afford it?)

  21. Our payout calculator $$$
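The three signals on the "When should we increase the bounty?" slide, computed from a platform export, as an added example. This is not Atlassian's payout calculator (the deck shows none of its code). The export shape, the constructed sample reports, the 28-day flow window, the $20k budget and the raise/hold rule in `review()` are all assumptions; the rule used here is: raise when critical finds have gone quiet, unless the dev team is already falling behind or the remaining budget cannot fund the raise.

```python
"""Bounty-review signals from a platform export.

Added example, not Atlassian's payout calculator (the deck shows none). It
assumes an export shaped like SAMPLE_REPORTS (one dict per report: severity,
submission and resolution dates as ISO strings, payout); map your platform's
API fields onto those names. The raise/hold policy in review() is an assumption.
"""
from datetime import date, timedelta

# Constructed sample export for one program. Invalid reports carry no payout.
SAMPLE_REPORTS = [
    {"id": "r1", "severity": "critical", "submitted": "2018-01-20", "resolved": "2018-02-05", "payout": 3000},
    {"id": "r2", "severity": "high",     "submitted": "2018-02-10", "resolved": "2018-03-01", "payout": 1500},
    {"id": "r3", "severity": "critical", "submitted": "2018-02-14", "resolved": "2018-03-10", "payout": 3000},
    {"id": "r4", "severity": "invalid",  "submitted": "2018-03-02", "resolved": "2018-03-02", "payout": 0},
    {"id": "r5", "severity": "medium",   "submitted": "2018-03-20", "resolved": "2018-04-02", "payout": 600},
    {"id": "r6", "severity": "low",      "submitted": "2018-03-25", "resolved": None,         "payout": 0},
    {"id": "r7", "severity": "high",     "submitted": "2018-04-01", "resolved": None,         "payout": 0},
    {"id": "r8", "severity": "invalid",  "submitted": "2018-04-03", "resolved": "2018-04-03", "payout": 0},
    {"id": "r9", "severity": "medium",   "submitted": "2018-04-08", "resolved": None,         "payout": 0},
    {"id": "r10", "severity": "low",     "submitted": "2018-04-12", "resolved": None,         "payout": 0},
]


def _day(s):
    return date.fromisoformat(s) if s else None


def _in_window(s, start, today):
    d = _day(s)
    return d is not None and start < d <= today


def criticals_in_window(reports, today, days=90):
    """Critical-severity reports submitted in the last `days` (slide: last 90 days)."""
    start = today - timedelta(days=days)
    return sum(1 for r in reports
               if r["severity"] == "critical" and _in_window(r["submitted"], start, today))


def flow_rate(reports, today, days=28):
    """Valid reports arriving vs. resolved per week, plus the open backlog.
    Invalid reports never reach the dev team, so they are excluded."""
    start = today - timedelta(days=days)
    valid = [r for r in reports if r["severity"] != "invalid"]
    arrived = sum(1 for r in valid if _in_window(r["submitted"], start, today))
    closed = sum(1 for r in valid if _in_window(r["resolved"], start, today))
    backlog = sum(1 for r in valid if r["resolved"] is None)
    weeks = days / 7
    return {"in_per_week": arrived / weeks, "out_per_week": closed / weeks, "backlog": backlog}


def budget_status(reports, today, fy_end, budget_total, days=90, increase=0.0):
    """Spend to date, what is left, and projected spend to fiscal year end at the
    recent burn rate (payouts on reports resolved in the last `days`), scaled by
    a proposed bounty increase."""
    start = today - timedelta(days=days)
    spent = sum(r["payout"] for r in reports)
    recent = sum(r["payout"] for r in reports if _in_window(r["resolved"], start, today))
    per_week = recent / (days / 7)
    weeks_left = max((fy_end - today).days, 0) / 7
    projected = round(per_week * weeks_left * (1 + increase))
    remaining = budget_total - spent
    return {"spent": spent, "remaining": remaining, "projected": projected,
            "affordable": projected <= remaining}


def review(reports, today, fy_end, budget_total, increase=0.25, min_criticals=3):
    """Assumed policy: raise the bounty when critical finds have gone quiet,
    unless the dev team is already falling behind or the budget cannot fund the
    raise. The signals and blockers are returned so the call is auditable."""
    crit = criticals_in_window(reports, today)
    flow = flow_rate(reports, today)
    budget = budget_status(reports, today, fy_end, budget_total, increase=increase)
    blockers = []
    if crit >= min_criticals:
        blockers.append(f"{crit} criticals in 90 days: researchers are still finding them")
    if flow["in_per_week"] > flow["out_per_week"]:
        blockers.append(f"backlog growing: {flow['in_per_week']:.2f} in vs "
                        f"{flow['out_per_week']:.2f} out per week, {flow['backlog']} open")
    if not budget["affordable"]:
        blockers.append(f"projected spend {budget['projected']} exceeds remaining {budget['remaining']}")
    return {"criticals_90d": crit, "flow": flow, "budget": budget,
            "increase_bounty": not blockers, "blockers": blockers}


def sample_review():
    """Run the review on the constructed export with an assumed $20k budget."""
    return review(SAMPLE_REPORTS, date(2018, 4, 15), date(2018, 6, 30), budget_total=20_000)


if __name__ == "__main__":
    for key, value in sample_review().items():
        print(f"{key}: {value}")
```

On the sample data the budget can fund a 25% raise and criticals have gone quiet (2 in 90 days), but the backlog is growing (1.25 valid reports in per week against 0.25 resolved), so the answer is "hold" with that reason recorded. Keeping the blockers as text rather than a bare boolean is what makes the call defensible later when someone asks why the bounty did not move.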

  22. A huge proportion of all incoming bug reports are invalid. FY18 bug reports: Paid out 18%, Invalid 82%. • Choose a bounty platform which offers filtering services • Bounty briefing page is your first line of defence

  25. Communication fatigue • Use standard responses • Check bonus content for more ideas and situations. e.g. Bug resolved: “Hi <researcher>, Thank you for your report to our bug bounty program. The issue has been fixed by the development team and should reach production soon. If you can still reproduce the issue in 2 weeks from today, please let us know and we can investigate further. Thank you for your continued efforts toward our bug bounty program.”

  28. Decision fatigue • Make a shared page for procedures and protocols • Every time you have to make a judgement call, update the docs to cover it • FLOWCHARTS 👍 e.g. “How do you handle a Critical bug?”

  31. You’re dependent on a small group of researchers. • Increasing the bounty ≠ more researchers • Advertise and hold hacking events

  34. Boring, repetitive admin tasks • Choose a platform with an API • Make the robots do it for you
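The "standard responses" advice from the Communication fatigue slide and the "choose a platform with an API, make the robots do it" advice from this one, together as one added example: the deck's "Bug resolved" text rendered from a template, plus a daily pass over the platform's submissions that decides what each one needs. This is not Atlassian's tooling. Only the "Bug resolved" wording comes from the deck; the second template, the submission fields (`state`, `last_actor`, `notified`), the SLA day counts and the sample submissions are assumptions, and no real platform API is called.

```python
"""Triage chores as code: standard responses rendered from templates, and a
daily pass over the platform's submissions that decides what each one needs.

Added example, not Atlassian's tooling. Only the "Bug resolved" wording comes
from the deck; the second template, the submission fields, the SLA day counts
and the sample data are assumptions. No platform API is called: pass
plan_actions() the list your platform's API returns.
"""
from datetime import date
from string import Template

# Assumed SLAs: days before a new report is overdue for triage, and how long a
# researcher gets to answer before the thread is closed (the 2-week window the
# resolved response promises).
SLA_DAYS = {"triage": 2, "researcher_reply": 14}

TEMPLATES = {
    # Verbatim from the deck's "Bug resolved" standard response.
    "resolved": Template(
        "Hi $researcher,\n\n"
        "Thank you for your report to our bug bounty program. The issue has been "
        "fixed by the development team and should reach production soon. If you "
        "can still reproduce the issue in 2 weeks from today, please let us know "
        "and we can investigate further.\n\n"
        "Thank you for your continued efforts toward our bug bounty program."),
    # Assumed wording for closing a thread the researcher stopped answering.
    "no_response": Template(
        "Hi $researcher,\n\n"
        "We asked for more information on this report $days days ago and have not "
        "heard back, so we are closing it. Reply on this thread if you still want "
        "it looked at and we will reopen it."),
}

# Constructed sample of a submissions listing. last_actor says whose turn it is;
# notified records whether the resolved response has already been sent.
SAMPLE_TODAY = date(2018, 4, 15)
SAMPLE_SUBMISSIONS = [
    {"id": "s1", "researcher": "alice", "state": "new", "last_update": "2018-04-14", "last_actor": "researcher"},
    {"id": "s2", "researcher": "bob", "state": "new", "last_update": "2018-04-10", "last_actor": "researcher"},
    {"id": "s3", "researcher": "carol", "state": "resolved", "last_update": "2018-04-13", "last_actor": "staff", "notified": False},
    {"id": "s4", "researcher": "dave", "state": "resolved", "last_update": "2018-03-20", "last_actor": "staff", "notified": True},
    {"id": "s5", "researcher": "erin", "state": "needs_info", "last_update": "2018-03-25", "last_actor": "staff"},
    {"id": "s6", "researcher": "frank", "state": "needs_info", "last_update": "2018-04-12", "last_actor": "researcher"},
]


def render(kind, **fields):
    """Fill a standard response. Template.substitute raises KeyError on a
    missing field, so a bare '$researcher' never reaches anyone."""
    return TEMPLATES[kind].substitute(**fields)


def age_days(sub, today):
    """Days since the submission was last updated by anyone."""
    return (today - date.fromisoformat(sub["last_update"])).days


def plan_actions(subs, today):
    """Return {submission id: (action, message)}. 'send*' actions carry the text
    to post; the others are work items for a human. Submissions that need
    nothing today are left out."""
    actions = {}
    for s in subs:
        age = age_days(s, today)
        state, sid = s["state"], s["id"]
        if state == "new" and age > SLA_DAYS["triage"]:
            actions[sid] = ("triage_overdue", None)
        elif state == "resolved" and not s.get("notified"):
            actions[sid] = ("send", render("resolved", researcher=s["researcher"]))
        elif state == "resolved" and age > SLA_DAYS["researcher_reply"]:
            # The regression window promised in the response passed quietly.
            actions[sid] = ("close", None)
        elif state == "needs_info" and s["last_actor"] == "researcher":
            actions[sid] = ("reply_needed", None)   # the ball is in our court
        elif state == "needs_info" and age > SLA_DAYS["researcher_reply"]:
            actions[sid] = ("send_and_close",
                            render("no_response", researcher=s["researcher"], days=age))
    return actions


if __name__ == "__main__":
    for sid, (action, message) in plan_actions(SAMPLE_SUBMISSIONS, SAMPLE_TODAY).items():
        print(f"{sid}: {action}")
        if message:
            print("    " + message.replace("\n", "\n    "))
```

Two design points matter when wiring this to a real platform: the `notified` flag must live on the platform (a tag or custom field), not in the script, so a rerun never sends the resolved response twice; and the robot only posts templated text and closes timed-out threads. Deciding whether a report is valid, and what it is worth, stays with a human, which is why `triage_overdue` and `reply_needed` are work items rather than automated replies.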

  36. Agenda: 1) Bug bounty considered beneficial 2) Challenges and mitigations 3) Summary

  37. Run a bug bounty! 👎

  38. Choosing your platform: Filtering services • Reports + stats • Control via API

  39. Preventing problems: Use filtering services • Document procedures • Start small • Pull data to inform decisions • Automate! • Advertise

  40. Atlassian’s bounty program: bugcrowd.com/atlassian For more, check out the bonus content Or forward cat pictures to ablack@atlassian.com ANTON BLACK | GRADUATE SECURITY ENGINEER | ABLACK@ATLASSIAN.COM
