what does it take to run a bug bounty program
play

What does it take to run a bug bounty program? Typical problems and - PowerPoint PPT Presentation

Oct 20, 2022 •108 likes •540 views

What does it take to run a bug bounty program? Typical problems and practical solutions ANTON BLACK | GRADUATE SECURITY ENGINEER | ABLACK@ATLASSIAN.COM 1 Wait, who are you Was software engineer, Arteest now at least 50% cyber 2

  1. What does it take to run a bug bounty program? Typical problems and practical solutions ANTON BLACK | GRADUATE SECURITY ENGINEER | ABLACK@ATLASSIAN.COM 1

  2. Wait, who are you¿ Was software engineer, Arteest™ now at least 50% cyber 2

  3. “You should run a bug bounty!” — everyone, probably 3

  4. Generally considered a Good Idea Google Reddit Facebook Microsoft Apple Valve Fitbit Mastercard Netgear Avast DigitalOcean Android (and others) 4

  5. 1) Bug bounty considered beneficial 2) Challenges and mitigations Agenda 3) Summary 5

  6. A FORMAL PROGRAM WHERE: 1. Researchers tell you about security bugs in your software 2. You pay them for their efforts 6

  7. People will attack your software anyway A bounty lets it happen on your own terms ✗ ✓ 7

  8. Tap into international talent Bounty hunters can work anywhere in the world 8

  9. Tap into specialist talent Bounty hunters often specialize in some 
 platform, tool, or framework 9

  10. Meet security standards Certifications ask for “vulnerability testing”, “penetration testing” 10

  11. More secure products Your products have measurably fewer bugs 11

  12. 👎 12

  13. BUT THERE ARE CHALLENGES 13

  14. 1) Bug bounty considered beneficial 2) Challenges and mitigations Agenda 3) Summary 14

  15. Choosing a platform • Use an existing bug bounty platform 
 (STRONGLY RECOMMENDED) 
 • Or roll your own 15

  16. You don’t have experience with bug bounties. 16

  17. You don’t have experience with bug bounties. • Limit initial reports 16

  18. You don’t have experience with bug bounties. • Limit initial reports • Make a shared chatroom/forum for bounty staff to ask each other for help 16

  19. When should we increase the bounty? $$$ 17

  20. When should we increase the bounty? $$$ Pull data from your platform : • # critical bugs found in the last 90 days • Flow rate (is the dev team overwhelmed?) • Remaining bounty budget (can you afford it?) 17

  21. Our payout calculator $$$ 18

  22. A huge proportion of all incoming bug reports are invalid. Title Paid out 18% Invalid 82% FY18 bug reports 19

  23. A huge proportion of all incoming bug reports are invalid. Title Paid out • Choose a bounty platform 18% which offers filtering services Invalid 82% FY18 bug reports 19

  24. A huge proportion of all incoming bug reports are invalid. Title Paid out • Choose a bounty platform 18% which offers filtering services • Bounty briefing page is your Invalid first line of defence 82% FY18 bug reports 19

  25. Communication fatigue 20

  26. Communication fatigue • Use standard responses • Check bonus content for more ideas and situations 20

  27. Communication e.g. Bug resolved fatigue Hi <researcher>, Thank you for your report to our bug bounty program. The issue has been fixed by the development team and should reach production soon. • Use standard responses If you can still reproduce the issue in 2 weeks from today, please let • Check bonus content for more us know and we can investigate further. ideas and situations Thank you for your continued efforts toward our bug bounty program. 20

  30. Decision fatigue 23

  31. Decision fatigue • Make a shared page for procedures and protocols • Every time you have to make a judgement call, update the docs to cover it • FLOWCHARTS 👍 23

  32. e.g. “How do you handle a Critical bug?” Decision fatigue • Make a shared page for procedures and protocols • Every time you have to make a judgement call, update the docs to cover it • FLOWCHARTS 👍 23

  33. You’re dependent on a small group of researchers. 24

  34. You’re dependent on a small group of researchers. 24

  35. You’re dependent on a small group of researchers. • Increasing the bounty ≠ more researchers 
 • Advertise and hold hacking events 24

  36. Boring, repetitive admin tasks 25

  37. Boring, repetitive admin tasks • Choose a platform with an API • Make the robots do it for you 25

  38. 1) Bug bounty considered beneficial 2) Challenges and mitigations Agenda 3) Summary 26

  39. Run a bug bounty! 👎 27

  40. Choosing your platform: Filtering Reports + stats Control via services API 28

  41. Preventing problems: Use filtering Document Start small services procedures Pull data to Automate! inform decisions Advertise 29

  42. Atlassian’s bounty program: bugcrowd.com/atlassian For more, check out the bonus content Or forward cat pictures to ablack@atlassian.com ANTON BLACK | GRADUATE SECURITY ENGINEER | ABLACK@ATLASSIAN.COM 30

Recommend

2012 Bounty Rewards Program Program Theme Expose Bounty Accounts to our outstanding products and

2012 Bounty Rewards Program Program Theme Expose Bounty Accounts to our outstanding products and

2012 Bounty Rewards Program Program Theme Expose Bounty Accounts to our outstanding products and services that differentiates Kaman Industrial Technologies from our competitors. Program Overview Goal: Increase account penetration

186 views • 7 slides
Running a bug bounty Crowdsourcing security Collin Greene Also known as.. What is a bug bounty

Running a bug bounty Crowdsourcing security Collin Greene Also known as.. What is a bug bounty

Running a bug bounty Crowdsourcing security Collin Greene Also known as.. What is a bug bounty program Essentially bribing strangers to tell us their facebook 0days Sometimes blows up in our face, most of time works pretty well

841 views • 25 slides
Running a Bug Bounty Program What you need to know Shpend TU - Master in Software Engineering

Running a Bug Bounty Program What you need to know Shpend TU - Master in Software Engineering

Running a Bug Bounty Program What you need to know Shpend TU - Master in Software Engineering Senior AppSec Engineer &amp; Team Lead @ Bugcrowd Bug bounty Hunter Video Games Bsides Vienna 2016 Agenda What &amp; Why

365 views • 34 slides
BOUNTY M MINING LTD TD (A (ASX:B2Y) BOUNTY MINING LIMITED ACN 107 411 067 SUITE 301, 66

BOUNTY M MINING LTD TD (A (ASX:B2Y) BOUNTY MINING LIMITED ACN 107 411 067 SUITE 301, 66

BOUNTY M MINING LTD TD (A (ASX:B2Y) BOUNTY MINING LIMITED ACN 107 411 067 SUITE 301, 66 HUNTER STREET, SYDNEY NSW 2000, AUSTRALIA TELEPHONE: +61 417 654 090 WWW.BOUNTY.COM.AU 14 TH JUNE 2018 DISCLAIMER This investor Presentation

322 views • 16 slides
Running a Bug Bounty Program Adam Ruddermann 15 March 2018 IIA / ISACA / ACFE Joint Spring

Running a Bug Bounty Program Adam Ruddermann 15 March 2018 IIA / ISACA / ACFE Joint Spring

Running a Bug Bounty Program Adam Ruddermann 15 March 2018 IIA / ISACA / ACFE Joint Spring Training Event Bug bounty? Responsible disclosure? Huh? Huh? Security Researchers Whitehats (Optional) The Hackers company

425 views • 38 slides
Organizing a BUG Bounty program GetClouder Marian Marinov &lt; mm@1h.com &gt; GetClouder

Organizing a BUG Bounty program GetClouder Marian Marinov &lt; mm@1h.com &gt; GetClouder

Organizing a BUG Bounty program GetClouder Marian Marinov &lt; mm@1h.com &gt; GetClouder Organizing a BUG Bounty program What will I tell you? Why? How? The most interesting thing by now GetClouder Organizing a BUG Bounty program Why?

382 views • 7 slides
Bounty Oil and Gas NL Presentation to: Excellence in Oil and Gas March 11 12, 2014 ASX

Bounty Oil and Gas NL Presentation to: Excellence in Oil and Gas March 11 12, 2014 ASX

Bounty Oil and Gas NL Presentation to: Excellence in Oil and Gas March 11 12, 2014 ASX Code: BUY Philip F Kelso - CEO Cooper Basin - Drilling Utopia 14 Bounty Oil &amp; Gas NL Major Growth Projects with Production Base 2013

239 views • 19 slides
Data Driven Bug Bounty Arkadiy Tetelman (@arkadiyt) Agenda Program logistics @ Twitter,

Data Driven Bug Bounty Arkadiy Tetelman (@arkadiyt) Agenda Program logistics @ Twitter,

Data Driven Bug Bounty Arkadiy Tetelman (@arkadiyt) Agenda Program logistics @ Twitter, Airbnb Running a data driven program Methodology Questions Program Logistics - Twitter Single public program Soft launch

930 views • 20 slides
Running a Bug Bounty Program for your registry or registrar Gavin Brown, CTO, CentralNic Group

Running a Bug Bounty Program for your registry or registrar Gavin Brown, CTO, CentralNic Group

Running a Bug Bounty Program for your registry or registrar Gavin Brown, CTO, CentralNic Group PLC ICANN 63, Barcelona Introduction CentralNic Group PLC includes 4 registries and 5 registrars: CentralNic OpenRegistry KSRegistry SK-NIC TLD

411 views • 13 slides
Bounty Oil and Gas NL Presentation to: Energy, Oil and Gas Investor Summit March 17 18, 2015

Bounty Oil and Gas NL Presentation to: Energy, Oil and Gas Investor Summit March 17 18, 2015

Bounty Oil and Gas NL Presentation to: Energy, Oil and Gas Investor Summit March 17 18, 2015 ASX Code: BUY Philip F Kelso - CEO Gas Plant Songo Songo Island Bounty Oil &amp; Gas NL Major Growth Projects with Production Base Recent

334 views • 19 slides
Bounty Oil &amp; Gas NL Annual General Meeting 27 November 2013 CEOs Report Philip F Kelso

Bounty Oil &amp; Gas NL Annual General Meeting 27 November 2013 CEOs Report Philip F Kelso

Bounty Oil &amp; Gas NL Annual General Meeting 27 November 2013 CEOs Report Philip F Kelso Highlights Australia Bounty has successfully delineated and de-risked the Azalea Prospect in AC/P 32 (BUY 100%) Timor Sea, ready for farmout

552 views • 19 slides
Lessons of the Bounty: Drawing Experience from Tragedy Captain G. Andy Chase Professor of Marine

Lessons of the Bounty: Drawing Experience from Tragedy Captain G. Andy Chase Professor of Marine

Lessons of the Bounty: Drawing Experience from Tragedy Captain G. Andy Chase Professor of Marine Transportation Maine Maritime Academy At first glance, the Bounty tragedy was a simple disaster. One bad decision took a vessel straight into

215 views • 6 slides
The Rules of Engagement for Bug Bounty Programs Aron Laszka 1 , Mingyi Zhao 2 , Akash Malbari

The Rules of Engagement for Bug Bounty Programs Aron Laszka 1 , Mingyi Zhao 2 , Akash Malbari

The Rules of Engagement for Bug Bounty Programs Aron Laszka 1 , Mingyi Zhao 2 , Akash Malbari 3 , and Jens Grossklags 4 1 University of Houston 2 Snap Inc. 3 Pennsylvania State University 4 Technical University of Munich 1 Bug-Bounty

553 views • 23 slides
Bounty Oil &amp; Gas NL AGM 28 th November, 2011 Presentation by: Philip F Kelso - CEO

Bounty Oil &amp; Gas NL AGM 28 th November, 2011 Presentation by: Philip F Kelso - CEO

Bounty Oil &amp; Gas NL AGM 28 th November, 2011 Presentation by: Philip F Kelso - CEO DISCLAIMER This presentation contains forward looking statements that are subject to risk factors associated with the oil and gas industry. It is believed

372 views • 25 slides
Bounty Oil and Gas NL Excellence in Oil &amp; Philip F Kelso CEO Sydney, March 2, 2011 Gas

Bounty Oil and Gas NL Excellence in Oil &amp; Philip F Kelso CEO Sydney, March 2, 2011 Gas

Bounty Oil and Gas NL Excellence in Oil &amp; Philip F Kelso CEO Sydney, March 2, 2011 Gas Gas y DIS CLAIMER This presentation contains forward looking statements that are subj ect to risk factors associated with the oil f t i t d

466 views • 15 slides
with { Poking Servers whoami | head WebAppSec Consultant,

with { Poking Servers whoami | head WebAppSec Consultant,

with { Poking Servers whoami | head WebAppSec Consultant, Penetra:on Tester, Bug Bounty Hunter for Google, Facebook, Paypal, Mozilla and other bounty

740 views • 48 slides
Bounty Oil and Gas NL Annual General Meeting November 28, 2019 CEO Presentation ASX Code: BUY

Bounty Oil and Gas NL Annual General Meeting November 28, 2019 CEO Presentation ASX Code: BUY

Bounty Oil and Gas NL Annual General Meeting November 28, 2019 CEO Presentation ASX Code: BUY Philip Kelso - CEO Drilling Cooper Basin QLD Disclaimer/Competent Person This presentation contains forward looking statements that are subject to

324 views • 16 slides
PRIVATISED FUNDING: BOUNTY HUNTERS AGAIN? CFAs, contingency fees, and third party funders in

PRIVATISED FUNDING: BOUNTY HUNTERS AGAIN? CFAs, contingency fees, and third party funders in

PRIVATISED FUNDING: BOUNTY HUNTERS AGAIN? CFAs, contingency fees, and third party funders in civil litigation Christopher Hodges Head of the CMS Research Programme on Civil Justice Systems Centre for Socio-Legal Studies, University of Oxford

635 views • 25 slides
Bounty Oil and Gas NL Annual General Meeting November 29, 2017 CEO Presentation ASX Code: BUY

Bounty Oil and Gas NL Annual General Meeting November 29, 2017 CEO Presentation ASX Code: BUY

Bounty Oil and Gas NL Annual General Meeting November 29, 2017 CEO Presentation ASX Code: BUY Philip Kelso - CEO Pipe-laying Songo Songo Island Disclaimer/Competent Person This presentation contains forward looking statements that are

537 views • 17 slides
Farm-to-Freezer An Institutional Guide to Saving Summers Bounty By 2013 Ralph W. Voorhees

Farm-to-Freezer An Institutional Guide to Saving Summers Bounty By 2013 Ralph W. Voorhees

Farm-to-Freezer An Institutional Guide to Saving Summers Bounty By 2013 Ralph W. Voorhees Public Service Fellows Abdul Abad Erin Maguire Kevin Dahaghi Sarthi Tuli Katherine Fudacz Arielle Wortzel Instructor: Kathe Newman

403 views • 22 slides
Bounty Oil and Gas NL Annual General Meeting November 27, 2015 CEO Presentation ASX Code: BUY

Bounty Oil and Gas NL Annual General Meeting November 27, 2015 CEO Presentation ASX Code: BUY

Bounty Oil and Gas NL Annual General Meeting November 27, 2015 CEO Presentation ASX Code: BUY Philip F Kelso - CEO Gas Plant Songo Songo Island Disclaimer/Competent Person This presentation contains forward looking statements that are

245 views • 23 slides
Prese serving g the he Bou Bounty Sejal Lanterman Cooperative Extension Educator Topics w

Prese serving g the he Bou Bounty Sejal Lanterman Cooperative Extension Educator Topics w

Prese serving g the he Bou Bounty Sejal Lanterman Cooperative Extension Educator Topics w we will e ill explo lore Why Preserve Following the rules Staying Organized Water Bath Canning Pressure Canning

535 views • 32 slides
Canada lynx in Minnesota Exploitation Pre-1965 Bounty 1965 Unprotected Management 1976

Canada lynx in Minnesota Exploitation Pre-1965 Bounty 1965 Unprotected Management 1976

Canada lynx in Minnesota Exploitation Pre-1965 Bounty 1965 Unprotected Management 1976 Furbearer Protection 1984 Season closure 2000 ESA Threatened status Current ~2000 Hair snare, Snow-tracking and DNA analysis 2003 Telemetry project

816 views • 35 slides
Bounty Oil and Gas NL Presentation to QUPEX Tattersalls Club Brisbane 2 August 2016 ASX Code:

Bounty Oil and Gas NL Presentation to QUPEX Tattersalls Club Brisbane 2 August 2016 ASX Code:

Bounty Oil and Gas NL Presentation to QUPEX Tattersalls Club Brisbane 2 August 2016 ASX Code: BUY Philip F Kelso - CEO Gas Plant Songo Songo Island Disclaimer/Competent Person This presentation contains forward looking statements that are

651 views • 30 slides

More recommend