Page 1: Decoding Bug Bounty Programs

Jon Rose

Page 2: It's all about YOU

Page 3: What is your Role?

Builder

Breaker

Defender

Page 4: Bug Bounty Programs are Revolutionizing the way businesses protect themselves

Page 5: O RLY?

Page 6: Traditional security testing is

Page 7:

1. Automated tools don't work

2. Waterfall security isn't Agile

3. Massive shortage of talent

4. Cost prohibitive

Page 8: (no text on slide)

Page 9: Responsible Disclosure plus CrowdSourcing with Ca$h

Page 10: Timeline slide, 2004 to 2013

Date markers on the slide, as extracted: 2002, 8-2004, 8-2005, 3-2009 (No More Free Bugs), 9-2010, 11-2010 (twice), 2010 (Google Chrome), 7-2011, 5-2012, 6-2012, 9-2012 (twice). Only "No More Free Bugs" and "Google Chrome" carry a label; the other program names were in the slide graphic and did not survive extraction.

Page 11: Any Bug Reporters?

Page 12: Keys to Running a Bug Bounty

Page 13: 5 Simple Rules

Page 14: Bug Payouts

Remote Code Execution

SQL Injection

Auth Bypass

XSS

Page 15: Not all bugs are equal

Page 16: Disclosure Policy

Page 17: First In, Best Dressed

Page 18: Well Defined Targets and Scope

Page 19: Do you pay for valid bugs that are out of scope?
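Slides 18 and 19 raise the scope question without showing how a triage team actually decides it. What follows is an added example, not code from the talk and not any real program's rules, of the scope check a triage tool can run on every report before anyone spends time reproducing it. The rule format is an assumption made here: an in-scope list of hostnames where a leading `*.` means "any subdomain of" (the apex is listed separately), plus an exclusion list that always wins. Valid reports that fall outside the rules are tagged out_of_scope rather than dropped, so the program can still decide whether to pay for them. Matching is done on label boundaries, so look-alike hosts such as evil-example.com or example.com.attacker.net do not pass as subdomains of example.com; the hostnames and report IDs below are constructed.

```python
from urllib.parse import urlsplit

# Constructed example rules (an assumption for this example, not a real program's scope).
IN_SCOPE = ["example.com", "*.example.com"]
EXCLUDED = ["legacy.example.com", "*.legacy.example.com"]


def host_matches(host: str, pattern: str) -> bool:
    """Match a hostname against one scope pattern.

    "*.example.com" matches any subdomain of example.com but not the apex
    itself, and only on a label boundary: "evil-example.com" and
    "example.com.attacker.net" must not match.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.example.com" -> ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def classify_report(target: str, in_scope=IN_SCOPE, excluded=EXCLUDED) -> str:
    """Return "in_scope", "excluded" or "out_of_scope" for a reported URL or host.

    Exclusions are checked first, so "*.example.com" cannot pull
    legacy.example.com back into scope.
    """
    # urlsplit needs a scheme or a leading "//" to treat the text as a netloc.
    parsed = urlsplit(target if "://" in target else "//" + target)
    host = parsed.hostname or ""  # lower-cased, port stripped
    if not host:
        return "out_of_scope"
    if any(host_matches(host, p) for p in excluded):
        return "excluded"
    if any(host_matches(host, p) for p in in_scope):
        return "in_scope"
    return "out_of_scope"


def triage(reports, in_scope=IN_SCOPE, excluded=EXCLUDED) -> dict:
    """Bucket a batch of (report_id, target) pairs by scope decision."""
    buckets = {"in_scope": [], "excluded": [], "out_of_scope": []}
    for report_id, target in reports:
        buckets[classify_report(target, in_scope, excluded)].append(report_id)
    return buckets


# Constructed sample reports, including the look-alike hosts that a naive
# endswith("example.com") check would wrongly accept.
SAMPLE_REPORTS = [
    ("R-1", "https://api.example.com/v1/users?id=1"),
    ("R-2", "https://API.EXAMPLE.COM:8443/login"),
    ("R-3", "example.com"),
    ("R-4", "http://legacy.example.com/admin"),
    ("R-5", "https://old.legacy.example.com/"),
    ("R-6", "https://evil-example.com/phish"),
    ("R-7", "https://example.com.attacker.net/"),
    ("R-8", "https://partner.example.net/"),
]

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_REPORTS).items():
        print(f"{bucket:13s} {ids}")
```

The exclusion-first ordering is the part that matters for the slide's question: a decommissioned host that is still reachable is exactly where valid bugs tend to turn up, and the program needs a deliberate answer for those rather than a wildcard that silently accepts them.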

Page 20: 5 Major Benefits

Page 21: Embrace Continuous Testing

Page 22: Market Your Security

Page 23: Diversity in Tools, Techniques, Approach

Page 24: Only Pay For Results

Page 25: Are companies with bug bounties MORE secure?

Page 26: 8 Potential Problems

Page 27: International Legal Issues

Page 28: Fixing bugs is hard and requires teamwork

Page 29: Spot the difference

Page 30: Understanding Language Barriers

Page 31: FALSE POSITIVES ARE A NECESSARY EVIL

Page 32: Weak Security Foundation

Page 33: Unclear Policies and Processes

Page 34: Hackers Cheat

Page 35: Bounty Hunters

Page 36: "Helping secure popular services, improving my skills, the credit, and of course the payment for a job well done"

@NightRang3r, Bug Bounty Hunter

Page 37: "…enhances my logical bug finding creativity and approach. It motivates me."

@AjaySinghNegi, Bug Bounty Hunter

Page 38: "First of all is the challenge, and second, the acknowledgement of researchers' hard work and rewarding them accordingly"

@NightRang3r, Bug Bounty Hunter

Page 39: "I like the training aspects of bug bounties"

@makash, Bug Bounty Hunter

Page 40: "The new challenges which I get in the bug bounty programs and also the appreciation by the bug bounty security team"

@AjaySinghNegi, Bug Bounty Hunter

Page 41: 3 Benefits

Page 42: Prestige and fame

Page 43: Practice Makes Perfect

Page 44: Cash Money

Page 45: Pick One:

•Money

•Fame

•Experience

Page 46: 4 Problems Ahead…

Page 47: No Visibility

Page 48: Terms can change at any time

Page 49: Inefficient use of testers' time

Page 50: Fixes Take Time

Page 51: Free Advice

Page 52: "Be prepared to run such a program, have the professional manpower to deal with bug submissions and to understand them"

@NightRang3r, Bug Bounty Hunter

Page 53: "Proper verification, timely reply to bug submissions with status"

@AjaySinghNegi, Bug Bounty Hunter

Page 54: Statistics don't Lie

Page 55: Almost 80% of bug submissions are sent in by researchers who submit less than 10 bugs total

Source: PayPal

Page 56: 44% of all bugs are the first and only bug sent by a researcher

Source: PayPal

Page 57: 10% of the researchers submit 25 bugs or more

Source: PayPal
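The three PayPal figures above use two different denominators: the 80% and the 44% are shares of submissions, while the 10% is a share of researchers. The block below is an added example, not code from the talk or from PayPal, that computes the same three figures and a bucketed volume distribution from a tracker export. The export format is an assumption made here (one researcher handle per accepted submission) and the submission log is constructed; the thresholds of fewer than 10 bugs and 25 or more follow the slides.

```python
from collections import Counter

# Constructed tracker export (an assumption for this example): one researcher
# handle per accepted submission. Real data would be exported from the
# program's bug tracker.
SAMPLE_SUBMISSIONS = (
    ["r01"] * 30 + ["r02"] * 25               # two prolific researchers
    + ["r03"] * 12                            # one mid-volume researcher
    + ["r04"] * 9 + ["r05"] * 5 + ["r06"] * 3  # casual reporters, under 10 each
    + ["r07", "r08", "r09", "r10"]            # first-and-only reporters
)

# Volume buckets as (label, low, high); high=None means unbounded.
BUCKETS = [("1", 1, 1), ("2-9", 2, 9), ("10-24", 10, 24), ("25+", 25, None)]


def researcher_metrics(submissions, casual_max=9, prolific_min=25):
    """The three figures quoted from PayPal, as fractions in [0, 1].

    The first two are shares of submissions, the third is a share of
    researchers, so they cannot be added to or compared with each other.
    """
    per_researcher = Counter(submissions)
    total_bugs = len(submissions)
    total_researchers = len(per_researcher)
    if total_bugs == 0:
        raise ValueError("no submissions")
    casual_bugs = sum(n for n in per_researcher.values() if n <= casual_max)
    one_off_bugs = sum(1 for n in per_researcher.values() if n == 1)
    prolific = sum(1 for n in per_researcher.values() if n >= prolific_min)
    return {
        "bugs_from_casual_reporters": casual_bugs / total_bugs,
        "bugs_that_are_first_and_only": one_off_bugs / total_bugs,
        "researchers_prolific": prolific / total_researchers,
    }


def bucket_distribution(submissions, buckets=BUCKETS):
    """Researchers and submissions per volume bucket, to show the long tail."""
    per_researcher = Counter(submissions)
    out = {label: {"researchers": 0, "bugs": 0} for label, _, _ in buckets}
    for n in per_researcher.values():
        for label, low, high in buckets:
            if n >= low and (high is None or n <= high):
                out[label]["researchers"] += 1
                out[label]["bugs"] += n
                break
    return out


if __name__ == "__main__":
    for name, value in researcher_metrics(SAMPLE_SUBMISSIONS).items():
        print(f"{name:30s} {value:.1%}")
    for label, row in bucket_distribution(SAMPLE_SUBMISSIONS).items():
        print(f"{label:6s} researchers={row['researchers']:2d} bugs={row['bugs']:3d}")
```

The bucketed view is what a program owner actually needs for staffing: the casual bucket is where most of the triage load and most of the false positives come from, while the handful of prolific researchers produce the bulk of the bugs.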

Page 58: Google has paid out $806,501 as of 3/11/2013

Source: Google

Page 59: Almost 70% of valid bugs are XSS

Source: Google

(Chart legend: XSS, XSRF)

Page 60: Does it Work?

Page 61: Google is reporting fewer bug submissions

"Harder to find" (Google Bug Hunter)

Page 62: Crowd-Sourced Security is changing testing

Page 63:

CrowdSecurify

Bugwolf

Outsourcing

Page 64: (no text on slide)

Page 65: (diagram labels)

Submit bugs

Accept bugs

Provide Rewards

Get Secure

Page 66: Thank You!

Page 71: Program Costs

Analysis

Tracking

Development

Payment

Page 72: Crowd Sourcing