5 Reasons NOT To Start a Bug Bounty Program: Real Talk with HackerOne
Transcript of 5 Reasons NOT To Start a Bug Bounty Program: Real Talk with HackerOne
hackerone.com @hacker0x01
Who is this guy?
● Adam Bacchus
● Work
○ Pentester (~4 yrs)
○ Google (~4 years)
○ Snapchat (~1 year)
○ HackerOne
● Play
○ Gaming
○ Playing with fire
5 reasons NOT to start a bug bounty program
1. Who are these hackers? Can I trust them?
2. It’ll be a PR disaster!
3. It’s a budgeting black hole!
4. We don’t have bandwidth to start and run a bounty program!
5. (??? to be revealed later ???)
#1 - Who are these hackers? Can I trust them?
● Anyone from across the world!
● Student hackers
● Professional hackers
● Casual hackers
● Young, old, all genders, all races - everyone
● Why do they hack?
○ Intellectual curiosity
○ Recognition
○ It’s the “right thing” to do
○ Financial rewards
○ Helping protect brands they like
○ Satisfaction from improving security
Reality check:
1. Vulnerabilities are inevitable.
2. Hackers are gonna hack.
3. Give them the opportunity to do the right thing!
● What if they go outside of scope?
● What if they leak vulnerability details?
● What if they use what they found as a weapon against me?
What if they go out of scope?
● First step - create a “rules page,” AKA your “security page”
● What’s in scope? What’s out of scope?
● How do they contact you?
● Are you offering rewards?
● Rules page is an iterative process
Transparency is key! Transparency reduces misunderstandings.
What if they leak vulnerability details?
● Set the “rules of the road” in your security page
● No disclosure until the bug is fixed! Otherwise, you’re outta here
● When are bounties paid?
● Incentives + negative impact
○ Loss of reputation for the hacker
○ Other companies won’t want to work with them
What if they use what they found as a weapon against me?
● Hackers are gonna hack; it’s a race between good and evil
○ Truly evil hackers aren’t going to bother with your bug bounty
○ Encourage friendly hackers to find and report bugs first
● Clearly state to use test accounts only in your security@ page
○ Hacking other users is not allowed!
● Outline the limits of testing in your security@ page
○ How far should/shouldn’t a hacker go with a PoC?
Did I mention transparency yet? :)
#2 - It’s a budgeting black hole!
● I don’t know how much budget I need for bounties!
● This sounds like it costs a ton of money! What’s my ROI?
I don’t know how much budget I need for bounties!
● Start small! Ensure your scope is well-defined
● Figure out your bounty pricing structure
● Think of vulnerability types and scopes that matter most to you
○ These areas should have higher rewards
○ Healthcare? Bugs that expose patient data
○ Financial? Bugs that alter financial data
○ Advertising? Bugs that impact daily revenue
○ etc.
● Consider starting with a “private” / invite-only program first
● Test the waters
● Avg. bounty based on HackerOne data = $500 per bug
● Check out similar bug bounty programs to see how they structure pricing
This sounds like it costs a ton of money! What’s my ROI?
● What’s more expensive - getting breached, or getting a heads-up from a friendly hacker?
● Data from bug bounty programs helps you identify gaps in your SDLC
● Positive security PR by virtue of even having a bounty program
● HackerOne has ROI tools to walk you through this; contact [email protected] for more info
The Dept. of Defense paid $5 million+ over three years to a single vendor which found < 10 vulns. Hack the Pentagon bug bounty program cost $150k and resulted in 138 valid vulnerabilities. That’s 14x output for 1/33 the cost!
#3 - We don’t have bandwidth!
● Our security team is already swamped, how can we find time to run a bounty program?
● We have a hard enough time getting developers to fix security bugs in a timely manner today, and you want me to pile more security bugs on top of that?
Our security team is already swamped, how can we find time to run a bounty program?
● It definitely takes time
● Initial launch will have the biggest flood of reports
● Consider a “private” / invite only program to start out
● Set up a weekly on-duty/interrupts rotation
● Primary on-duty is responsible for responding to all reports
● Share the operational load, prevent burnout
● Depending on volume, assume 20 hrs / week initially
● Otherwise, you can pay to play
○ HackerOne offers various levels of managed service for triaging reports, managing bounties, etc.
We have a hard enough time getting developers to fix security bugs in a timely manner today, and you want me to pile more security bugs on top of that?
● Engage early with your dev team; “bugs are coming”
● Bugs are live in prod and were found by a friendly hacker
● This means an evil hacker could find it too
● Provides real world motivation for more timely remediation
● Improve security culture and priority throughout the org
● This is a new stream/source of bugs
● Tie-in to your existing vulnerability management processes
● Ensure the impact of the issue is clearly communicated
○ Classify severity of the issue (ease of exploit, impact, what’s affected, etc.)
● If devs have questions, be the glue between them and the hacker
● Create incentive programs for devs, celebrate:
○ Fastest fixers
○ Cleanest code
○ Most improved
○ etc.
#4 - It’ll be a PR disaster!
● Isn’t having a bug bounty program the same as admitting we can’t handle security ourselves? It makes us look weak!
● What if we disagree with a hacker and they go to the media?
● My PR team would never allow us to do something like this!
Who would publicly state they wanted help from hackers?
Isn’t having a bug bounty program the same as admitting we can’t handle security ourselves? It makes us look weak!
● It’s impossible to catch everything yourself
● Bug bounty programs let friendly hackers work with you to help identify issues before the bad guys do
● Big names have public programs - they are a best practice
○ Not having a program puts you behind in the race
● Even the US DoD invited hackers to Hack the Pentagon!
What if we disagree with a hacker and they go to the media?
● Transparency and high quality comms to keep things smooth
● Invariably you’ll have an outlier wanting to go public on a non-issue
● If it’s truly a non-issue, the hacker will end up looking silly
My PR team would never allow us to do something like this!
● Having a publicly facing bug bounty program is actually a source of great security PR
● Your public bug bounty program is a public track record of your commitment to security
● Security is a competitive differentiator
● Need to ensure PR understands how bug bounties work
● Show them examples of positive security PR from bug bounty programs (e.g. Hack The Pentagon)
#5 - ???
● Alright, the fifth reason NOT to start a bug bounty program… (drumroll please)
#5 - I don’t know where to start!
● Maybe you’re convinced - you’re ready to start a program… but how?
● There are a ton of resources out there to get started
● Lots of great existing examples...
Example: Uber’s rules page - hackerone.com/uber
Example: Twitter’s rules page - hackerone.com/twitter
● HackerOne’s “Hacktivity” feed: https://hackerone.com/hacktivity/popular
● Collin Greene’s blog on bug bounty programs: https://hackerone.com/blog/bug-bounty-5-years-in-uber-facebook
● Creating a private team on HackerOne: https://hackerone.com/teams/new
● Crafting your security page: https://hackerone.com/blog/Bug-Bounty-or-Bust-Crafting-Your-Security-Page
So… why shouldn’t you start a bug bounty program?
1. Who are these hackers? Can I trust them? Friendly hackers are your friends!
2. It’ll be a PR disaster! Bug bounty programs increase your security PR stature
3. It’s a budgeting black hole! Estimate your budget and start small
4. We don’t have bandwidth to start and run a bounty program! Sell the ROI to get buy-in on necessary resources, build a great structure around operational coverage
5. (??? to be revealed later ???) Get started!
Conclusion
Thanks for watching!
Twitter: @sushihack