Finding security flaws faster & cheaper

1. BUG BOUNTY PROGRAMS: Finding security flaws faster & cheaper

2. What is a security bug bounty?
To show appreciation for security researchers worldwide, companies offer a bounty (usually monetary) for certain qualifying security bugs.

3. Who is already doing it?
& many more

4. Why do a Bug Bounty Program (BBP)?
• To prevent critical bugs being sold on the black market
• A productive relationship with the community
• Internal bug hunters are limited in number; the external ones are virtually unlimited
• It's the fastest way to secure publicly facing applications and infrastructure
• Provides security training and awareness for internal teams
• Recruit talented bug hunters
& many more

5. Why give budget to a BBP and not invest in a secure SDLC?
No matter how much the company improves the SDLC, security bugs will occur, mainly because of:
• 3rd party code and services
• Shared infrastructure
• New developers
• The rush for functionality

6. Why not just a BBP as security?
Application security must be achieved using all means available. A secure SDLC must include as part of the cycle:
• Source code audit
• Penetration testing
• Bug Bounty Program

7. How much have others spent?
• $2M in 4 years
• $1M in 2 years

8. How much should the company spend?
• Start low: small amounts, non-monetary bounties
• Establish a leader board / hall of fame
• If budget is a constraint, establish a cap and restrict the limits of the program (one site/application)
• Reevaluate periodically the amounts paid
• It's not always about the money that security researchers are after (but then again you don't want to end up paying $12.50 for a bug like Yahoo; in this case no bounty is a better option)

9. Who is doing it?
What kind of persons are doing this?
• Security researchers doing this for a living
• Hobbyists
Why are they doing this?
• Money
• Leaderboards
• Hire opportunities
• Challenges / Fun

10. Lessons learned from other BBPs
• The leader boards are constantly changing.
• Some people go out and try the same technique until they dry out. New people come with new ideas, keeping the scene interesting.
• When it comes to security research, the Internet is an endless pool of fresh ideas.

11.
Google's reward matrix

Vulnerability category                                | accounts.google.com | Other highly sensitive services [1] | Normal Google applications | Non-integrated acquisitions and other lower priority sites [2]
Remote code execution                                 | $20,000             | $20,000                             | $20,000                    | $1,337 - $5,000
SQL injection or equivalent                           | $10,000             | $10,000                             | $10,000                    | $1,337 - $5,000
Significant authentication bypass or information leak | $10,000             | $7,500                              | $5,000                     | $500
Typical XSS                                           | $7,500              | $5,000                              | $3,133.7                   | $100
XSRF, XSSI and other common web flaws                 | $500 - $3,133.7     | $500 - $1,337                       | $500                       | $100

12. Black market prices

13. Short term actions
• Elaborate and publish a Responsible Disclosure Policy
• Establish a clear point of contact for reporting (email, web form)
• Start an internal BBP for employees

14. Short term actions
• Give security researchers credit for their work
• Publish leader boards
• Start an external pilot program (limit the scope to one site/application)

15.
Further references
• http://vimeo.com/54130349 - Google, Facebook and Mozilla BBP managers talking about the subject
• http://techcrunch.com/2013/08/12/googles-bug-bounty-program-has-now-paid-out-over-2m-ups-some-chromium-rewards-to-5k/ - how much Google & Facebook have spent
• http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/ - black market prices
• http://www.google.com/about/appsecurity/reward-program/ - Google bug bounty program
• https://www.facebook.com/whitehat - Facebook bug bounty program

16. danvasile@pentest.ro
http://www.pentest.ro