Setting up a Bug Bounty Program

Transcript of "Setting up a Bug Bounty Program"

  • BUG BOUNTY PROGRAM: PRESENTATION & FEEDBACK

  • PRESENTATION

  • WHAT'S A BUG BOUNTY?

    A deal for reporting bugs and security leaks

    First appeared in 1995

    Google: 2010

    Rest of the world: 2011

    No more consultants, audits, blah blah

  • HACK YOURSELF BEFORE OTHERS DO

  • ADVANTAGES

    Cheap

    Pay as you go

    Distributed

    Transparency

    Experts

  • DRAWBACKS

    Bandwidth

    Reactivity

    Trust

  • FEEDBACK

  • HUNTER.IO

    Distributed team of 5

    No security expert

    Focused on UX and data quality, not on security

    http://hunter.io

  • ANNOUNCEMENT

    Rules (do not disturb, no automation, test with your own data, don't publish until we have fixed it, etc.)

    Rewards

    What's included and what's not

    How to report

  • RESULTS

    More than 30 reports

    7 rewards

    About $2000 in bounties

    A few disappointed hackers

    An app tested and retested by dozens of hackers

  • KEY SUCCESS FACTORS

    Be reactive

    Be generous

    Be kind

    Be transparent

    Be confident

  • SOURCES

    https://hackerone.com/

    https://bountyfactory.io

    https://internetbugbounty.org/

  • QUESTIONS?

    BASTIEN.LIBERSA@GMAIL.COM

    THANK YOU