BUG BOUNTY PROGRAMPRESENTATION & FEEDBACK

WHAT’S A BUG BOUNTY▸Deal for reporting bugs and security leaks

▸First appeared in 1995

▸Google: 2010

▸Rest of the world: 2011

▸No more consultants, audits, blah blah

PRESENTATION

HACK YOURSELF BEFORE OTHERS DO

PRESENTATION

ADVANTAGES▸Cheap

▸Pay as you go

▸Distributed

▸Transparency

▸Experts

PRESENTATION

DRAWBACKS

▸Bandwidth

▸Reactivity

▸Trust

PRESENTATION

FEEDBACK

HUNTER.IO▸Distributed team of 5

▸No security expert

▸Focused on UX and data quality, not on security

FEEDBACK

ANNOUNCEMENT

FEEDBACK

ANNOUNCEMENT▸Rules (do not disturb, no automation, test

with your own data, don’t publish until we fixed, etc.)

▸Rewards

▸What’s included and what’s not

▸How to report

FEEDBACK

RESULTS

FEEDBACK

RESULTS▸> 30 reports

▸7 rewards

▸About 2000$ bounties

▸A few disappointed hackers

▸A tested and retested app by dozens of hackers

FEEDBACK

KEY SUCCESS FACTORS▸Be reactive

▸Be generous

▸Be kind

▸Be transparent

▸Be confiant

FEEDBACK

SOURCES▸https://hackerone.com/

▸https://bountyfactory.io

▸https://internetbugbounty.org/

QUESTIONS?

BASTIEN.LIBERSA@GMAIL.COM

THANK YOU