OWASP Denver
Transcript of OWASP Denver (uploaded by leifdreizler)
State of Bug Bounty
Leif Dreizler, Sr. Security Engineer (@leifdreizler)
Things I’ll Cover
o Bug Bounty: 👻 🎁 🔮
o Pro tips, pitfalls, war stories
o Questions!
What’s a bug bounty program?
A Brief History of Bug Bounty Programs
1995
2004
Big Data Security Metrics
Highlights from the 2014 Google Report
o Started in 2010
o In 2014 paid over 200 researchers
o Highest single payout: $150k
o Total payout: $1.5+ million
o Over 500 unique and valid bugs
o Over half of the bugs in Chrome were reported and fixed in beta or dev builds
src: http://googleonlinesecurity.blogspot.com/2015/01/security-reward-programs-year-in-review.html
Google VRP
src: https://sites.google.com/site/bughunteruniversity/behind-the-scenes/charts
Highlights from the 2014 Facebook Report
o Started in 2011
o Currently $500 minimum, no defined maximum
o 17,011 Submissions
o 61 Eligible bugs were high severity
o 123 Countries (65 Rewarded)
o $1.3 million paid to 321 researchers

Countries with High # of Valid Subs
| Country | Valid Bugs | Average $ Reward |
|---|---|---|
| India | 196 | $1,343 |
| Egypt | 81 | $1,220 |
| USA | 61 | $2,470 |
| UK | 28 | $2,768 |
| Philippines | 27 | $1,093 |
src: https://www.facebook.com/notes/facebook-bug-bounty/2014-highlights-bounties-get-better-than-ever/1026610350686524
Microsoft Bounty Expansion
o Started in 2013
o Online services like Azure and O365 have a maximum bounty of $15k
o Doubled this during Aug 5 - Oct 5 for auth vulnerabilities in Windows Live
o “Mitigation Bypass” bounty for novel methods to bypass paramount OS protections like ASLR and DEP - $100k
o “Bonus Bounty for Defense” - $50k
src: http://blogs.technet.com/b/msrc/archive/2015/04/22/microsoft-bounty-programs-expansion-azure-and-project-spartan.aspx
src: https://technet.microsoft.com/en-us/security/dn800983
Highlights from the 2014 Github Report
o First year of the program
o $200 - $5,000 (doubled for 2015)
o 1,920 Submissions
o 73 Unique Vulnerabilities (57 medium/high)
o 33 Unique Researchers earned a total of $50,100 for the med/high vulnerabilities
src: https://github.com/blog/1951-github-security-bug-bounty-program-turns-one
Tesla Motors
o Began their program with Bugcrowd in 2015
o Includes all Tesla Motors hosts, mobile apps, and any hardware you’re authorized to test against (don’t hack your neighbor’s car)
o Initially had an upper end of $1,000
o Increased the upper end to $10k at Black Hat
o Researchers were able to gain access to the Model S computer system, remotely lock and unlock the car, and apply the emergency brake if under 5 m.p.h.
Why should my organization run a bug bounty?
o Helps augment your internal security team
o Helps level the playing field
o Shows the security community you’ll work with them
o Makes it easy for researchers to “do the right thing”
o The program makes a statement
o Continuous testing
I’m already doing enough
o Red Team
o Scanners
o Traditional Pentests
I’m already getting continuous testing from my red team
o Bug bounties don’t replace red teams
o They work in concert, providing a different perspective
o Red teams have access to privileged information that may create bias in their testing
I’m already getting continuous testing from a scanner
o They report false positives
o Scanners miss a lot of vulnerabilities
I’m already having my application pen tested
o Limited resources compared to the crowd
o Paying for time vs. results
o Snapshot in time
Github Program Lifecycle
src: https://github.com/blog/1951-github-security-bug-bounty-program-turns-one
Community Management
o Deluge of submissions
o Triage and Validation
o Researcher Communication
o Researcher Payment
o Remediation
Program Growth
o Increase number of researchers
o Increase scope
o Increase reward ranges
o Increase publicity
State of Bug Bounty
January 2013 - June 2015
Culmination of 2 Years of Bug Bounty Data
Areas of Trends:
o Types of Programs
o Signal to Noise Ratio
o Severity of Submissions
o Types of Submissions
o Researcher Demographics & Behavior
How do researchers join private programs?
Researchers are measured on the below factors and invited accordingly…
o Quality: if a submission is valid and in scope
o Impact: if a submission is worth your time
o Activity: if a researcher is ready to work
o Trust
Why Invite Only?
Signal:
» Valid
» Fixable
» High-Priority
» Reproducible
» In Scope
Noise:
» Invalid
» Ignored
» Duplicate
» Non-Reproducible
» Out-of-Scope
Program Statistics
o $725k paid to researchers
o 38k submissions
o 8k valid & unique (21%)
o $200 average payout
o 4.39 “big bugs” per program
What are big bugs?
P1 - Critical
Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, financial theft, etc.
Examples: Vertical Authentication bypass, SSRF, XXE, SQL injection, User Authentication bypass
P2 - High
Vulnerabilities that affect the security of the platform including the processes it supports.
Examples: Lateral authentication bypass, Stored XSS, some CSRF depending on impact
Google VRP
src: https://sites.google.com/site/bughunteruniversity/behind-the-scenes/charts
How to reduce noise
o Provide clear directives to researchers
o What’s in/out of scope
o Play by your own rules
o Reward Quickly and Consistently
o Fix Quickly
o Provide feedback/education
Provide Feedback/Education
o Respond to researchers
  o Improve submissions
  o Note deficiencies
  o Clarify scope
o Training
  o Google: Bughunter University
  o Facebook: Bounty Hunter’s Guide
  o Bugcrowd: Bugcrowd Forum
Shaping the Future of Bug Bounty
o Guest blog posts
o Bugcrowd Forum
o Training
  o https://github.com/jhaddix/tbhm
  o https://www.youtube.com/watch?v=VtFuAH19Qz0
  o https://blog.bugcrowd.com/bugcrowds-2015-guide-hacker-summer-camp/
Shaping the Future of Bug Bounty
Bug Bounties as Primary Source of Income (Researchers with 15+ Valid Submissions)
Researcher Statistics
o 20,000 total sign ups
o 90 Countries
  o India - 31%
  o US - 18%
  o UK - 9%
o Highest average payout
  o Cyprus - $644
  o Switzerland - $512
  o Austria - $475
Google VRP
src: https://sites.google.com/site/bughunteruniversity/behind-the-scenes/charts
Submissions: What do they find?
In Summary
o Bug bounty programs have been around for a while
o Managing a bug bounty program can be difficult
o Security-conscious companies keep running them
o More companies are adopting (private) programs
o Researchers are reporting interesting and critical vulnerabilities