Yet another talk on bug bounty


Page 1: Yet another talk on bug bounty

Bug bounty

n|u - The Open security community, Chennai Meet

Presenter: Vinoth Kumar
Date: 22/07/2017

Page 2

About Me

Application security engineer.

Blogger @ http://www.tutorgeeks.net

Email @ [email protected]

Tweet @vinothpkumar

Page 3

Agenda for the session

● What is bug bounty
● How to start with bug bounty
● My career as a bug bounty hunter
● Advantages of participating in bug bounty programs
● Advantages of conducting a bug bounty program
● Disappointments in bug bounty
● Popular bug bounty platforms
● Tips and resources

Page 4

What is bug bounty

Paying a monetary reward to security researchers for certain qualifying security bugs.

● Researcher finds a security bug in example.com
● Researcher responsibly reports the identified bug to Example
● Example's security team validates the findings and fixes the issue
● Example pays $$$ / swag / gift according to the bug's impact and its program policy

Page 5

How to start with Bug bounty

● Start with easier sites. Understand the logic of the site. Find sites that are not tested by many.
● Never hunt for money, hunt for learning. (500 USD from facebook.com is equal to five 100 USD bugs from spreaker.com)
● Enumeration is the key. Target the subdomains instead of the main site.
● Always check if a site is running a bug bounty program before performing the test cases. Testing a site without permission is a cyber crime, even if your intention is good (responsibly reporting the identified security vulnerabilities).
● Say no to scanners

Page 6

Qualities of a good report - earns more respect

Vulnerability :

Detailed explanation of the vulnerability :

Steps to reproduce: (with attachments and video if required)

How does it affect example.com:

Remediation:

Note: Don't blindly copy-paste the contents of other researchers' blogs or H1 reports. Understand the vulnerabilities and their exploitation.

Page 7

My career as a bug bounty hunter

Page 8

Seeking a security engineer job was difficult

Applied to security engineer jobs - 25+ companies

Either "No response"

(or)

"You don't have relevant experience"

(Since I spent 1.5 years of my career in non-security, getting a security engineer job was difficult)

Page 9

Why I didn’t get interview calls

● No relevant experience.
● No industry-recognized security certifications.
● Didn't have anything to showcase my ability.

Page 10

Advantages of participating in bug bounty programs

● Adds value to your resume
● Increases the possibility of getting a job in the industry.
● Opportunity to make more money in less time.
● Recognition
● Knowledge
● You'll learn to work hard because of the competition.

Page 11

Advantages of conducting a bug bounty program

● Fewer hacks and breaches
● Lots of people are testing your application (different approaches towards testing)
● Cost efficient
  ○ A company has to spend a huge amount when it outsources a security assessment to a 3rd-party vendor: $$$ is charged based on the time spent testing your application, whereas when you run a bug bounty program you only pay the researcher for the reported bugs and not for the whole effort spent on security testing.

Page 12

Disappointments in Bug Bounty

● A duplicate submission will hurt more than your love failure.
● Companies not responding to your report but silently fixing the vulnerabilities without giving you credit.
● Companies not rewarding the appropriate amount for the severity of the bug.

Page 13

Popular Bug bounty platforms

● https://www.bugcrowd.com/bug-bounty-list/
● Hackerone.com
● Bugcrowd.com
● Synack
● Use Google dorks
  ○ inurl:bugbounty

Page 14

Indian companies that run BB programs

Page 15

Tips and Resources

● Read all public disclosures on HackerOne - http://h1.nobbd.de/
● Always stick to the program scope.
● Follow some great bug bounty hunters. Read their blogs.
● Keep your eyes glued to Twitter.
● Be very strong in at least one vulnerability and its exploitation.
  ○ I admire Anand Prakash for his IDOR skills - http://www.anandpraka.sh/
● Select a particular target while focusing on bug bounty. Don't test random sites.
  ○ FYI - File descriptor earned 2.5 crores only from Twitter - https://hackerone.com/filedescriptor

Page 16

● Choose your passion. Go for either web application or mobile application security testing.
● Join some bug bounty forums - https://bugbounty-world.slack.com
● Keep watching Nullcon, Defcon, Blackhat talks
● Sign up for Google alerts.
  ○ (You'll never know when you'll get a pop-up in Google :P)

Page 17

Thank You