Bug bounty programs
Uploaded by dan-catalin-vasile
Transcript of Bug bounty programs
BUG BOUNTY PROGRAMS
Finding security flaws faster & cheaper
What is a security bug bounty?
To show appreciation for security researchers
worldwide, companies offer a bounty (usually
monetary) for certain qualifying security bugs.
Who is already doing it?
& many more
Why do a BBP?
• To give researchers an incentive to report critical bugs
rather than sell them on the black market
• Productive relationship with the community
• Internal bug hunters are limited in number; the
external ones are virtually unlimited
• One of the fastest ways to find flaws in publicly facing
applications and infrastructure
• Provides security training and awareness for
internal teams
• Recruit talented bug hunters
& many more
Why give budget to a BBP and not
invest in a secure SDLC?
No matter how much the company improves the
SDLC, security bugs will occur, mainly because of:
• 3rd party code and services
• Shared infrastructure
• New developers
• The rush for functionality
Why not rely on a BBP as the only security measure?
Application security must be achieved using all
means available.
A secure SDLC must include as part of the cycle:
• Source code audit
• Penetration testing
• Bug Bounty Program
How much have others spent?
$2M in 4 years (Google)
$1M in 2 years (Facebook)
How much should the company spend?
• Start low
  • small amounts
  • non-monetary bounties
• Establish a leader board / hall of fame
• If budget is a constraint, establish a cap and restrict the
limits of the program (one site/application)
• Reevaluate periodically the amounts paid
• It's not always about the money that security
researchers are after (but then again you don't want to
end up paying $12.50 for a bug, as Yahoo did; in that case
no bounty is a better option)
Who is doing it?
• Security researchers doing this for a living
• Hobbyists
Why are they doing this?
• Money
• Leaderboards
• Hire opportunities
• Challenges / Fun
Lessons learned from other BBPs
The leader boards are constantly changing. Some
people go out and try the same technique until
they dry out. New people come with new ideas,
keeping the scene interesting.
When it comes to security research, the Internet is
an endless pool of fresh ideas.
Google’s reward matrix
Vulnerability class                                   | accounts.google.com | Other highly sensitive services [1] | Normal Google applications | Non-integrated acquisitions and other lower priority sites [2]
Remote code execution                                 | $20,000             | $20,000                             | $20,000                    | $1,337 - $5,000
SQL injection or equivalent                           | $10,000             | $10,000                             | $10,000                    | $1,337 - $5,000
Significant authentication bypass or information leak | $10,000             | $7,500                              | $5,000                     | $500
Typical XSS                                           | $7,500              | $5,000                              | $3,133.7                   | $100
XSRF, XSSI and other common web flaws                 | $500 - $3,133.7     | $500 - $1,337                       | $500                       | $100
(Footnotes [1] and [2] belong to Google's original table and are not reproduced in the transcript.)
Black market prices (slide shows the zero-day price list cited in the Forbes reference below)
Short term actions
• Elaborate and publish a Responsible Disclosure
Policy
• Establish a clear point of contact for reporting
(email, web form)
• Start an internal BBP for employees
• Give security researchers credit for their work
• Publish leader boards
• Start an external pilot program (limit the scope
to one site/application)
Further references
http://vimeo.com/54130349 – Google, Facebook and Mozilla BBP managers talking about the subject
http://techcrunch.com/2013/08/12/googles-bug-bounty-program-has-now-paid-out-over-2m-ups-some-chromium-rewards-to-5k/ – how much Google & Facebook have spent
http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/ – black market prices
http://www.google.com/about/appsecurity/reward-program/ – Google bug bounty program
https://www.facebook.com/whitehat – Facebook bug bounty program
[email protected]
http://www.pentest.ro