
Decoding Bug Bounty Programs

Jon Rose
September 27, 2013


Let’s deconstruct the world of digital bounty hunters.
 
Amid the growing trend to "crowd source" services, a few progressive enterprises are taking a new approach to information security. A potential game-changer, these companies are shifting the traditional model of IT risk assessment by opening their doors -- and their wallets -- to freelance hackers who break in without fear of legal repercussions. Bug bounty programs pay cash to hackers for responsibly disclosing security vulnerabilities in production applications and networks.

From the vantage point of the bounty hunter, this presentation examines who these freelance hackers are, what motivates them, and how they judge the value of bug bounty programs. It is equally important to understand the perspective of the people who run these programs: how the programs fit into a comprehensive information security framework, and the key successes and failures to date of this new crowd-sourced model. As part of this, the discussion reviews metrics from an existing program and highlights some of the more interesting bugs discovered.

Ultimately, what is the future for these bug bounty programs? Will they disrupt the existing marketplace for professional security consulting services by offering a cheaper, more effective crowd-sourced approach? Or are these programs simply a tool for the most advanced, most daring companies to take their security programs to the next level?

This presentation will cover these questions and more.


Transcript

  1. 1. Automated tools don't work. 2. Waterfall security isn't Agile. 3. Massive shortage of talent. 4. Cost prohibitive.
  2. Timeline of bug bounty programs, 2002 to 2013 (dates visible on the slide: 2002, 8-2004, 8-2005, 3-2009 "No More Free Bugs", 2010, 9-2010, 11-2010, 7-2011, 5-2012, 6-2012, 9-2012, Chrome).
  3. "Helping secure popular services, improving my skills, the credit, and of course the payment for a job well done." @NightRang3r, Bug Bounty Hunter
  4. "...enhances my logical bug finding creativity and approach. It motivates me.." @AjaySinghNegi, Bug Bounty Hunter
  5. "First of all is the challenge, and second, the acknowledgement of researcher's hard work and rewarding them accordingly." @NightRang3r, Bug Bounty Hunter
  6. "To be eligible you *must not*: Be less than 18 years of age. ... PayPal will remove that researcher from the Bug Bounty Program and disqualify them from receiving any bounty." PayPal Site Security
  7. (image-only slide)
  8. Redirect the victim to external websites located through a Facebook app in order to save the victim's access_token.
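Slide 8 describes an open redirect in a Facebook app being used to send a victim to an external site and capture the victim's OAuth access_token. The standard mitigation is for the application to accept only redirect targets on an allowlist it controls, rather than any URL supplied in a request. The following is an added example (not code from the deck, from Facebook, or from PayPal) of such a check in Python; the allowlisted hosts and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this application will redirect to.
ALLOWED_REDIRECT_HOSTS = {"app.example.com", "www.example.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_REDIRECT_HOSTS) -> bool:
    """Return True only if target is a same-site relative path or an http(s) URL on an allowlisted host."""
    if not target:
        return False
    # Some browsers treat a backslash like a forward slash, so normalise it before parsing.
    normalized = target.replace("\\", "/")
    # Protocol-relative URLs ("//evil.example/...") carry no scheme but still leave the site.
    if normalized.startswith("//"):
        return False
    parts = urlsplit(normalized)
    if parts.scheme == "" and parts.netloc == "":
        # Plain relative path such as "/account?tab=1": require a leading slash and printable ASCII.
        return normalized.startswith("/") and all(32 <= ord(c) < 127 for c in normalized)
    if parts.scheme not in ("http", "https"):
        # Rejects javascript:, data: and any other non-web scheme.
        return False
    host = parts.hostname
    if host is None:
        return False
    # .hostname strips userinfo ("https://app.example.com@evil.example" -> "evil.example") and the port,
    # and lowercases the name, so the allowlist is compared against the host the browser would contact.
    return host in allowed_hosts


def resolve_redirect(target: str, fallback: str = "/") -> str:
    """Return target if it passes the allowlist check, otherwise a safe fallback location."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed sample inputs, a mix of legitimate and hostile redirect targets.
    for candidate in [
        "/account?tab=1",
        "https://app.example.com/callback",
        "//evil.example/collect",
        "https://app.example.com@evil.example/collect",
        "javascript:alert(1)",
        "https://evil.example/?from=app.example.com",
    ]:
        print(f"{candidate!r:50} -> {resolve_redirect(candidate)}")
```

The check deliberately compares the parsed hostname, not the raw string: substring or prefix matching ("starts with app.example.com") is exactly what the userinfo and query-string variants above defeat. The same allowlist logic applies to an OAuth redirect_uri, where the comparison should be against the exact registered URI.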
  9. (image-only slide)
  10. "We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site." Facebook
  11. (image-only slide)
  12. "I could sell on the black (hat) hackers' websites and I could make more money than Facebook could pay me. But for me -- I am a good guy. I don't deal with the black (hat) stuff." Khalil, interview with CNN
  13. 44% of all bugs are the first and only bug sent by a researcher. (PayPal)
  14. Almost 80% of bug submissions are sent in by researchers who submit less than 10 bugs total. (PayPal)
  15. "Be prepared to run such a program, have the professional man power to deal with bug submissions and to understand them." @NightRang3r, Bug Bounty Hunter
  16. "Proper verification of logical bugs, timely reply to bug submissions with status." @AjaySinghNegi, Bug Bounty Hunter
  17. ?