
Living with a Bug Bounty Program (脆弱性報奨金制度との付き合い方)

Slides from a lightning talk given at YAPC::Fukuoka 2017.

Atsushi Takayama

July 01, 2017


Transcript

  1. Living with a Bug Bounty Program
    YAPC::Fukuoka LT

  2. About me
    Takayama @edvakf
    pixiv Inc. CTO, also in charge of setting up the Fukuoka office

  3. (image-only slide, no text)

  4. These slides refer to BugBounty.jp a lot, but this is purely my opinion
    as one user of the service; I have no other stake in it whatsoever.

  5. Someone important says:
    "Security risks are scary. I don't mind if it takes a little extra
    effort, so make it absolutely safe, OK?"

  6. We want to reduce security risk
    Neither management nor the people on the ground want to treat
    security lightly
    We don't know what the appropriate amount to spend on security is
    Aiming for 100% costs an unbounded amount
    We don't want to sacrifice development speed

  7. As it happened, pixiv ended up
    using BugBounty.jp

  8. Advantages specific to BugBounty.jp

  9. The cost of getting started is as low as it gets
    No need to build a vulnerability reporting desk or any other system
    You can start without a security lead or a dedicated team
    (We even had them draft the program rules for us, more or less)

  10. Everything around payouts can be outsourced entirely
    Paperwork
    International transfers
    The laws around gifts and donations
    → We don't want to think about any of it!!

  11. What the bug bounty "operations craftsman"
    actually does

  12. Vetting reports
      Does it reproduce?
      Is the attack easy?
      How wide is the impact?
      Does it meet the program rules?
      Is it a duplicate of an earlier report?
    Decide the fix policy and file an issue
      If it's simple, fix it on the spot
      If discussion is already under way in a previously filed issue,
      join it
    Decide the reward amount (more on this later)
    Update the reward table
      Decided roughly, internally
      It would really be better to publish it
    Revise the criteria
      It would be kinder to state clearly in the criteria what does
      not count as a vulnerability
      We haven't managed to get much of this done

  13. This requires fairly sophisticated judgment

  14. Currently two people (the CTO and a lead engineer) spend
    about an hour a week on it
    It also takes clout to push other teams to make fixes
    My sense is that to handle more reports than this we'd need to
    organize things internally a bit better
    → The reward amounts were set arbitrarily at first, but were
    raised once to bring in more reports

  15. Setting an appropriate reward amount

  16. "Enough that reporting makes more sense
    than attacking"

  17. is not realistic

  18. At pixiv

  19. It's fine to set a cap within whatever range the company considers appropriate
    Security risk varies with the company's brand and the data it
    handles
    Balance supply and demand so that just the right volume of reports
    comes in for the development organization to handle
    A few per week
    The internal approval (ringi) is framed as "roughly this amount
    per month"

  20. We set an internal "rough baseline" and decide reward amounts
    by comparison against it
    It would be kinder to reporters to publish the criteria and keep
    them updated (we haven't)
    CVSS could also be used as a reference (we don't)
    https://www.ipa.go.jp/security/vuln/CVSSv3.html

  21. Another example (Google)
    https://www.google.com/about/appsecurity/reward-program/

  22. Breakdown of reports

  23. Of all reports, 60-70% are accepted as vulnerabilities; the breakdown (my impression) is
    Design deficiencies around login or sessions: 20%
    Vulnerabilities that lead to phishing, such as open redirectors and
    clickjacking (?): 20%
    Missing or incorrect HTTP headers and the like: 20%
    Known vulnerabilities in frameworks etc.: 10%
    XSS and the like: 10%
    Other: 20%

  24. Honestly, some cases are a pain

  25. Not without concerns

  26. If someone inside the company reported a vulnerability anonymously…
    There doesn't seem to be a way to prevent that at the system level

  27. That said,
    some reports are very instructive

  28. In one year of running it, we paid the top reward four times
    A PostScript file disguised as a PNG that (mumble mumble)
    Just getting someone to open a specific URL would (mumble)
    Data saved by other users could be (cough cough)
    An old API for Flash that (um, er)

  29. Respect for reporters matters

  30. To make them want to report again
    Try to reply as quickly and as precisely as possible
    Even when we judge something not to be a vulnerability, or it is a
    duplicate, readily pay a reward if it was informative
    Use wording that is never rude
    About half the reports are in English, so we sometimes struggle to
    phrase things appropriately in English

  31. Summary

  32. We used BugBounty.jp to start a bug bounty program while keeping
    the up-front cost down
    Operating it takes a fair amount of effort
    Though that amounts to about an hour a week of vetting plus the
    cost of the fixes
    Reward amounts are probably best set within what you can afford to
    pay and what you can manage to process
    We are very grateful to the reporters