
Building a Low Overhead Bug-Bounty Program

This is the story of why and how we built an in-house bug bounty program, with almost all the features of a SaaS platform, at invideo.io in 15 days, using only tools that were already available to us:
- Zapier
- Google Forms
- Google Sheets
- Linear.app
- Slack
- Gmail

Joy Bhattacherjee

September 29, 2022

Transcript

  1. We are…
     ▸ Joy B., DevOps & Security Architect @invideo.io
     ▸ Pankaj Mouriya, Sr. Security Engineer @invideo.io
  2. Roadmap
     ▸ Why?
     ▸ How?
     ▸ The Pipeline
     ▸ Is it Perfect?
     ▸ Thinking ahead
     ▸ Tips & Tricks
  3. Why did we need a bug-bounty program?
     ▸ Vulnerability reports were already reaching us through informal channels and unstructured mail threads.
     ▸ This took up a significant amount of leadership's time in ad hoc responses.
     ▸ We wanted to formalize this process and bring some order to the chaos.
     ▸ Engineering needed a prioritized and grouped list of vulnerabilities to fix, so they could focus their energy for maximum impact.
     ▸ Classifying and ranking reported vulnerabilities needed dedicated engineering bandwidth.
  4. Tools & Platforms
     ▸ Build an in-house bug bounty program?
     ▸ Or go with a well-known crowdsourced vulnerability disclosure platform?
       ▹ BugCrowd
       ▹ HackerOne
     ▸ List of known bug bounty platforms: https://github.com/disclose/bug-bounty-platforms
  5. What did we choose & why?
     ▸ An in-house bug bounty program.
     Why?
     ▸ Exposing our applications to a global community of security researchers through a crowdsourced platform would also invite a significant volume of threat actors.
     ▸ Fixing the discovered vulnerabilities at scale, and within the expected turnaround times, would cause significant engineering overhead.
     ▸ Our applications had not yet been internally pentested for vulnerabilities.
  6. The End to End Pipeline
     ▸ Tools we used:
       ▹ Google Form
       ▹ Google Spreadsheet
       ▹ Google Apps Script
       ▹ Zapier
       ▹ Linear.app (issue tracking)
       ▹ Slack
       ▹ Gmail
     ▸ Miro, for brainstorming and the bug bounty program workflow
  7. What worked
     ▸ For us, the integrations do the job well.
     ▸ The implementation gives us as much confidence as any well-known bug bounty management platform.
     ▸ Most of the communication between the InVideo security team and external researchers is handled through this workflow.
     ▸ In less than 2 months our workflow was set up and we were hands-free, managing everything inside Linear.app with just labels.
  8. And, what did not
     ▸ While using this workflow we identified a few gaps.
     ▸ The Zapier integration takes a few seconds to trigger the events.
  9. Thinking ahead
     ▸ The program is completely managed by our security team.
     ▸ We made the choice of not offloading program management to a third party:
       ▹ End-to-end control of the program.
       ▹ Not at the mercy of third parties when it comes to the report timeline or fixing bugs.
       ▹ Complete control lets us build our product and fix bugs according to severity and org priorities.
       ▹ The volume of bugs that gets fixed by an internal program is lower, due to the lack of external pressure.
     ▸ Rewards?
  10. Tips & Tricks (slide shows a word cloud; the terms on it are listed here)
     ▸ CVSS
     ▸ Product Goals
     ▸ Severity: CRIT / HIGH / MID / LOW
     ▸ Vulnerable Services
     ▸ Internal Test / Red team
     ▸ Security Research Community
     ▸ Secure services
     ▸ Automation
     ▸ Subject Matter Expertise
     ▸ Velocity
     ▸ Qualitative Assessment
     ▸ Fast and Impactful Security Fixes
     ▸ Security Posture
     ▸ Acceptable Risk
  11. THANKS! Any questions? You can find us at:
     ▸ @pankajmouriya
     ▸ pankaj.mouriya@invideo.io
     ▸ @hashfyre
     ▸ joy.bhattacherjee@invideo.io