Decoding Bug Bounty Programs

Transcript

1. Decoding  Bug   Bounty  Programs Jon  Rose

2. It’s  all  about   YOU

3. Builder
 
 Breaker
 
 Defender What  is  your  Role?

4. Bug  Bounty  Programs  are RevoluBonizing the  way  businesses    

   protect  themselves

5. O  RLY?

6. TradiBonal  security   tesBng  is  
 Dead

7. 1.  Automated  tools  don’t  work   2.  Waterfall  security  isn’t

    Agile   3.  Massive  shortage  of  talent   4.  Cost  prohibiBve
8. None

9. Responsible   Disclosure   Plus   CrowdSourcing     With

       Ca$h

10. 2004 2013 8-­‐2004 11-­‐2010 9-­‐2010 7-­‐2011 2010 6-­‐2012 5-­‐2012 9-­‐2012

    11-­‐2010 9-­‐2012 3-­‐2009 No  More     Free  Bugs 8-­‐2005 2002 Chrome

11. Any  Bug   Reporters?

12. Bounty 
 Programs

13. Keys  to  Running   a  Bug  Bounty

14. 5  Simple   Rules

15. Remote   Code   ExecuBon SQL   InjecBon Auth  

    Bypass XSS Bug  Payouts

16. Not  all  bugs  are   EQUAL

17. Disclosure
 Policy

18. First  In,   Best     Dressed

19. Well  Defined   Targets  and  Scope

20. Do  you  pay  for  valid   bugs  that  are  


    out  of  scope?

21. 5  Major   Benefits

22. Embrace  ConBnuous   TesBng

23. Market   Your  Security

24. Diversity  in   Tools,   Techniques,   Approach

25. Only  Pay  for  results Only  Pay  For   Results

26. Are
 companies  with  
 bug  bounBes
 
 secure? MORE

27. 8  PotenBal   Problems

28. Legal  Issues

29. Fixing  bugs  is  hard   and  requires   teamwork

30. Spot the difference

31. Understanding   Language  Barriers

32. FALSE     POSITIVES   ARE  A   NECESSARY  

      EVIL

33. Weak  Security   FoundaBon

34. Unclear  Policies   and  Processes

35. Hackers Cheat

36. Bounty 
 Hunters

37. Helping   secure   popular   services,   improving  

    my   skills,   the   credit,   and   of   course  the  payment  for  a   job  well  done “ @NightRang3r   Bug  Bounty  Hunter

38. …enhances  my  logical   bug   finding   crea2vity  

    a n d   a p p r o a c h .   I t   mo2vates  me.. “ @AjaySinghNegi   Bug  Bounty  Hunter

39. First   of   all   is   the  

    c h a l l e n g e ,   a n d   s e c o n d ,   t h e   acknowledgement   of   researcher’s   hard   work   and   rewarding   them  accordingly “ @NightRang3r   Bug  Bounty  Hunter

40. 3   Themes

41. PresBge,   RecogniBon,     and  Fame

42. PracBce   Makes   Perfect

43. Cash   Money

44. Money   Fame   Experience Pick  One:

45. 4   Problems  

46. No   Visibility

47. Terms  can  change  at   any  Bme

48. Inefficient   use  of   testers  Bme

49. Fixes  Take   Time

50. In  the   News

51. 51 ';alert(String.fromChar Code(88,83,83))//';  

52. 52 To  be  eligible  you  *must  not*:   Be  less

     than  18  years  of  age.   ...   PayPal  will  remove  that  researcher  from   the  Bug  Bounty  Program  and  disqualify   them  from  receiving  any  bounty. “ PayPal  Site  Security  

53. 53 Full   Disclosure

54. 54

55. 55 OAuth  Regex  Bypass 3/2013

56. 56 UBlize  facebook.facebook.com   subdomain  bypasses  subdomain   regex  protecBon

     in  OAuth

57. 57 Abuse  strange  redirecBon   behavior  in  facebook.com  domain  

    with  mulBple-­‐hash  signs

58. 58 Get  past  the  warning  message   in  l.php  with

     5  byte  hack

59. 59 Redirect  the  vicBm  to  external   websites  located  through

      Facebook  app  in  order  to  save   the  vicBm’s  access_token

60. 60 hlps://www.facebook.com/connect/ uiserver.php? app_id=220764691281998&next=hlps:// facebook.facebook.com/%23/x/%23/l/ggggg %3btouch.facebook.com/apps/sdfsdsdsgs %23&display=page&sconnect=1&method= permissions.request&response_type=token

61. 61 Post  to  any  users  wall 9/2013

62. 62 Denied • Lack  of  Technical  Detail   • Language

     Barrier

63. 63

64. 64 We  are  unfortunately  not  able  to  pay   you

     for  this  vulnerability  because  your   ac2ons  violated  our  Terms  of  Service.   We  do  hope,  however,  that  you   con2nue  to  work  with  us  to  find   vulnerabili2es  in  the  site. “ Facebook  

65. 65

66. 66 I  could  sell  on  the  black  (hat)  hackers'  

    websites  and  I  could  make  more   money  than  Facebook  could  pay  me.   But  for  me  -­‐-­‐  I  am  a  good  guy.  I  don't   deal  with  the  black  (hat)  stuff." “ Khalil - Interview with CNN  

67. 67 What  about  black   market  bug  sales?

68. StaBsBcs   Don’t  Lie

69. 44%  percent  of  all  bugs   are  the  first  and

     only  bug   sent  by  a  researcher PayPal

70. Almost  80%  of  bug   submissions  are  sent  in  

    by  researchers  who   submit  less  than  10  bugs   total PayPal

71. 10%  of  the  researchers   submit  25  bugs  or  more

    PayPal

72. Google  has  paid  out  
    over  $1M Google

73. Facebook  has  paid  out   over  $1M  in  the  last

     2   years Facebook

74. 329  bounty  hunters  have   been  paid  at  least  $500

      by  Facebook Facebook

75. Almost  70%  of  valid  bugs   are  Cross-­‐Site  Scrip2ng Google

    XSS XSRF

76. Does  it   Work?

77. 
 Google  is  reporBng  fewer   bug  submissions
 
 “Harder

     to  find”  
 Google  Bug  Hunter

78. Crowd-­‐Sourced  Security  is
   changing   tes2ng

79. Free   Advice

80. Be  prepared  to  run  such   a  program,  have  the

      professional  man   power  to  deal  with  bug   submissions  and  to   understand  them “ @NightRang3r   Bug  Bounty  Hunter

81. Proper  verifica2on  of   logical  bugs,  2mely   reply  to

     bugs   submissions  with  status “ @AjaySinghNegi   Bug  Bounty  Hunter

82. ?

83. 
 Submit  bugs
 Accept  bugs  
 Provide  Rewards
 Get  Secure

84. Thank  You! [email protected] Jon  Rose