• vs VDP
• Public vs Private
• Scope
• Policy
• Earning Points on Bugcrowd
• How do I get started?
• Prerequisites
• Resources
• How do I become successful?
• Background on my journey
• Work Hard
• My Methodology
• Evolution
• Bug bounty vs Pentesting
• Live Hacking Events
• Questions?
to reward security researchers for finding vulnerabilities on their assets.
• Rewards can be bounties, swag (t-shirts, stickers, etc.), Hall of Fame, points
• Bug Bounty Program (BBP) vs Vulnerability Disclosure Program (VDP)
  • BBP offers monetary (bounty) rewards
  • VDP doesn't offer monetary rewards
• Company can run their own BBP (independent), i.e.
• Company can use a 3rd-party company like
• A BBP can be public (open to all) or private (invitation only)
an S-SDLC in place
  • Typically rewards larger bounties (10-15k for critical bugs)
  • More competition since it's open to the world
  • More challenging
• Private BBP
  • A lot of the time these are companies that are just starting to do bug bounty
  • Typically rewards smaller bounties (1.5-5k for critical bugs)
  • Less competition since only a select few have been invited
  • Usually less challenging
• Submit valid bugs on public programs to get points (and bounties)
• Consider starting with VDPs
  • Less competition
  • Good for practice and to get started (I started with VDPs)
  • More chances of finding high-impact bugs (P1-P2)
on the VRT https://bugcrowd.com/vulnerability-rating-taxonomy
• Critical (P1): 40 Points
  • Duplicate: 10 Points
• High (P2): 20 Points
  • Duplicate: 5 Points
• Medium (P3): 10 Points
  • Duplicate: 0 Points*
• Low (P4): 5 Points
  • Duplicate: 0 Points
• Informational (P5): 0 Points

The hacker that reports the bug first gets all of the points and the bounty. Every other report for the same bug gets duplicate points without any bounty.
• Stay up to date with current security news and trends
• Go on and follow people who post interesting write-ups, tips, etc.
• Automate as much as you can
• Be unique, don't do exactly what others do, or else you'll get duplicates
• Take your time, there's no rush, there will always be bugs
• Learn as much as you can – don't do it for the money when starting out
• Have fun!
hunting
1) Worked as a Systems Administrator for 5 years
   - Specialized in networking (Cisco) and virtualization (VMware)
2) Started to get bored
3) Curious about the infosec industry
4) Did a few security-related certifications (Security+, CCNA: Security, CEH, SSCP, OSCP)
5) Got my first job in security as a Jr. Security Analyst in February 2017
6) Started doing some bug bounty – Got my first bounty in February 2017
...
months?
• Read as many write-ups as I could
• Read the books (twice) mentioned earlier
• Practiced in CTFs
• Spent a lot of time reading #bugbountytips
• I WORKED HARD AND LEARNED AS MUCH AS I COULD
successful?
1. Fast (Automation)
2. Unique (think out of the box)
3. Experience
4. Luck

• Automate as much as you can
• Look for low-hanging fruit
• Be proactive, find bugs while you eat and sleep like todayisnew
• What did the other hackers not think of?
• What possible mistake did the developer make?
• What is the intended functionality? How can I make it do other stuff instead?
• Experience
  • It simply comes with time and practice
  • You'll start noticing certain patterns that lead to bugs
  • You'll learn frameworks and their common vulnerabilities
• Luck
  • Sometimes, you just need to be lucky
program?
• I don't necessarily like wide scopes like *.domain.com
• I prefer smaller scopes (e.g. 5 web apps and an API)
• I like web apps with a lot of features and RBAC
• A program that pays well and triages and resolves fast
Focus areas & bonuses
3. CTF mindset
   1. Create your own flag
   2. Do what it takes to find it
4. Other hackers have looked at this app
   1. What did they miss?
   2. What did they not think of and didn't try?
5. Recon
used
  • Look at headers
  • Use tools like Wappalyzer/BuiltWith
  • Look at job postings
  • Look at developers on LinkedIn -> GitHub
2. Identify as many endpoints as possible
  • GitHub
  • Google Dork
  • WayBackMachine
3. Take note of anything potentially useful
  • User roles
  • 3rd party integrations
• Goal of the recon is to maximize the attack surface
• Use the application like a regular user would
• Identify intended behavior
• See how certain functionality interacts with each other
• Identify functionality only available to certain users
• Identify potential attack plans and scenarios
3. Start Hacking!!!
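As an added example (not part of the original talk), this Python script shows the recon steps above in working form: it consolidates a constructed list of URLs, as one might gather from GitHub, Google dorks or the WayBackMachine, into unique endpoints with their parameter names, and flags the user-role paths and 3rd-party integrations the slide says to take note of. The example.com hosts and the hint lists are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of URLs as they might be gathered from GitHub search,
# Google dorks and the WayBackMachine during recon (example.com hosts are
# placeholders, not a real program's scope).
CAPTURED_URLS = [
    "https://app.example.com/api/v1/users?id=12&expand=roles",
    "https://app.example.com/api/v1/users?id=99",
    "https://app.example.com/api/v2/users/12/invoices",
    "https://app.example.com/api/v2/users/4871/invoices?page=2",
    "https://app.example.com/admin/reports/export?format=csv",
    "https://app.example.com/oauth/callback/salesforce?code=xyz",
    "https://app.example.com/static/js/vendor/react.min.js",
    "https://app.example.com/images/logo.png",
]

# Assumed hint lists for the "take note of anything potentially useful" step.
ROLE_HINTS = ("admin", "manager", "internal", "staff")
INTEGRATION_HINTS = ("oauth", "saml", "webhook", "callback", "salesforce", "stripe")
STATIC_SUFFIXES = (".js", ".css", ".png", ".jpg", ".svg", ".woff", ".ico")


def normalize_path(path: str) -> str:
    """Collapse numeric path segments so /users/12 and /users/4871 are one endpoint."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path.rstrip("/") or "/")


def consolidate(urls):
    """Group captured URLs into unique endpoints with their parameter names and tags."""
    endpoints = {}
    for url in urls:
        parts = urlsplit(url)
        if parts.path.lower().endswith(STATIC_SUFFIXES):
            continue  # static assets do not widen the attack surface
        key = normalize_path(parts.path)
        entry = endpoints.setdefault(key, {"params": set(), "tags": set()})
        entry["params"].update(name for name, _ in parse_qsl(parts.query, keep_blank_values=True))
        lowered = key.lower()
        if any(hint in lowered for hint in ROLE_HINTS):
            entry["tags"].add("role-restricted?")  # candidate for access-control review
        if any(hint in lowered for hint in INTEGRATION_HINTS):
            entry["tags"].add("3rd-party")  # integration boundary worth noting
    return endpoints


if __name__ == "__main__":
    for path, info in sorted(consolidate(CAPTURED_URLS).items()):
        print(f"{path:40} params={sorted(info['params'])} tags={sorted(info['tags'])}")
```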
… testing | Cost
Pentest: Yes * | No
Bug Bounty: Yes & No | Yes *

* Limited by the company's pentesters' skills
** In a pentest, you pay for the time spent, even if the report is empty
*** In bug bounty, you pay for results
top hackers to participate in a private event
• Las Vegas, San Francisco, Miami, Vancouver, Buenos Aires, San Luis Obispo, Australia, etc.
• Scope is normally new
• Bonuses and prizes
• Collaboration with other hackers

Bug bashes are starting to become hackers' goal!