LINE Bug Bounty - Rich and Good Hackers

Transcript

1. 4 4

2. Bug Bounty Rich and Good Hackers

3. Who are we? LINE Koh You Liang, Jang Junho (Ramses)

   2019.09.18

4. Profile Image Koh You Liang Application Security Team Member of

   Bug Bounty Team and Game Security Team Twitter: @kohyouliang Github: @isopach

5. Brief Introduction Running a Bug Bounty Program Process Flow Bug

   Bounty Guide Rules and Boundaries Experience Sharing Chapter title 01 02 03 04 05 06 07 Contents

6. Contents Running a Bug Bounty 1 Motivation Process Flow Team

   Atmosphere Bug Bounty Guide 2 How to Report Good Examples Improving your Report Ground Rules 3 Why do we need What are the rules Experience Sharing 4 Black hat hackers White hat hackers Share your knowledge

7. Bug Bounty Program

8. 8 1. Owning a Bug Bounty Program Goals & History

   2017 $76,500 USD in Bounties 2015 Limited-time Launch 2019 Sep Over $60,000 USD in Bounties 2018 $104,500 USD in Bounties 2016 Full-time Launch 2019 Dec New record? Timeline

9. 9 1. Owning a Bug Bounty Program Goals & History

   • Launched in 2015 • Create a contact point for reporters • Provide reward in exchange for bugs • Improve company security

10. 10 1. Owning a Bug Bounty Program 2019 Statistics 23

    Hackers 200 Reports ※Data as of 13 September 2019 $60,000+ Bounty

11. Owning a Bug Bounty Program

12. Two Perspectives Hacker Company

13. 13 1. Owning a Bug Bounty Program Member Motivation •

    Voluntary, yet essential • Harden Recon loopholes • Learn about 0-days

14. 14 1. Owning a Bug Bounty Program Team Atmosphere

15. 15 1. Owning a Bug Bounty Program Process Flow 1.

    Entire team gets notified 2. Reproduce steps 3. Triage 4. Check server logs 5. Contact developers 6. Award bounty 7. Publish notice

16. 16 1. Owning a Bug Bounty Program Response handling •

    Professional response • Non-automated

17. 17 1. Owning a Bug Bounty Program Deciding on Bounty

    • How much is an XSS worth? • Impact-based • Developers’ opinion • Reporter-defined severity vs Team-defined

18. 18 1. Owning a Bug Bounty Program Handling data and

    response times • Legal paperwork (1st time only) • Background checks

19. 19 1. Owning a Bug Bounty Program Swag • T-shirts

    • Yubikey

20. 20

21. 21

22. 22

23. 23 1. Owning a Bug Bounty Program Scaling • Short

    of people • No specialized triage team

24. 24

25. 25

26. Bug Bounty Guide For veterans and newcomers

27. 27 2. Bug Bounty Guide How to report? https://bugbounty.linecorp.com/en/

28. 28 2. Bug Bounty Guide How to report? WAIT!

29. 29 2. Bug Bounty Guide Improve your report • Descriptive

    Title

30. 30

31. 31 Type of bug Location

32. 32

33. 33 2. Bug Bounty Guide Improve your report • Clear

    Title • Easily reproducible steps • Proof-of-Concept Code

34. 34

35. 35

36. 36

37. THANK YOU

38. Profile Image Ramses Graylab @ LINE • Joined LINE last

    year ◦ Used to be grayhash (South Korea) • Bug hunter ◦ Found bugs from safari and kernel ◦ Presented at HITCON this year

39. 39 3. Ground Rules Why do we need rules? •

    Our duty/goal as security team ◦ To keep our customers safe GOAL: Protect users Make services/products safe Application security Infra protection Bug bounty program

40. 40 3. Ground Rules Why do we need rules? •

    If there is no RULES? ◦ No boundaries between bug hunting and real-world hacking GOAL: Protect users Make services/products unsafe Bug bounty program with NO RULES!

41. 41 3. Ground Rules Why do we need rules? •

    With the rules, ◦ Can decide whether Bug Bounty action or real-world hacking • So, we made the ground rules ◦ publicize them: https://github.com/line/bugbounty Security Hacking Bug Bounty Rules!

42. 42 3. Ground Rules What are the rules? • Keep

    our scopes ◦ LINE applications, web servers ◦ NOT social engineering, internal servers • Check on eligibility section in https://bugbounty.linecorp.com/en/

43. 43 3. Ground Rules What are the rules? • Is

    it bug bounty? Bug hunter Employee Internal servers

44. 44 3. Ground Rules What are the rules? • It

    is called, APT! Bug hunter Employee Internal servers

45. 45 3. Ground Rules What are the rules? • NOT

    Abusing bugs to gain confidential data ◦ Especially, mid(Member ID in LINE) ◦ According to the law, MID is categorized as “Personal Information” LINE servers Bug hunter Abuser 10 mids of your friends at LINE 10,000 mids of not your friends at LINE

46. 46 3. Ground Rules What are the rules? • NO

    DoS(Denial of Services) ◦ Because we are Messenger company, ◦ DoS would be critical to us and to users

47. 47 3. Ground Rules What are the rules? • Please

    be nice to us!

48. 48 4. Experience Sharing Life as a black hat hackers

    • Life as a black hat hacker (heard from friends) ◦ To avoid getting caught, prepare all the time ◦ Keep untrackable from police and security team • Benefit? ◦ Low returns per laber ◦ Keep running away from the society

49. 49 4. Experience Sharing Life as a white hat hackers

    • Life as a white hat hackers ◦ More opportunities, more returns ◦ Can get reputation, money, and fun life ◦ Absolutely better than black hat hackers ✓ In long term life as a security engineer

50. 50 4. Experience Sharing Share your knowledge • Sharing knowledge

    for fun and profit! ◦ Security conference ◦ Blog posting • Research and get credits ◦ Security patch note ◦ Bug Bounty: money and Hall of Fame

51. 51 Conclusion Let’s get rich! • To bug hunters: ◦

    Please be gentle to us, so that we can get you RICH • To white hat hackers: ◦ Let’s take advantages by sharing our knowledges.

52. THANK YOU