LINE Bug Bounty - Rich and Good Hackers


Presented by Koh You Liang, Jang Junho (Ramses) @ BECKS4 2019.09.18 https://becks.kktix.cc/events/twbecks4


line_developers_tw

September 18, 2019

Transcript

  4. Speaker: Koh You Liang, Application Security Team. Member of the Bug Bounty Team and the Game Security Team. Twitter: @kohyouliang, GitHub: @isopach
  5. Contents: Brief Introduction • Running a Bug Bounty Program • Process Flow • Bug Bounty Guide • Rules and Boundaries • Experience Sharing
  6. Contents in detail: 1 Running a Bug Bounty (Motivation, Process Flow, Team Atmosphere) • 2 Bug Bounty Guide (How to Report, Good Examples, Improving your Report) • 3 Ground Rules (Why do we need them, What are the rules) • 4 Experience Sharing (Black hat hackers, White hat hackers, Share your knowledge)
  8. 1. Owning a Bug Bounty Program: Goals & History. Timeline: 2015 limited-time launch • 2016 full-time launch • 2017 $76,500 USD in bounties • 2018 $104,500 USD in bounties • 2019 Sep over $60,000 USD in bounties • 2019 Dec: new record?
  9. 1. Owning a Bug Bounty Program: Goals & History. • Launched in 2015 • Create a contact point for reporters • Provide rewards in exchange for bugs • Improve company security
  10. 1. Owning a Bug Bounty Program: 2019 Statistics. 23 hackers • 200 reports • $60,000+ in bounties (data as of 13 September 2019)
  13. 1. Owning a Bug Bounty Program: Member Motivation. • Voluntary, yet essential • Harden recon loopholes • Learn about 0-days
  15. 1. Owning a Bug Bounty Program: Process Flow. 1. Entire team gets notified 2. Reproduce the steps 3. Triage 4. Check server logs 5. Contact developers 6. Award the bounty 7. Publish a notice
  16. 1. Owning a Bug Bounty Program: Response Handling. • Professional responses • Non-automated
  17. 1. Owning a Bug Bounty Program: Deciding on the Bounty. • How much is an XSS worth? • Impact-based • Developers' opinion • Reporter-defined severity vs. team-defined severity
  18. 1. Owning a Bug Bounty Program: Handling Data and Response Times. • Legal paperwork (first time only) • Background checks
  23. 1. Owning a Bug Bounty Program: Scaling. • Short of people • No specialized triage team
  33. 2. Bug Bounty Guide: Improve your Report. • Clear title • Easily reproducible steps • Proof-of-concept code
  38. Speaker: Ramses, Graylab @ LINE. • Joined LINE last year; previously at grayhash (South Korea) • Bug hunter: found bugs in Safari and the kernel; presented at HITCON this year
  39. 3. Ground Rules: Why do we need rules? • Our duty/goal as a security team: to keep our customers safe. GOAL: protect users, make services/products safe. Means: application security, infra protection, bug bounty program
  40. 3. Ground Rules: Why do we need rules? • If there are no RULES: no boundary between bug hunting and real-world hacking. A bug bounty program with NO RULES works against the goal of protecting users and makes services/products unsafe.
  41. 3. Ground Rules: Why do we need rules? • With rules, we can decide whether an action is bug bounty activity or real-world hacking (security, hacking, bug bounty: rules!) • So we made the ground rules and publicized them: https://github.com/line/bugbounty
  42. 3. Ground Rules: What are the rules? • Keep to our scope: LINE applications and web servers; NOT social engineering or internal servers • Check the eligibility section at https://bugbounty.linecorp.com/en/
  43. 3. Ground Rules: What are the rules? • Is it bug bounty? (diagram: bug hunter, employee, internal servers)
  44. 3. Ground Rules: What are the rules? • When a bug hunter goes through an employee to reach internal servers, it is called an APT! (same diagram: bug hunter, employee, internal servers)
  45. 3. Ground Rules: What are the rules? • Do NOT abuse bugs to gain confidential data, especially the mid (Member ID in LINE). According to the law, the MID is categorized as "Personal Information". (diagram: bug hunter vs. abuser against LINE servers; 10 mids of your friends at LINE is a proof of concept, 10,000 mids of people who are not your friends is abuse)
  46. 3. Ground Rules: What are the rules? • NO DoS (Denial of Service). Because we are a messenger company, a DoS would be critical to us and to our users.
  48. 4. Experience Sharing: Life as a black hat hacker. • Life as a black hat hacker (heard from friends): to avoid getting caught, prepare all the time; stay untrackable by the police and security teams • Benefit? Low returns per unit of labor; keep running away from society
  49. 4. Experience Sharing: Life as a white hat hacker. • More opportunities, more returns • Can get reputation, money, and a fun life • Absolutely better than being a black hat hacker, especially in the long term as a security engineer
  50. 4. Experience Sharing: Share your knowledge. • Sharing knowledge for fun and profit: security conferences, blog posts • Research and get credit: security patch notes; bug bounty: money and Hall of Fame
  51. Conclusion: Let's get rich! • To bug hunters: please be gentle with us, so that we can make you RICH • To white hat hackers: let's benefit by sharing our knowledge.