Slide 1

Slide 1 text

Decoding Bug Bounty Programs
Jon Rose

Slide 2

Slide 2 text

It’s all about YOU

Slide 3

Slide 3 text

What is your Role?

Builder
Breaker
Defender

Slide 4

Slide 4 text

Bug Bounty Programs are Revolutionizing the way businesses protect themselves

Slide 5

Slide 5 text

O RLY?

Slide 6

Slide 6 text

Traditional security testing is Dead

Slide 7

Slide 7 text

1. Automated tools don’t work
2. Waterfall security isn’t Agile
3. Massive shortage of talent
4. Cost prohibitive

Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

Responsible Disclosure Plus CrowdSourcing With Ca$h

Slide 10

Slide 10 text

[Timeline graphic: bug bounty program launch dates from 2002 to 2013; the only labels that survived extraction are “No More Free Bugs” and “Chrome”]

Slide 11

Slide 11 text

Any Bug Reporters?

Slide 12

Slide 12 text

Bounty Programs

Slide 13

Slide 13 text

Keys to Running a Bug Bounty

Slide 14

Slide 14 text

5 Simple Rules

Slide 15

Slide 15 text

Bug Payouts
[Chart: payout by bug class: Remote Code Execution, SQL Injection, Auth Bypass, XSS]

Slide 16

Slide 16 text

Not all bugs are EQUAL

Slide 17

Slide 17 text

Disclosure Policy

Slide 18

Slide 18 text

First In, Best Dressed

Slide 19

Slide 19 text

Well Defined Targets and Scope

Slide 20

Slide 20 text

Do you pay for valid bugs that are out of scope?

Slide 21

Slide 21 text

5 Major Benefits

Slide 22

Slide 22 text

Embrace Continuous Testing

Slide 23

Slide 23 text

Market Your Security

Slide 24

Slide 24 text

Diversity in Tools, Techniques, Approach

Slide 25

Slide 25 text

Only Pay For Results

Slide 26

Slide 26 text

Are companies with bug bounties MORE secure?

Slide 27

Slide 27 text

8 Potential Problems

Slide 28

Slide 28 text

Legal  Issues

Slide 29

Slide 29 text

Fixing bugs is hard and requires teamwork

Slide 30

Slide 30 text

Spot the difference

Slide 31

Slide 31 text

Understanding Language Barriers

Slide 32

Slide 32 text

FALSE POSITIVES ARE A NECESSARY EVIL

Slide 33

Slide 33 text

Weak Security Foundation

Slide 34

Slide 34 text

Unclear Policies and Processes

Slide 35

Slide 35 text

Hackers Cheat

Slide 36

Slide 36 text

Bounty Hunters

Slide 37

Slide 37 text

“Helping secure popular services, improving my skills, the credit, and of course the payment for a job well done”
@NightRang3r, Bug Bounty Hunter

Slide 38

Slide 38 text

“…enhances my logical bug finding creativity and approach. It motivates me…”
@AjaySinghNegi, Bug Bounty Hunter

Slide 39

Slide 39 text

“First of all is the challenge, and second, the acknowledgement of researcher’s hard work and rewarding them accordingly”
@NightRang3r, Bug Bounty Hunter

Slide 40

Slide 40 text

3 Themes

Slide 41

Slide 41 text

Prestige, Recognition, and Fame

Slide 42

Slide 42 text

Practice Makes Perfect

Slide 43

Slide 43 text

Cash Money

Slide 44

Slide 44 text

Pick One: Money, Fame, Experience

Slide 45

Slide 45 text

4 Problems

Slide 46

Slide 46 text

No Visibility

Slide 47

Slide 47 text

Terms can change at any time

Slide 48

Slide 48 text

Inefficient use of testers’ time

Slide 49

Slide 49 text

Fixes Take Time

Slide 50

Slide 50 text

In the News

Slide 51

Slide 51 text

';alert(String.fromCharCode(88,83,83))//';
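The payload on this slide is the standard probe for a JavaScript string-context XSS: the leading `'` closes a single-quoted string literal the page dropped the attacker's value into, `;` ends that statement, `alert(String.fromCharCode(88,83,83))` spells "XSS" without using any quote characters (so a quote filter does not catch it), and `//` comments out whatever the page emits after the value. What follows is an added example, not code from the talk, showing a hypothetical inline-script template that is vulnerable to exactly this payload beside a hardened version; `renderVulnerable`, `renderSafe` and the small `execute` harness that stands in for the browser are constructed here for illustration.

```javascript
// Added example (not from the talk): a JavaScript string-context XSS and its fix.
// Hypothetical page template that drops a user-controlled search term into a
// single-quoted string literal inside an inline <script>.

const PAYLOAD = "';alert(String.fromCharCode(88,83,83))//';"; // the payload from the slide

// Vulnerable: raw concatenation. The attacker's first ' closes the literal,
// ; ends the statement, alert(...) runs, and // hides the page's trailing ';.
function renderVulnerable(search) {
  return "<script>var q='" + search + "';</script>";
}

// Hardened: emit the value as a JSON string literal (quotes, backslashes and
// control characters escaped) and additionally escape < > and the U+2028/2029
// line terminators, so the value can neither close the <script> element nor
// terminate the JavaScript string it sits in.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderSafe(search) {
  return "<script>var q=" + jsStringLiteral(search) + ";</script>";
}

// Tiny harness standing in for the browser: pull the script body out of the
// HTML and run it with a fake alert() that records its argument, then report
// what alert saw and what value q ended up holding.
function scriptBody(html) {
  const m = html.match(/<script>([\s\S]*?)<\/script>/);
  return m ? m[1] : "";
}

function execute(html) {
  const alertCalls = [];
  const fakeAlert = (msg) => alertCalls.push(String(msg));
  const q = new Function("alert", scriptBody(html) + ";\nreturn q;")(fakeAlert);
  return { alertCalls, q };
}

console.log("vulnerable:", execute(renderVulnerable(PAYLOAD)));
// vulnerable: alertCalls is ['XSS'] and q is '' (the attacker's code ran)
console.log("hardened:  ", execute(renderSafe(PAYLOAD)));
// hardened: alertCalls is empty and q holds the payload verbatim
```

The hardened version treats the value as data rather than as code: `JSON.stringify` handles the quote and backslash cases, and the extra `<`/`>` escaping closes the separate HTML-level hole where a value containing `</script>` would end the script element before the JavaScript parser ever sees it.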

Slide 52

Slide 52 text

“To be eligible you *must not*: Be less than 18 years of age. ... PayPal will remove that researcher from the Bug Bounty Program and disqualify them from receiving any bounty.”
PayPal Site Security

Slide 53

Slide 53 text

Full Disclosure

Slide 54

Slide 54 text


Slide 55

Slide 55 text

OAuth Regex Bypass 3/2013

Slide 56

Slide 56 text

Utilize the facebook.facebook.com subdomain to bypass the subdomain regex protection in OAuth

Slide 57

Slide 57 text

Abuse strange redirection behavior in the facebook.com domain with multiple hash signs

Slide 58

Slide 58 text

Get past the warning message in l.php with a 5-byte hack

Slide 59

Slide 59 text

Redirect the victim to external websites located through a Facebook app in order to save the victim’s access_token

Slide 60

Slide 60 text

https://www.facebook.com/connect/uiserver.php?app_id=220764691281998&next=https://facebook.facebook.com/%23/x/%23/l/ggggg%3btouch.facebook.com/apps/sdfsdsdsgs%23&display=page&sconnect=1&method=permissions.request&response_type=token
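The first two steps of the chain above come down to how the `next` parameter is validated: a pattern match over the raw string that accepts anything that looks like a facebook.com host, with everything after the `%23` fragments never examined. As an added example, not material from the talk and not Facebook's code, the following JavaScript puts a naive regex check of that kind beside a hardened validator that parses the URL, compares the exact hostname against an allowlist, and rejects redirect targets that already carry a fragment (in the implicit flow the access_token is delivered in the fragment, so a pre-seeded one is suspect). The `next` value is the one from the slide; the regex, the allowlist (`www.facebook.com`, `touch.facebook.com`) and the extra `www.facebook.com.evil.example` case are assumptions added for illustration, the last going beyond the slide to show the same regex failing on a host-suffix trick.

```javascript
// Added example (not from the talk, not Facebook's code): validating an OAuth
// redirect target. The authorize URL comes from the slide; the regex and the
// allowlist are assumptions for illustration.

const SLIDE_AUTHORIZE_URL =
  "https://www.facebook.com/connect/uiserver.php?app_id=220764691281998" +
  "&next=https://facebook.facebook.com/%23/x/%23/l/ggggg%3btouch.facebook.com/apps/sdfsdsdsgs%23" +
  "&display=page&sconnect=1&method=permissions.request&response_type=token";

// Assumed allowlist of exact hostnames the authorization server may send a
// token to. Anything else, including other *.facebook.com names, is refused.
const ALLOWED_REDIRECT_HOSTS = new Set(["www.facebook.com", "touch.facebook.com"]);

// Naive check of the kind the slide describes bypassing: a regex over the raw
// string that only asks "does this start with some facebook.com host?". It
// accepts facebook.facebook.com, never looks past the first '#', and, lacking
// a terminator after the host, also accepts www.facebook.com.evil.example.
function naiveRedirectCheck(next) {
  return /^https?:\/\/([a-z0-9-]+\.)*facebook\.com/i.test(next);
}

// Hardened check: parse with the platform URL parser, require https, refuse
// userinfo tricks, compare the exact hostname against the allowlist, and
// refuse any target that already carries a fragment (the implicit flow appends
// #access_token=... itself, so the redirect target must not bring its own).
function strictRedirectCheck(next) {
  let url;
  try {
    url = new URL(next);
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;
  if (url.username !== "" || url.password !== "") return false;
  if (!ALLOWED_REDIRECT_HOSTS.has(url.hostname)) return false;
  if (url.hash !== "") return false;
  return true;
}

// Run both validators on the 'next' parameter of an authorize URL, decoded the
// way a server-side query parser would (so %23 has already become '#').
function evaluateAuthorizeUrl(authorizeUrl) {
  const next = new URL(authorizeUrl).searchParams.get("next") || "";
  return { next, naive: naiveRedirectCheck(next), strict: strictRedirectCheck(next) };
}

console.log(evaluateAuthorizeUrl(SLIDE_AUTHORIZE_URL));
// naive: true, strict: false (facebook.facebook.com is not on the allowlist
// and the decoded target carries several '#' fragments)
```

The point of parsing first is that the checks then run on the same host the browser will actually navigate to, rather than on a prefix of a string that still has encoding, fragments and userinfo in it; the allowlist of exact hosts is what makes "it is a facebook.com subdomain" stop being sufficient.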

Slide 61

Slide 61 text

Post to any user’s wall 9/2013

Slide 62

Slide 62 text

Denied
• Lack of Technical Detail
• Language Barrier

Slide 63

Slide 63 text


Slide 64

Slide 64 text

“We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site.”
Facebook

Slide 65

Slide 65 text


Slide 66

Slide 66 text

“I could sell on the black (hat) hackers’ websites and I could make more money than Facebook could pay me. But for me -- I am a good guy. I don’t deal with the black (hat) stuff.”
Khalil, Interview with CNN

Slide 67

Slide 67 text

What about black market bug sales?

Slide 68

Slide 68 text

Statistics Don’t Lie

Slide 69

Slide 69 text

44% of all bugs are the first and only bug sent by a researcher (PayPal)

Slide 70

Slide 70 text

Almost 80% of bug submissions are sent in by researchers who submit less than 10 bugs total (PayPal)

Slide 71

Slide 71 text

10% of the researchers submit 25 bugs or more (PayPal)

Slide 72

Slide 72 text

Google has paid out over $1M (Google)

Slide 73

Slide 73 text

Facebook has paid out over $1M in the last 2 years (Facebook)

Slide 74

Slide 74 text

329 bounty hunters have been paid at least $500 by Facebook (Facebook)

Slide 75

Slide 75 text

Almost 70% of valid bugs are Cross-Site Scripting (Google)
[Chart: XSS vs. XSRF]

Slide 76

Slide 76 text

Does it Work?

Slide 77

Slide 77 text


Google is reporting fewer bug submissions
“Harder to find”
Google Bug Hunter

Slide 78

Slide 78 text

Crowd-Sourced Security is changing testing

Slide 79

Slide 79 text

Free Advice

Slide 80

Slide 80 text

“Be prepared to run such a program, have the professional man power to deal with bug submissions and to understand them”
@NightRang3r, Bug Bounty Hunter

Slide 81

Slide 81 text

“Proper verification of logical bugs, timely reply to bug submissions with status”
@AjaySinghNegi, Bug Bounty Hunter

Slide 82

Slide 82 text

?

Slide 83

Slide 83 text


Submit bugs
Accept bugs
Provide Rewards
Get Secure

Slide 84

Slide 84 text

Thank You!
[email protected]
Jon Rose