SlideShare a Scribd company logo

LKNOG3 - Bug Bounty

Download as PPTX, PDF
LKNOG, profile picture
LKNOG

A document discusses bug bounty programs and security research. It defines bug bounty programs as initiatives that reward individuals for discovering and ethically reporting software flaws. It discusses the history of bug bounties dating back to the 1980s. It also outlines why bug bounty programs are important for finding vulnerabilities before malicious hackers, and describes common vulnerabilities, critical vulnerabilities, and how to start a bug bounty program.

Internet
1 of 38
Downloaded 18 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
| Pasan Rawana Lamahewa
| Pasan Rawana Lamahewa
ILLUSIVE MINDS ARE AT WORK Your home, business and Organizations are at risk PROTECT YOUR SELF TODAY |Pasan Rawana Lamahewa
| Pasan Rawana Lamahewa Lets get Friendly First I am not a hacker I am a Bug Bounty Hunter I break security not Heart 💘 PASAN RAWANA LAMAHEWA  Civil Aviation Pilot Trainee  Undergrad in Cyber Security  Undergrad in Biz Management  Undergrad in IATA  Cyber Security Researcher  Lyricist Security Researcher with a FACE
TOPIC S  Understanding Bug Bounty  Bug Bounty Programs  Why Bug Bounty Programs Important in todays’ Context  Bug Bounty Platforms  Bug Bounty Hunter  Type of Hackers  How to Start a Bug Bounty Program  Forums of Incident Response and Security Teams  Crowdsource platforms  Rewards  My experience as a Security Researcher  Things to Consider  Useful Links  Questions | Pasan Rawana Lamahewa
What is Bug Bounty Bounty and bounty hunting dates back to many centuries and synonymous with England and USA | Pasan Rawana Lamahewa Bug Bounty Hunting
| Pasan Rawana Lamahewa  The IT Teams at many organizations don’t have enough time or they lack in skills to think “beyond the routine” in order to identify and squash bugs in their systems.  So organizations ‘reach out to private individuals for help’. This is called a Bug Bounty Program.  The Bug Bounty Hunter uses his tools to break into systems, write up a vulnerability report to the organization who issued the bounty and then get paid or rewarded.
A simple DEFINITION Bug Bounty Program Bug Bounty Program (BBP) or Vulnerability Reward Program (VRP) could be simply defined as an organizational initiative that rewards & recognize individual who discover flaws/loopholes in software/systems/web and ACTING ETHICALLY to report them to the organization. In other words BBP/VRP is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and rewards. | Pasan Rawana Lamahewa
| Pasan Rawana Lamahewa Source: https://blog.cobalt.io/the-history-of-bug-bounty-programs-50def4dcaab3 HISTORY
WHY BUG BOUNTY PROGRAM Bug bounty program is not Fighting the Fire with Fire, but prevention of fire! It takes a White Hacker to think before a bad guy creeps in. Remember the story of Frank Abagnale, the most talented fraudster in history, who ended up helping FBI. The winning formula for any organization is to recognize cyber security researcher who helped discover vulnerabilities. This is what a bug bounty program is about: Ethical hackers help businesses detect vulnerabilities/loopholes before the bad guys creep in. In other words: Getting Ahead. This is all about Bug Bounty Program. | Pasan Rawana Lamahewa
Hacking takes place in Vicious Minds & Divine Minds • Divine Minds White Hackers Black Hackers Gray Hackers | Pasan Rawana Lamahewa
As organizations implements latest with technology, so the destructive minds are getting more and more sophisticated | Pasan Rawana Lamahewa Organizations and their IT professionals are aware of this impending danger, but many believe they are satisfactorily protected, they can swiftly restore or that their organizations are too small to be observed by vicious minds.
Why Bug Bounty Program Bugs exist in any software or system, and that is a fact. Cybercrimes are committed using a computer or computer technology or smart phone as primary tool. Types of Criminals • Social Engineer - manipulates human minds • Phisher - information / password theft • Hacker - blocking systems • Disgruntle Employee - information theft / blocking systems • Ransom Artist - spread malware /demand ransom | Pasan Rawana Lamahewa
Common Vulnerabilities SQL Injection flaws. Cross Site Scripting - XSS Broken Authentication. Insecure Direct Object References. Cross Site Request Forgery. - CSRF Security Misconfiguration. Insecure Cryptographic Storage. Sensitive data Exposure Failure to restrict URL Access. Missing function Level Access Control Using Components with known vulnerabilities Invalidated redirects and forwards | Pasan Rawana Lamahewa
Critical Vulnerabilities Source & Information Credit to: 2019 edescan vulnerability Stats report: Eoin & The Security | Pasan Rawana Lamahewa
| Pasan Rawana Lamahewa WHY BUG BOUNTY PROGRAMS ARE IMPORTANT Bug bounties are an important tool that helps finding potential vulnerabilities or flaws But this has been often misunderstood. That was why the nature and the purpose of bug bounty schemes are openly discussed in a U.S. Senate hearing Security Researchers thinks differently and we the White Hat Hackers must think beyond the box, think beyond a “hacker’s thinking pattern” and “act ethically & responsibly”
How to Start a Bug Bounty Program  Evaluate your Organization, its Systems and IT / Security Team  Decide on a Bug Bounty / Reward System  Decide on a Flatform / Direct approach to Security Researcher  Prepare a draft Vulnerability Disclosure Policy  The Rules of Engagement - define the Scope of Bug Bounty Program  Decide on unquestionable clarity about the authorized conduct of the Security Researcher and decide what proof need to confirm a vulnerability and how both ethical hacker and organization share the findings.  Discuss with your Team, Senior Management and agree  Document > Validate> Authorization>Public Knowledge/Web | Pasan Rawana Lamahewa VERY IMPORTANT  Select your point person very carefully  Provide the contact details of your point person, he must be responsive and tech savvy  Provide the clear instructions about the program, along with the specifications of the overall surface which may be IP Address, Domain name, type of test and type of reports etc. and emphasis on any exclusions
BUG BOUNTY PROGRAM - LIFECYCLE Invite Security Researchers / Flatforms to test and find flaws ORGANIZATIONS Research PenTest/ SECURITY RESEARCHERS Vulnerabilities Found Not Found REPORT IT / Security Teams Validate the Issue Valid issues are REWARDED
Consider Bug Bounties Carefully bug bounty programs are all about creating a culture of openness, transparency, responsibility and above all the thrust. Even if an organization doesn't offer bug bounties, it is pertinent to establish a “vulnerability disclosure policy” or ethical disclosure policy: A legal statement stating that an organization will not prosecute ethical hackers who detect vulnerabilities in systems / webs and report them ethically . • Since a bounty program is about trust and transparency, an organization ethically be open about how it will pay, reward or recognize for vulnerability detection. | Pasan Rawana Lamahewa
Hand Pic your Goose for Golden Egg  Register in Good Flatforms  Research for Security Researchers  Conversation  Be Sure and mindful of side effects  Vulnerability Discloser Agreements  Connect and implement | Pasan Rawana Lamahewa SECLECT YOUR SECURITY RESEARCHER OR FLATFORM and/or MAKE YOUR BUG BOUNTY PROGRM OPEN TO PUBLIC
The Testimonies  Marten Mickos, CEO of bug bounty platform HackerOne, said we need Hackers. “Our goal must be an internet that enables privacy and protects consumers. This is not achievable without ethical hackers taking an active role in safeguarding our collective security.“ “Ethical Hackers are truly the immune system of the internet," he added.  Justin Brookman, director of the Privacy and Technology Policy Consumers Union, said during the Senate hearing. "Used properly, bug bounty programs enable companies to learn of breaches and vulnerabilities, in service to the larger goals of protecting consumer data and alerting consumers to threats as warranted and/or required by law.“ Google operates one of the largest bug bounty programs. Bug bounties are an important tool that helps finding potential vulnerabilities or flaws But this has been often misunderstood. That was why the nature and the purpose of bug bounty schemes are openly discussed in a U.S. Senate hearing | Pasan Rawana Lamahewa
SOME HISTORY | Pasan Rawana Lamahewa Source WIKIPEDIA  Hunter & Ready initiated the first known bug bounty program in 1983 for their Versatile Real -Time Executive operating system. • Anyone who found and reported a bug would receive a Volkswagen Beetle (a.k.a. Bug) in return.  In 1995, Jarrett Ridlinghafer, a technical support engineer at Netscape Communication Corporation given the phrase 'Bugs Bounty’. • Ridlinghafer presented a proposal for the 'Netscape Bugs Bounty Program’, at the Netscape Executive Team, everyone except the VP of Engineering did not agree thinking it to be a waste of time and resources. • However, Ridlinghafer was given an initial $50 budget to run with the proposal and the first official 'Bug Bounty' program was launched in 1995. • The program was such a huge success, it's mentioned in many of the books detailing Netscape's successes.
| Pasan Rawana Lamahewa  In 2011, Dutch hackers Jobert Abma and Michiel Prins found security flaws in 100’s of prominent high-tech companies, some of them are Facebook, Google, Apple, Microsoft, and Twitter.  While many firms ignored their disclosure attempts, the COO of Facebook, Sheryl Sandberg, gave the warning to their head of product security, Alex Rice. Alex Rice, connected with Abma and Prins. They founded HackerOne, a crowed sourcing platform.  In November 2013, the company hosted a program encouraging the discovery and responsible disclosure of software bugs funded by Microsoft and Facebook. By June 2015, HackerOne's had identified approximately 10,000 vulnerabilities and paid researchers over $1 million in bounties. In April the company announced 240% year-over-year customer growth in
Katie Moussouris had created the bug bounty program at Microsoft and was directly involved in creating the U.S. Department of Defense's first bug bounty program for hackers HackerOne is a vulnerability coordination and bug bounty platform that connects businesses with penetration testers and cyber security researchers. This is one of the first companies, along with Synack andBugCrowd, to utilize crowd-sourced security and cybersecurity researchers as linchpins of its business model; it is the largest cybersecurity firm of its kind. As of July 2018, HackerOne’s network consisted of approximately 200,000 researchers and had resolved 72,000 vulnarabilities across over 1,000 customer programs and HackerOne had paid $31 Million in bounties | Pasan Rawana Lamahewa
• Facebook operates a large bug bounty program • HackerOne, which provides managed bug bounty programs for organizations, found that in 2017 the average bug bounty for a critical vulnerability was $1,923, although payment varies across different industry categories. • Bugcrowd also provides a managed bug bounty platform and has its own set of data on vulnerability payouts. Bugcrowd's 2017 State of the Bug Bounty report found that the average bug across all categories was $451. | Pasan Rawana Lamahewa
REWARDS In year 2018 HackerOne paid $11Millions in Bounties | Pasan Rawana Lamahewa
| Pasan Rawana Lamahewa
| Pasan Rawana Lamahewa
| Pasan Rawana Lamahewa
| Pasan Rawana Lamahewa 10: Even More Facebook Data Exposure When: April 2018 The payout: $8,000 The bug: Data exposure by third-party app. 9: Google Administrative Authentication Bypass When: February 2018 The payout: $13,337 The bug: Broken authentication for YouTube TV’s admin panel. 8:Shopify Open to Takeovers When: December 2017-February 2018 The payout: $15,250 Free Games from Valve When: November 2018 The payout: $20,000 The bug: An API exploit allowing generation of game activation keys. 7.Google’s RCE Flaw When: May 2018 The payout: $36,337 The bug: A remote code execution flaw in Google’s deployment environment. 6. Facebook’s Largest Ever Bug Bounty When: Undisclosed; part of bounty program launched in April. The payout: $50,000 The bug: A privacy/monitoring vulnerability. 5: Facebook’s Largest Ever Bug Bounty When: Undisclosed; part of bounty program launched in April. The payout: $50,000 The bug: A privacy/monitoring vulnerability. Facebook published a review of its bug bounty program in 2018. As well as payouts for over 700 reported issues, 2018 has also the largest ever bounty payout from Facebook of $50,000.
| Pasan Rawana Lamahewa 4.New Variants of Spectre When: July 2018 The payout: $100,000 The bug: New subvariants of the Spectre processor vulnerability. 3 Two Google Pixel Bugs When: August 2017-January 2018 The payout: $112,500 The bug: A pair of bugs creating a code injection vulnerability in Google’s Pixel smartphone. 2. Hack the Marines and Hack the Air Force When: October-November 2018 The payout: $150,000 from the Marines; $130,000 from the Air Force The bug: Hundreds of security vulnerabilities. 1. Oath’s Days of Bounties When: April and November 2018 The payout: Over $400,000 - twice The bug: Hundreds of bugs across two hacking events. Perhaps HackerOne’s biggest success story this year came at the H1-415 event in San Francisco. Oath Inc., a media company which owns brands like Yahoo!, AOL and Tumblr, invited 40 security researchers from HackerOne to a live hacking event. Over the course of the day, hundreds of bugs were discovered, netting a total bounty for the event of over $400,000. Read more at: https://www.immuniweb.com/blog/top-ten-bug-bounty-payouts-of-2018.html
| Pasan Rawana Lamahewa DOs  Earlier the better  Be the user first  Understand the logic to break it  Think beyond mind set of Black or Gray Hacker  Have custom methods/payloads  Not just XSS, CSRF, IDOR, SQL  Act Ethically and Report  Be professional Approach for happy hunting DON’Ts × XSS, Cntrl C, Cntrl V everywhere × Easy way is not the right way × Half filled submissions & reports × Unethical / irresponsible behavior × Unethical disclosure × Unethical reporting × Selfishness × Abusing info /data accessed × Don’t do BEG HUNTING / Never beg for rewards
MOTIVATORS FOR A SECURITY RESEARCHER Motivator #1 Set Self Target Motivator #2 Recognition Motivator #3 Money Motivator #4 Self Satisfaction – “I am not a Common Hacker wearing a Black Hat” “I keep on Collecting and Counting my White Hats” | Pasan Rawana Lamahewa
My Experience Types of Organizations 1. The Genius - take ethical reports very seriously, rewards, recognizes and partner with the security researcher. 2. The Bulletproof – Never recognize or acknowledge and think they are Immortals. 3. Mr. Know it All– oops, we knew this before you and planning to fix 4. The Blind & Deaf – Never response 5. The Neutrals – a bug?, bug bounty program ?! News to us, anyway thank you, we’ll look into this. | Pasan Rawana Lamahewa
My Experience The “Fixed Line Telecommunication Company” in a South Asian Country | Pasan Rawana Lamahewa I reported a serious flaw in their system, which can certainly expose subscribers sensitive information and many more, if found by a bad guy. It has now passed 8 months since my responsible responsible reporting of this vulnerability to their IT Team, no action has been initiated to de-bug it to-date This is a good example for organizations and its IT Professionals are thinking that they are “Bullet Proof” / or acts “Mr. Know it All”. Rather they are liabilities to their customers and to the society.
Useful Links https://www.hackerone.com https://www.bugcrowd.com https://www.openbugbounty.org | Pasan Rawana Lamahewa HackerOne Bugcrowd Vulnerability Lab Fire Bounty
Please feel free to contact me | Pasan Rawana Lamahewa pasanrlamahewa@gmail.com 🐦 https://twitter.com/Pasan_Rav
Happy to be with you all and gain knowledge in my pursue of Cyber Security Ethical Research | Pasan Rawana Lamahewa

More Related Content

PDF
Bug Bounty Hunter's Manifesto V1.0
Dinesh O Bareja
 
PDF
Bug Bounty Secrets
n|u - The Open Security Community
 
PDF
5 Tips to Successfully Running a Bug Bounty Program
bugcrowd
 
PPTX
Bug bounty hunting
redteamacademypromo
 
PPTX
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
HackerOne
 
PPTX
Bug Bounty
Hariprasad KA
 
PDF
Bug Bounty - Hackers Job
Arbin Godar
 
PPTX
Bug Bounty 101
Shahee Mirza
 
Bug Bounty Hunter's Manifesto V1.0
Dinesh O Bareja
 
Bug Bounty Secrets
n|u - The Open Security Community
 
5 Tips to Successfully Running a Bug Bounty Program
bugcrowd
 
Bug bounty hunting
redteamacademypromo
 
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
HackerOne
 
Bug Bounty
Hariprasad KA
 
Bug Bounty - Hackers Job
Arbin Godar
 
Bug Bounty 101
Shahee Mirza
 

What's hot (20)

PPTX
7 Bug Bounty Myths, BUSTED
bugcrowd
 
PPTX
Bug bounty
n|u - The Open Security Community
 
PDF
[Webinar] The Art & Value of Bug Bounty Programs
bugcrowd
 
PDF
Mobile Application Security Threats through the Eyes of the Attacker
bugcrowd
 
PPTX
Bug bounty
Ramin Farajpour Cami
 
PDF
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...
HackerOne
 
PDF
Understanding Information Security Assessment Types
HackerOne
 
PDF
Hijacking Softwares for fun and profit
Nipun Jaswal
 
PDF
Yet another talk on bug bounty
vinoth kumar
 
PDF
What Is Spyware?
Lookout
 
PPT
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Nipun Jaswal
 
PDF
Ground Zero Training- Metasploit For Web
Nipun Jaswal
 
PDF
It's not about you: Mobile security in 2016
NowSecure
 
PDF
Preparing for the inevitable: The mobile incident response playbook
NowSecure
 
PDF
Rafeeq Rehman - Breaking the Phishing Attack Chain
centralohioissa
 
PDF
Basics of Meterpreter Evasion
Nipun Jaswal
 
PDF
Simplified Security Code Review Process
Sherif Koussa
 
PDF
Spyware
Farheen Naaz
 
PPTX
Web Application Security And Getting Into Bug Bounties
kunwaratul hax0r
 
PPT
Spyware
Babur Rahmadi
 
7 Bug Bounty Myths, BUSTED
bugcrowd
 
Bug bounty
n|u - The Open Security Community
 
[Webinar] The Art & Value of Bug Bounty Programs
bugcrowd
 
Mobile Application Security Threats through the Eyes of the Attacker
bugcrowd
 
Bug bounty
Ramin Farajpour Cami
 
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...
HackerOne
 
Understanding Information Security Assessment Types
HackerOne
 
Hijacking Softwares for fun and profit
Nipun Jaswal
 
Yet another talk on bug bounty
vinoth kumar
 
What Is Spyware?
Lookout
 
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Nipun Jaswal
 
Ground Zero Training- Metasploit For Web
Nipun Jaswal
 
It's not about you: Mobile security in 2016
NowSecure
 
Preparing for the inevitable: The mobile incident response playbook
NowSecure
 
Rafeeq Rehman - Breaking the Phishing Attack Chain
centralohioissa
 
Basics of Meterpreter Evasion
Nipun Jaswal
 
Simplified Security Code Review Process
Sherif Koussa
 
Spyware
Farheen Naaz
 
Web Application Security And Getting Into Bug Bounties
kunwaratul hax0r
 
Spyware
Babur Rahmadi
 
Ad

Similar to LKNOG3 - Bug Bounty (20)

PDF
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
Mazin Ahmed
 
DOCX
Earn Money from bug bounty
Jay Nagar
 
PPTX
Basics of getting Into Bug Bounty Hunting
Muhammad Khizer Javed
 
PPTX
bug_bountybug_bountybug_bountybug_bounty.pptx
FutureTechnologies3
 
PDF
Hunting bugs - C0r0n4con
Anchises Moraes
 
PPTX
Bug bounties - cén scéal?
Ciaran McNally
 
PDF
BSides LA/PDX
leifdreizler
 
PDF
Owasp LA
leifdreizler
 
PPTX
Getting_Started_with_Bug_Bounty program.
glcrushgaming
 
PDF
Bug Bounty Guide Tools and Resource.pdf
hacktube5
 
PDF
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
Abhinav Mishra
 
PDF
HACKER-POWERED SECURITY REPORT
E.S.G. JR. Consulting, Inc.
 
PDF
Bugbounty Cybersecurity Trends and Threats 2025
adibostoninstitute12
 
PDF
Bug Bounty for Blockchain Projects by Evgenia Broshevan, Project Lead at Hack...
HackenProof
 
PPTX
ABCD of Bugbounty.pptx
Md Atikqur Rahman
 
PPTX
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
bugcrowd
 
PPTX
Bug bounty programs
Yassine Aboukir
 
PDF
Enigma 2018 - Combining the Power of Builders and Breakers
Casey Ellis
 
PPTX
Nbt con december-2014-slides
Behrouz Sadeghipour
 
PPTX
Nbt con december-2014-slides
Behrouz Sadeghipour
 
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
Mazin Ahmed
 
Earn Money from bug bounty
Jay Nagar
 
Basics of getting Into Bug Bounty Hunting
Muhammad Khizer Javed
 
bug_bountybug_bountybug_bountybug_bounty.pptx
FutureTechnologies3
 
Hunting bugs - C0r0n4con
Anchises Moraes
 
Bug bounties - cén scéal?
Ciaran McNally
 
BSides LA/PDX
leifdreizler
 
Owasp LA
leifdreizler
 
Getting_Started_with_Bug_Bounty program.
glcrushgaming
 
Bug Bounty Guide Tools and Resource.pdf
hacktube5
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
Abhinav Mishra
 
HACKER-POWERED SECURITY REPORT
E.S.G. JR. Consulting, Inc.
 
Bugbounty Cybersecurity Trends and Threats 2025
adibostoninstitute12
 
Bug Bounty for Blockchain Projects by Evgenia Broshevan, Project Lead at Hack...
HackenProof
 
ABCD of Bugbounty.pptx
Md Atikqur Rahman
 
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
bugcrowd
 
Bug bounty programs
Yassine Aboukir
 
Enigma 2018 - Combining the Power of Builders and Breakers
Casey Ellis
 
Nbt con december-2014-slides
Behrouz Sadeghipour
 
Nbt con december-2014-slides
Behrouz Sadeghipour
 
Ad

Recently uploaded (20)

PPTX
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
 
PPTX
Introuction about WHO-FIC in ICD-10.pptx
naveenithkrishnan
 
PPTX
Slides PPTX World Game (s) Eco Economic Epochs.pptx
Steven McGee
 
PDF
Slides PDF The World Game (s) Eco Economic Epochs.pdf
Steven McGee
 
DOCX
Unit-3 cyber security network security of internet system
shivangisharma636228
 
PPT
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
PDF
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
PDF
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
PDF
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
CartCoders
 
PPTX
Funds Management Learning Material for Beg
NKKumar16
 
PDF
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
 
PPTX
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
 
PPTX
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
PPTX
SAP Ariba Sourcing PPT for learning material
NKKumar16
 
PPTX
Introuction about ICD -10 and ICD-11 PPT.pptx
naveenithkrishnan
 
PPTX
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
PPTX
PptxGenJS_Demo_Chart_20250317130215833.pptx
itruongva
 
PDF
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
 
PDF
Testing WebRTC applications at scale.pdf
Giacomo Vacca
 
PDF
How to Ensure Data Integrity During Shopify Migration_ Best Practices for Sec...
CartCoders
 
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
 
Introuction about WHO-FIC in ICD-10.pptx
naveenithkrishnan
 
Slides PPTX World Game (s) Eco Economic Epochs.pptx
Steven McGee
 
Slides PDF The World Game (s) Eco Economic Epochs.pdf
Steven McGee
 
Unit-3 cyber security network security of internet system
shivangisharma636228
 
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
CartCoders
 
Funds Management Learning Material for Beg
NKKumar16
 
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
 
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
 
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
SAP Ariba Sourcing PPT for learning material
NKKumar16
 
Introuction about ICD -10 and ICD-11 PPT.pptx
naveenithkrishnan
 
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
PptxGenJS_Demo_Chart_20250317130215833.pptx
itruongva
 
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
 
Testing WebRTC applications at scale.pdf
Giacomo Vacca
 
How to Ensure Data Integrity During Shopify Migration_ Best Practices for Sec...
CartCoders
 

LKNOG3 - Bug Bounty

  • 1. | Pasan Rawana Lamahewa
  • 2. | Pasan Rawana Lamahewa
  • 3. ILLUSIVE MINDS ARE AT WORK Your home, business and Organizations are at risk PROTECT YOUR SELF TODAY |Pasan Rawana Lamahewa
  • 4. | Pasan Rawana Lamahewa Lets get Friendly First I am not a hacker I am a Bug Bounty Hunter I break security not Heart 💘 PASAN RAWANA LAMAHEWA  Civil Aviation Pilot Trainee  Undergrad in Cyber Security  Undergrad in Biz Management  Undergrad in IATA  Cyber Security Researcher  Lyricist Security Researcher with a FACE
  • 5. TOPIC S  Understanding Bug Bounty  Bug Bounty Programs  Why Bug Bounty Programs Important in todays’ Context  Bug Bounty Platforms  Bug Bounty Hunter  Type of Hackers  How to Start a Bug Bounty Program  Forums of Incident Response and Security Teams  Crowdsource platforms  Rewards  My experience as a Security Researcher  Things to Consider  Useful Links  Questions | Pasan Rawana Lamahewa
  • 6. What is Bug Bounty Bounty and bounty hunting dates back to many centuries and synonymous with England and USA | Pasan Rawana Lamahewa Bug Bounty Hunting
  • 7. | Pasan Rawana Lamahewa  The IT Teams at many organizations don’t have enough time or they lack in skills to think “beyond the routine” in order to identify and squash bugs in their systems.  So organizations ‘reach out to private individuals for help’. This is called a Bug Bounty Program.  The Bug Bounty Hunter uses his tools to break into systems, write up a vulnerability report to the organization who issued the bounty and then get paid or rewarded.
  • 8. A simple DEFINITION Bug Bounty Program Bug Bounty Program (BBP) or Vulnerability Reward Program (VRP) could be simply defined as an organizational initiative that rewards & recognize individual who discover flaws/loopholes in software/systems/web and ACTING ETHICALLY to report them to the organization. In other words BBP/VRP is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and rewards. | Pasan Rawana Lamahewa
  • 9. | Pasan Rawana Lamahewa Source: https://blog.cobalt.io/the-history-of-bug-bounty-programs-50def4dcaab3 HISTORY
  • 10. WHY BUG BOUNTY PROGRAM Bug bounty program is not Fighting the Fire with Fire, but prevention of fire! It takes a White Hacker to think before a bad guy creeps in. Remember the story of Frank Abagnale, the most talented fraudster in history, who ended up helping FBI. The winning formula for any organization is to recognize cyber security researcher who helped discover vulnerabilities. This is what a bug bounty program is about: Ethical hackers help businesses detect vulnerabilities/loopholes before the bad guys creep in. In other words: Getting Ahead. This is all about Bug Bounty Program. | Pasan Rawana Lamahewa
  • 11. Hacking takes place in Vicious Minds & Divine Minds • Divine Minds White Hackers Black Hackers Gray Hackers | Pasan Rawana Lamahewa
  • 12. As organizations implements latest with technology, so the destructive minds are getting more and more sophisticated | Pasan Rawana Lamahewa Organizations and their IT professionals are aware of this impending danger, but many believe they are satisfactorily protected, they can swiftly restore or that their organizations are too small to be observed by vicious minds.
  • 13. Why Bug Bounty Program Bugs exist in any software or system, and that is a fact. Cybercrimes are committed using a computer or computer technology or smart phone as primary tool. Types of Criminals • Social Engineer - manipulates human minds • Phisher - information / password theft • Hacker - blocking systems • Disgruntle Employee - information theft / blocking systems • Ransom Artist - spread malware /demand ransom | Pasan Rawana Lamahewa
  • 14. Common Vulnerabilities SQL Injection flaws. Cross Site Scripting - XSS Broken Authentication. Insecure Direct Object References. Cross Site Request Forgery. - CSRF Security Misconfiguration. Insecure Cryptographic Storage. Sensitive data Exposure Failure to restrict URL Access. Missing function Level Access Control Using Components with known vulnerabilities Invalidated redirects and forwards | Pasan Rawana Lamahewa
  • 15. Critical Vulnerabilities Source & Information Credit to: 2019 edescan vulnerability Stats report: Eoin & The Security | Pasan Rawana Lamahewa
  • 16. | Pasan Rawana Lamahewa WHY BUG BOUNTY PROGRAMS ARE IMPORTANT Bug bounties are an important tool that helps finding potential vulnerabilities or flaws But this has been often misunderstood. That was why the nature and the purpose of bug bounty schemes are openly discussed in a U.S. Senate hearing Security Researchers thinks differently and we the White Hat Hackers must think beyond the box, think beyond a “hacker’s thinking pattern” and “act ethically & responsibly”
  • 17. How to Start a Bug Bounty Program  Evaluate your Organization, its Systems and IT / Security Team  Decide on a Bug Bounty / Reward System  Decide on a Flatform / Direct approach to Security Researcher  Prepare a draft Vulnerability Disclosure Policy  The Rules of Engagement - define the Scope of Bug Bounty Program  Decide on unquestionable clarity about the authorized conduct of the Security Researcher and decide what proof need to confirm a vulnerability and how both ethical hacker and organization share the findings.  Discuss with your Team, Senior Management and agree  Document > Validate> Authorization>Public Knowledge/Web | Pasan Rawana Lamahewa VERY IMPORTANT  Select your point person very carefully  Provide the contact details of your point person, he must be responsive and tech savvy  Provide the clear instructions about the program, along with the specifications of the overall surface which may be IP Address, Domain name, type of test and type of reports etc. and emphasis on any exclusions
  • 18. BUG BOUNTY PROGRAM - LIFECYCLE Invite Security Researchers / Flatforms to test and find flaws ORGANIZATIONS Research PenTest/ SECURITY RESEARCHERS Vulnerabilities Found Not Found REPORT IT / Security Teams Validate the Issue Valid issues are REWARDED
  • 19. Consider Bug Bounties Carefully bug bounty programs are all about creating a culture of openness, transparency, responsibility and above all the thrust. Even if an organization doesn't offer bug bounties, it is pertinent to establish a “vulnerability disclosure policy” or ethical disclosure policy: A legal statement stating that an organization will not prosecute ethical hackers who detect vulnerabilities in systems / webs and report them ethically . • Since a bounty program is about trust and transparency, an organization ethically be open about how it will pay, reward or recognize for vulnerability detection. | Pasan Rawana Lamahewa
  • 20. Hand Pic your Goose for Golden Egg  Register in Good Flatforms  Research for Security Researchers  Conversation  Be Sure and mindful of side effects  Vulnerability Discloser Agreements  Connect and implement | Pasan Rawana Lamahewa SECLECT YOUR SECURITY RESEARCHER OR FLATFORM and/or MAKE YOUR BUG BOUNTY PROGRM OPEN TO PUBLIC
  • 21. The Testimonies  Marten Mickos, CEO of bug bounty platform HackerOne, said we need Hackers. “Our goal must be an internet that enables privacy and protects consumers. This is not achievable without ethical hackers taking an active role in safeguarding our collective security.“ “Ethical Hackers are truly the immune system of the internet," he added.  Justin Brookman, director of the Privacy and Technology Policy Consumers Union, said during the Senate hearing. "Used properly, bug bounty programs enable companies to learn of breaches and vulnerabilities, in service to the larger goals of protecting consumer data and alerting consumers to threats as warranted and/or required by law.“ Google operates one of the largest bug bounty programs. Bug bounties are an important tool that helps finding potential vulnerabilities or flaws But this has been often misunderstood. That was why the nature and the purpose of bug bounty schemes are openly discussed in a U.S. Senate hearing | Pasan Rawana Lamahewa
  • 22. SOME HISTORY | Pasan Rawana Lamahewa Source WIKIPEDIA  Hunter & Ready initiated the first known bug bounty program in 1983 for their Versatile Real -Time Executive operating system. • Anyone who found and reported a bug would receive a Volkswagen Beetle (a.k.a. Bug) in return.  In 1995, Jarrett Ridlinghafer, a technical support engineer at Netscape Communication Corporation given the phrase 'Bugs Bounty’. • Ridlinghafer presented a proposal for the 'Netscape Bugs Bounty Program’, at the Netscape Executive Team, everyone except the VP of Engineering did not agree thinking it to be a waste of time and resources. • However, Ridlinghafer was given an initial $50 budget to run with the proposal and the first official 'Bug Bounty' program was launched in 1995. • The program was such a huge success, it's mentioned in many of the books detailing Netscape's successes.
  • 23. | Pasan Rawana Lamahewa  In 2011, Dutch hackers Jobert Abma and Michiel Prins found security flaws in 100’s of prominent high-tech companies, some of them are Facebook, Google, Apple, Microsoft, and Twitter.  While many firms ignored their disclosure attempts, the COO of Facebook, Sheryl Sandberg, gave the warning to their head of product security, Alex Rice. Alex Rice, connected with Abma and Prins. They founded HackerOne, a crowed sourcing platform.  In November 2013, the company hosted a program encouraging the discovery and responsible disclosure of software bugs funded by Microsoft and Facebook. By June 2015, HackerOne's had identified approximately 10,000 vulnerabilities and paid researchers over $1 million in bounties. In April the company announced 240% year-over-year customer growth in
  • 24. Katie Moussouris had created the bug bounty program at Microsoft and was directly involved in creating the U.S. Department of Defense's first bug bounty program for hackers HackerOne is a vulnerability coordination and bug bounty platform that connects businesses with penetration testers and cyber security researchers. This is one of the first companies, along with Synack andBugCrowd, to utilize crowd-sourced security and cybersecurity researchers as linchpins of its business model; it is the largest cybersecurity firm of its kind. As of July 2018, HackerOne’s network consisted of approximately 200,000 researchers and had resolved 72,000 vulnarabilities across over 1,000 customer programs and HackerOne had paid $31 Million in bounties | Pasan Rawana Lamahewa
  • 25. • Facebook operates a large bug bounty program • HackerOne, which provides managed bug bounty programs for organizations, found that in 2017 the average bug bounty for a critical vulnerability was $1,923, although payment varies across different industry categories. • Bugcrowd also provides a managed bug bounty platform and has its own set of data on vulnerability payouts. Bugcrowd's 2017 State of the Bug Bounty report found that the average bug across all categories was $451. | Pasan Rawana Lamahewa
  • 26. REWARDS In year 2018 HackerOne paid $11Millions in Bounties | Pasan Rawana Lamahewa
  • 27. | Pasan Rawana Lamahewa
  • 28. | Pasan Rawana Lamahewa
  • 29. | Pasan Rawana Lamahewa
  • 30. | Pasan Rawana Lamahewa 10: Even More Facebook Data Exposure When: April 2018 The payout: $8,000 The bug: Data exposure by third-party app. 9: Google Administrative Authentication Bypass When: February 2018 The payout: $13,337 The bug: Broken authentication for YouTube TV’s admin panel. 8:Shopify Open to Takeovers When: December 2017-February 2018 The payout: $15,250 Free Games from Valve When: November 2018 The payout: $20,000 The bug: An API exploit allowing generation of game activation keys. 7.Google’s RCE Flaw When: May 2018 The payout: $36,337 The bug: A remote code execution flaw in Google’s deployment environment. 6. Facebook’s Largest Ever Bug Bounty When: Undisclosed; part of bounty program launched in April. The payout: $50,000 The bug: A privacy/monitoring vulnerability. 5: Facebook’s Largest Ever Bug Bounty When: Undisclosed; part of bounty program launched in April. The payout: $50,000 The bug: A privacy/monitoring vulnerability. Facebook published a review of its bug bounty program in 2018. As well as payouts for over 700 reported issues, 2018 has also the largest ever bounty payout from Facebook of $50,000.
  • 31. | Pasan Rawana Lamahewa 4.New Variants of Spectre When: July 2018 The payout: $100,000 The bug: New subvariants of the Spectre processor vulnerability. 3 Two Google Pixel Bugs When: August 2017-January 2018 The payout: $112,500 The bug: A pair of bugs creating a code injection vulnerability in Google’s Pixel smartphone. 2. Hack the Marines and Hack the Air Force When: October-November 2018 The payout: $150,000 from the Marines; $130,000 from the Air Force The bug: Hundreds of security vulnerabilities. 1. Oath’s Days of Bounties When: April and November 2018 The payout: Over $400,000 - twice The bug: Hundreds of bugs across two hacking events. Perhaps HackerOne’s biggest success story this year came at the H1-415 event in San Francisco. Oath Inc., a media company which owns brands like Yahoo!, AOL and Tumblr, invited 40 security researchers from HackerOne to a live hacking event. Over the course of the day, hundreds of bugs were discovered, netting a total bounty for the event of over $400,000. Read more at: https://www.immuniweb.com/blog/top-ten-bug-bounty-payouts-of-2018.html
  • 32. | Pasan Rawana Lamahewa DOs  Earlier the better  Be the user first  Understand the logic to break it  Think beyond mind set of Black or Gray Hacker  Have custom methods/payloads  Not just XSS, CSRF, IDOR, SQL  Act Ethically and Report  Be professional Approach for happy hunting DON’Ts × XSS, Cntrl C, Cntrl V everywhere × Easy way is not the right way × Half filled submissions & reports × Unethical / irresponsible behavior × Unethical disclosure × Unethical reporting × Selfishness × Abusing info /data accessed × Don’t do BEG HUNTING / Never beg for rewards
  • 33. MOTIVATORS FOR A SECURITY RESEARCHER Motivator #1 Set Self Target Motivator #2 Recognition Motivator #3 Money Motivator #4 Self Satisfaction – “I am not a Common Hacker wearing a Black Hat” “I keep on Collecting and Counting my White Hats” | Pasan Rawana Lamahewa
  • 34. My Experience Types of Organizations 1. The Genius - take ethical reports very seriously, rewards, recognizes and partner with the security researcher. 2. The Bulletproof – Never recognize or acknowledge and think they are Immortals. 3. Mr. Know it All– oops, we knew this before you and planning to fix 4. The Blind & Deaf – Never response 5. The Neutrals – a bug?, bug bounty program ?! News to us, anyway thank you, we’ll look into this. | Pasan Rawana Lamahewa
  • 35. My Experience The “Fixed Line Telecommunication Company” in a South Asian Country | Pasan Rawana Lamahewa I reported a serious flaw in their system, which can certainly expose subscribers sensitive information and many more, if found by a bad guy. It has now passed 8 months since my responsible responsible reporting of this vulnerability to their IT Team, no action has been initiated to de-bug it to-date This is a good example for organizations and its IT Professionals are thinking that they are “Bullet Proof” / or acts “Mr. Know it All”. Rather they are liabilities to their customers and to the society.
  • 37. Please feel free to contact me | Pasan Rawana Lamahewa pasanrlamahewa@gmail.com 🐦 https://twitter.com/Pasan_Rav
  • 38. Happy to be with you all and gain knowledge in my pursue of Cyber Security Ethical Research | Pasan Rawana Lamahewa