SlideShare a Scribd company logo

Bugbounty Programs - Codemotion

O
Omar BV

The document discusses the importance and complexity of bug bounty programs, highlighting the need for structured policies, criteria for payments, and integration with existing tools. It emphasizes the significance of responsible disclosure, evaluation of vulnerabilities, and maintaining a robust hacker community for effective security management. Additionally, it outlines the expectations from researchers and the types of submissions deemed valid or invalid in the bug bounty process.

Presentations & Public Speaking
Related topics:
Information Security
1 of 40
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
BUGBOUNTY PROGRAMS Omar Benbouazza Madrid | November 30 - December 1, 2018
Bugbounty Programs - Codemotion
• InfoSecurity Leader at IKEA • More than 15 years experience. • Technology, Hacking, Bug Bounties, Investigation, Threats… • Organizer of RootedCON Security Conference (~2000 hackers) • Former EY, Nokia and Microsoft
Bugbounty Programs - Codemotion
Bugbounty Programs - Codemotion
6
7
Bugbounty Programs - Codemotion
Bugbounty Programs - Codemotion
• Cybercrime is raising, increasing the financial impact • Cost for defending companies is huge • Infrastructure complexity is growing • Some talent issues, you don’t have the best! MANAGE
MANAGE
• PENTESTING Activities • Compliance / Standards • Internal/External Audits • Secure Coding (SecDevOps) • HACKING COMMUNITY!! (Responsible Disclosure / Bug Bounty)
• Result guarantee: it is "paid" only for real vulnerabilities • AGILE and FLEXIBLE: Switch ON/OFF • Talented and Skilled people, don’t matter what technology
• Responsible Disclosure Program • BugBounty Program • Pentesting != BugBounty
✓ Plan the Budget $$$ ✓ Choose the Platform ✓ Integrations: Slack, JIRA… ✓ Think about the Scope / Targeted solutions ✓ Team / Teams supporting ✓ TEST Security before… ✓ Stablish criteria for payments beforehand ✓ Define SLA’s ✓ Write a policy for your program, what is not allowed! ✓ Monthly Committee
REPORT REJECT ACCEPTED ORIGINAL BUG? (Not duplicated) IN SCOPE? WEB MOBILE APPS YES NO VALID REPORT? (Reproducible) INFORM hackerTEST REQUEST INFO to hacker FW TO TEAM + INFO NEEDED? WON’T FIXFIX THANKS to hacker ELEGIBLE? $$$ THANKS to hacker CHECK THANKS to hacker INFORM hacker BB IT SEC INFORM hacker WORKING ON REPORT
Bugbounty Programs - Codemotion
Bugbounty Programs - Codemotion
Bugbounty Programs - Codemotion
* The 2018 H1 Report
* The 2018 H1 Report
* The 2018 H1 Report
Bugbounty Programs - Codemotion
Limit Information Disclosure
Bugbounty Programs - Codemotion
Bugbounty Programs - Codemotion
Bugbounty Programs - Codemotion
• Technical Description: ✓ We want to know what you can do, and how you can use it ✓ We want to know an exploitation vector ✓ CVSS (Common Vulnerability Scoring System) ✓ We want steps to reproduce the issue • Script code • URL (SQLi – with getting RDBMS version, XSS – with alert) • Packet sample (pcap) • Screenshots • Etc.
Bugbounty Programs - Codemotion
• NO THANKS: ✓ Attachments: PDF, DOC, EXE… ✓ Acunetix Reports (Automated scanners) ✓ Non exploitable bugs /* self XSS */ ✓ Bugs without evidences ✓ Bugs based on blog articles of someone…
Bugbounty Programs - Codemotion
• Create a DB, make easy to find stuff • Check before you process • Avoid duplicates… later will be complicated • Evaluate the risk • If some information is missing, contact the researcher!
Bugbounty Programs - Codemotion
• Web Services ✓ All Nokia sites are in scope ✓ Marketing Sites • Nokia/HERE Apps (Lumia/Asha) • OS Vulnerabilities (Lumia/Asha) • Firmware • Client Software
• Dealers / Online Shops • Enterprise-Corporate Systems • Non-Nokia Services
CASE STUDIES
Bugbounty Programs - Codemotion
Bugbounty Programs - Codemotion
Bugbounty Programs - Codemotion
THANKS!

More Related Content

PDF
Omar Benbouazza | Bugbounty Programs | Codemotion Madrid 2018
Codemotion
 
PPTX
Programatori cu capul in nori
Alex Popescu
 
PPTX
Building a Hacker Resistant Network
Sentry Global Technologies, LLC
 
PPTX
Aegis Personal Cybersecurity 101
Nick Powers
 
PPTX
ThingStudio_persys17
alessio tirabasso
 
PPTX
How to make the move towards hybrid cloud computing
David Strom
 
PPTX
Picking the right Single Sign On Tool to protect your network
David Strom
 
PPTX
Understanding passwordless technologies
David Strom
 
Omar Benbouazza | Bugbounty Programs | Codemotion Madrid 2018
Codemotion
 
Programatori cu capul in nori
Alex Popescu
 
Building a Hacker Resistant Network
Sentry Global Technologies, LLC
 
Aegis Personal Cybersecurity 101
Nick Powers
 
ThingStudio_persys17
alessio tirabasso
 
How to make the move towards hybrid cloud computing
David Strom
 
Picking the right Single Sign On Tool to protect your network
David Strom
 
Understanding passwordless technologies
David Strom
 

What's hot (17)

PPT
How to keep track of cloud costs
David Strom
 
PDF
Grega Pušnik: The development of IOT products and concern for user privacy
Domen Savič
 
PDF
Identity-Based Privacy (IBP) - Cloud Computing and Privacy Protection
Igor Zboran
 
PDF
Things I wish I'd known before I started with Microservices - GOTO Amsterdam ...
Steve Judd
 
PDF
ArcBlock Presents 5 Winning Factors to Building a Successful DApp
ArcBlock
 
PPTX
Using OpenStack to Control VM Chaos
David Strom
 
PPTX
How to Keep Your Databases Secure in Just Minutes a Day
Ed Leighton-Dick
 
PDF
Moodle self-hosting - some things to consider Mike Hughes, Amanda Doughty, ...
Ireland & UK Moodlemoot 2012
 
PDF
A Breathless Tour of Blockchain
Eoin Woods
 
DOCX
Dc resume
David Clark
 
PPTX
Plain talk about security public - ms1
Mike Stone
 
PDF
Visualizing Threats: Network Visualization for Cyber Security
Cambridge Intelligence
 
PDF
Solving problems with authentication
MecklerMedia
 
PDF
Liferay cloud services lnlug-6-march-2014
Ruud Kluivers
 
PPTX
Career in IT - HMTIF UB Platform 2014
Eryk Budi Pratama
 
PPTX
Cybersecurity Careers: Setting Yourself Apart in a Competitive Field
Infosec
 
PPTX
MultPoint Ltd.company overview 2014 3214 short version
Ricardo Resnik
 
How to keep track of cloud costs
David Strom
 
Grega Pušnik: The development of IOT products and concern for user privacy
Domen Savič
 
Identity-Based Privacy (IBP) - Cloud Computing and Privacy Protection
Igor Zboran
 
Things I wish I'd known before I started with Microservices - GOTO Amsterdam ...
Steve Judd
 
ArcBlock Presents 5 Winning Factors to Building a Successful DApp
ArcBlock
 
Using OpenStack to Control VM Chaos
David Strom
 
How to Keep Your Databases Secure in Just Minutes a Day
Ed Leighton-Dick
 
Moodle self-hosting - some things to consider Mike Hughes, Amanda Doughty, ...
Ireland & UK Moodlemoot 2012
 
A Breathless Tour of Blockchain
Eoin Woods
 
Dc resume
David Clark
 
Plain talk about security public - ms1
Mike Stone
 
Visualizing Threats: Network Visualization for Cyber Security
Cambridge Intelligence
 
Solving problems with authentication
MecklerMedia
 
Liferay cloud services lnlug-6-march-2014
Ruud Kluivers
 
Career in IT - HMTIF UB Platform 2014
Eryk Budi Pratama
 
Cybersecurity Careers: Setting Yourself Apart in a Competitive Field
Infosec
 
MultPoint Ltd.company overview 2014 3214 short version
Ricardo Resnik
 
Ad

Similar to Bugbounty Programs - Codemotion (20)

PDF
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays
 
PDF
IT security for all. Bootcamp slides
Wallarm
 
PDF
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
bugcrowd
 
PDF
ProdSec: A Technical Approach
Jeremy Brown
 
PPTX
Security for Humans
Dustin Collins
 
PDF
DevOps and DevSecOps, Incident Management
ShriniKulkarni
 
PPTX
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins
 
PPTX
Protect your Database with Data Masking & Enforced Version Control
DBmaestro - Database DevOps
 
PPTX
Pentesting Tips: Beyond Automated Testing
Andrew McNicol
 
PPTX
Security For Humans
conjur_inc
 
PDF
C days2015
Nuno Loureiro
 
PPTX
7 Secrets to Becoming a Citrix Hero
eG Innovations
 
PPTX
Open Source Defense for Edge 2017
Adrian Sanabria
 
PPTX
Why defensive research is sexy too.. … and a real sign of skill
Ollie Whitehouse
 
PPTX
Threat Modeling All Day!
Steven Carlson
 
PPT
JDA: Building an Open Source Center of Excellence
Black Duck by Synopsys
 
PPTX
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
PDF
AppSec in an Agile World
David Lindner
 
PDF
HIS 2017 Paul Sherwood- towards trustable software
jamieayre
 
PDF
The Lost Tales of Platform Design (February 2017)
Julien SIMON
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays
 
IT security for all. Bootcamp slides
Wallarm
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
bugcrowd
 
ProdSec: A Technical Approach
Jeremy Brown
 
Security for Humans
Dustin Collins
 
DevOps and DevSecOps, Incident Management
ShriniKulkarni
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins
 
Protect your Database with Data Masking & Enforced Version Control
DBmaestro - Database DevOps
 
Pentesting Tips: Beyond Automated Testing
Andrew McNicol
 
Security For Humans
conjur_inc
 
C days2015
Nuno Loureiro
 
7 Secrets to Becoming a Citrix Hero
eG Innovations
 
Open Source Defense for Edge 2017
Adrian Sanabria
 
Why defensive research is sexy too.. … and a real sign of skill
Ollie Whitehouse
 
Threat Modeling All Day!
Steven Carlson
 
JDA: Building an Open Source Center of Excellence
Black Duck by Synopsys
 
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
AppSec in an Agile World
David Lindner
 
HIS 2017 Paul Sherwood- towards trustable software
jamieayre
 
The Lost Tales of Platform Design (February 2017)
Julien SIMON
 
Ad

Recently uploaded (20)

PPTX
Effective_Handling_Information_Presentation.pptx
HarisKaimKhani
 
PPTX
Role and Responsibilities of Bangladesh Coast Guard Base, Mongla Challenges
Tasnim Alam Safin
 
PDF
oil_refinery_presentation_v1 sllfmfls.pdf
TusharPrajapati65
 
PPTX
Anesthesia and it's stage with mnemonic and images
panchalkhushal24
 
PPTX
Emphasizing It's Not The End 08 06 2025.pptx
FamilyWorshipCenterD
 
PPTX
Presentation for DGJV QMS (PQP)_12.03.2025.pptx
M. Alper SAHIN
 
PPTX
water for all cao bang - a charity project
tungln
 
PPTX
Hydrogel Based delivery Cancer Treatment
sgsayan31
 
PDF
Parts of Speech Prepositions Presentation in Colorful Cute Style_20250724_230...
ShomailahRashid
 
PPTX
lesson6-211001025531lesson plan ppt.pptx
ajp27480
 
PPTX
Tour Presentation Educational Activity.pptx
PaulineAngeliqueBere
 
PPTX
An Unlikely Response 08 10 2025.pptx
FamilyWorshipCenterD
 
PDF
Nykaa-Strategy-Case-Fixing-Retention-UX-and-D2C-Engagement (1).pdf
VaibhavBansal926958
 
PPTX
BIOLOGY TISSUE PPT CLASS 9 PROJECT PUBLIC
iamsrinjandatta
 
PPTX
Impressionism_PostImpressionism_Presentation.pptx
PrincessJazminAligan
 
PPTX
worship songs, in any order, compilation
wilmalenetoledo
 
PPTX
chapter8-180915055454bycuufucdghrwtrt.pptx
ajp27480
 
PDF
Tunisia's Founding Father(s) Pitch-Deck 2022.pdf
Hafedh Hafez Mechergui
 
PPTX
Primary and secondary sources, and history
valenciamarcchristia
 
PPTX
Intro to ISO 9001 2015.pptx wareness raising
nadianisar5
 
Effective_Handling_Information_Presentation.pptx
HarisKaimKhani
 
Role and Responsibilities of Bangladesh Coast Guard Base, Mongla Challenges
Tasnim Alam Safin
 
oil_refinery_presentation_v1 sllfmfls.pdf
TusharPrajapati65
 
Anesthesia and it's stage with mnemonic and images
panchalkhushal24
 
Emphasizing It's Not The End 08 06 2025.pptx
FamilyWorshipCenterD
 
Presentation for DGJV QMS (PQP)_12.03.2025.pptx
M. Alper SAHIN
 
water for all cao bang - a charity project
tungln
 
Hydrogel Based delivery Cancer Treatment
sgsayan31
 
Parts of Speech Prepositions Presentation in Colorful Cute Style_20250724_230...
ShomailahRashid
 
lesson6-211001025531lesson plan ppt.pptx
ajp27480
 
Tour Presentation Educational Activity.pptx
PaulineAngeliqueBere
 
An Unlikely Response 08 10 2025.pptx
FamilyWorshipCenterD
 
Nykaa-Strategy-Case-Fixing-Retention-UX-and-D2C-Engagement (1).pdf
VaibhavBansal926958
 
BIOLOGY TISSUE PPT CLASS 9 PROJECT PUBLIC
iamsrinjandatta
 
Impressionism_PostImpressionism_Presentation.pptx
PrincessJazminAligan
 
worship songs, in any order, compilation
wilmalenetoledo
 
chapter8-180915055454bycuufucdghrwtrt.pptx
ajp27480
 
Tunisia's Founding Father(s) Pitch-Deck 2022.pdf
Hafedh Hafez Mechergui
 
Primary and secondary sources, and history
valenciamarcchristia
 
Intro to ISO 9001 2015.pptx wareness raising
nadianisar5
 

Bugbounty Programs - Codemotion

  • 1. BUGBOUNTY PROGRAMS Omar Benbouazza Madrid | November 30 - December 1, 2018
  • 3. • InfoSecurity Leader at IKEA • More than 15 years experience. • Technology, Hacking, Bug Bounties, Investigation, Threats… • Organizer of RootedCON Security Conference (~2000 hackers) • Former EY, Nokia and Microsoft
  • 6. 6
  • 7. 7
  • 10. • Cybercrime is raising, increasing the financial impact • Cost for defending companies is huge • Infrastructure complexity is growing • Some talent issues, you don’t have the best! MANAGE
  • 12. • PENTESTING Activities • Compliance / Standards • Internal/External Audits • Secure Coding (SecDevOps) • HACKING COMMUNITY!! (Responsible Disclosure / Bug Bounty)
  • 13. • Result guarantee: it is "paid" only for real vulnerabilities • AGILE and FLEXIBLE: Switch ON/OFF • Talented and Skilled people, don’t matter what technology
  • 14. • Responsible Disclosure Program • BugBounty Program • Pentesting != BugBounty
  • 15. ✓ Plan the Budget $$$ ✓ Choose the Platform ✓ Integrations: Slack, JIRA… ✓ Think about the Scope / Targeted solutions ✓ Team / Teams supporting ✓ TEST Security before… ✓ Stablish criteria for payments beforehand ✓ Define SLA’s ✓ Write a policy for your program, what is not allowed! ✓ Monthly Committee
  • 16. REPORT REJECT ACCEPTED ORIGINAL BUG? (Not duplicated) IN SCOPE? WEB MOBILE APPS YES NO VALID REPORT? (Reproducible) INFORM hackerTEST REQUEST INFO to hacker FW TO TEAM + INFO NEEDED? WON’T FIXFIX THANKS to hacker ELEGIBLE? $$$ THANKS to hacker CHECK THANKS to hacker INFORM hacker BB IT SEC INFORM hacker WORKING ON REPORT
  • 20. * The 2018 H1 Report
  • 21. * The 2018 H1 Report
  • 22. * The 2018 H1 Report
  • 28. • Technical Description: ✓ We want to know what you can do, and how you can use it ✓ We want to know an exploitation vector ✓ CVSS (Common Vulnerability Scoring System) ✓ We want steps to reproduce the issue • Script code • URL (SQLi – with getting RDBMS version, XSS – with alert) • Packet sample (pcap) • Screenshots • Etc.
  • 30. • NO THANKS: ✓ Attachments: PDF, DOC, EXE… ✓ Acunetix Reports (Automated scanners) ✓ Non exploitable bugs /* self XSS */ ✓ Bugs without evidences ✓ Bugs based on blog articles of someone…
  • 32. • Create a DB, make easy to find stuff • Check before you process • Avoid duplicates… later will be complicated • Evaluate the risk • If some information is missing, contact the researcher!
  • 34. • Web Services ✓ All Nokia sites are in scope ✓ Marketing Sites • Nokia/HERE Apps (Lumia/Asha) • OS Vulnerabilities (Lumia/Asha) • Firmware • Client Software
  • 35. • Dealers / Online Shops • Enterprise-Corporate Systems • Non-Nokia Services