Grant McCracken and Daniel Trauner's presentation on setting up and managing a successful bug bounty program. Having a bug bounty program is one of the most efficient methods of finding security vulnerabilities today. But, as anyone who has tried to run a bug bounty program knows, it's not a trivial undertaking. As professionals who have helped to manage hundreds of bug bounty programs, we're uniquely positioned to provide advice on how to succeed. Whether you're already running a bug bounty program, are looking to run one, or are a researcher, this talk aims to deepen your knowledge of the subject.
1. If You Can’t Beat ‘Em Join ‘Em:
Practical Tips for Running a Successful Bug Bounty Program
Grant McCracken and Daniel Trauner
AppSecUSA 2016
2. Grant
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
• Solutions Architect @Bugcrowd
– Formerly an AppSec Engineer
• Before that, WhiteHat
• Traveling, music, stuff.
3. Dan
• Senior AppSec Engineer @Bugcrowd
• Before that, Software Security @HP
– Static analysis – lots of languages
– Focused on Apple iOS
• Art history and collecting
9. Do you really want to let people attack you?
Source (Hyperbole and a Half)
10. Yes! (They’re doing it anyways…)
Source (Hyperbole and a Half)
11. You and Them (not You vs. Them)
12. Who are these people?
• All ages
• All levels of experience
• All over the world
• Users and non-users
• Passionate about security!
13. The Value of Crowdsourced Testing
Formal Methodologies vs. The Crowd's Creativity
19. …but first, Step 0
• Basic resources and requirements
– A full-time resource
– Escalation policies
– Organization-wide awareness
20. Scope
• Scope defines the researcher’s universe
– Leave nothing open to interpretation
– Understand your attack surface
– Recognize the path of least resistance
Source (Flickr)
21. Focus
• You might care about specific:
– Targets
– Vulnerability Types
– Functionality (e.g. payment processing)
• How?
– Incentives
Source (xkcd)
22. Exclusions
• You might not care about:
– (Low-impact) “low hanging fruit”
– Intended functionality
– Known issues
– Accepted risks
– Issues based on pivoting
Source (Meme Generator)
23. Environment
• Production vs. staging
• Make sure it can stand up to testing!
– Scanners
– Contact forms
– Pentesting requests
• Special bounty types
• Researcher environments
Source (Twitter @PokemonGoApp)
24. This is what a shared environment looks like…
25. Access
• Easier = better
• Provide adequate resources for success
– E.g. sandbox credit cards
• No shared credentials
Source (Demotivation)
30. Communication is Key
• Researchers like:
– Concise, unambiguous responses
• Many researchers are ESL (English as a second language) speakers, so keep wording plain
– Short response time
– Predictable reward time
• Stay on top of these issues!
• Public disclosure?
32. Define a Vulnerability Rating Taxonomy (VRT)
• For program owners:
– Speeds up triage process
– Track your organization’s security posture
– Arrive at a reward amount more quickly
• For researchers:
– Focus on high-value bugs
– Avoid wasting time on non-rewardable bugs
– Alongside the brief, helps build trust
33. THINK LIKE A RESEARCHER
35. The Bughunter’s Methodology
• Identify roads less traveled
– Acquisitions (define the rules)
– Functionality changes or redesigns
– Mobile websites or apps
• Think like a researcher
– Wikipedia (acquisitions)
– Google dorks, recon-ng, altdns, etc.
• jhaddix/domain (enumall)
• ChrisTruncer/EyeWitness
– Researchers’ Blogs
– And many more we can't fit into this talk!
Source (Meme Generator)
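The Scope slide says to leave nothing open to interpretation, and the Bughunter's Methodology slide lists recon tools (enumall, altdns, EyeWitness) that produce long host lists. The code below is an added example, not from the talk or from Bugcrowd: a small scope matcher that takes a constructed recon host list and sorts each host into in-scope, out-of-scope, or unlisted. The wildcard semantics (`*.example.com` covers subdomains at any depth but not the apex, and explicit exclusions always win) are an assumption that a real brief would need to state in so many words; every hostname and rule below is made up for the demo.

```python
"""Scope matcher for bug bounty triage (added example, not from the talk).

Classifies hostnames that a researcher turned up during recon against a
program's in-scope / out-of-scope rules. All rules, hostnames and the
"discovered" list are constructed for this demo; the wildcard semantics
('*.example.com' covers any depth of subdomain but not the apex) are an
assumption that a real brief should spell out explicitly.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def normalize_host(target: str) -> str:
    """Reduce a URL or host string to a bare lower-case hostname so that
    'HTTPS://API.Example.com:443/v1/' and 'api.example.com' compare equal."""
    host = target.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0]        # drop any path
    host = host.rsplit("@", 1)[-1]      # drop userinfo if present
    host = host.split(":", 1)[0]        # drop a port
    return host.rstrip(".")             # drop a trailing FQDN dot


def host_matches(host: str, pattern: str) -> bool:
    """'*.example.com' matches www.example.com and a.b.example.com but not
    example.com itself or evil-example.com; any other pattern must match
    the hostname exactly."""
    pattern = normalize_host(pattern)
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # suffix match on ".example.com"
    return host == pattern


@dataclass
class ProgramScope:
    in_scope: list[str]
    out_of_scope: list[str] = field(default_factory=list)

    def classify(self, target: str) -> str:
        """Explicit exclusions win over inclusions; anything the brief does
        not mention is reported as 'unlisted' rather than silently guessed."""
        host = normalize_host(target)
        if any(host_matches(host, p) for p in self.out_of_scope):
            return "out-of-scope"
        if any(host_matches(host, p) for p in self.in_scope):
            return "in-scope"
        return "unlisted"


def triage(scope: ProgramScope, discovered: list[str]) -> dict[str, list[str]]:
    """Bucket a recon host list by scope verdict, de-duplicating after
    normalization so URL variants of one host are counted once."""
    buckets: dict[str, list[str]] = {"in-scope": [], "out-of-scope": [], "unlisted": []}
    seen: set[str] = set()
    for target in discovered:
        host = normalize_host(target)
        if host in seen:
            continue
        seen.add(host)
        buckets[scope.classify(host)].append(host)
    return buckets


# Constructed scope brief for a fictional program (hypothetical rules).
PROGRAM = ProgramScope(
    in_scope=["*.example.com", "example.com", "api.example.net"],
    out_of_scope=["corp.example.com", "*.corp.example.com", "legacy.example.com"],
)

# Constructed output of a subdomain-enumeration run (not real recon data).
DISCOVERED = [
    "www.example.com",
    "example.com",
    "HTTPS://API.Example.com:443/v1/",
    "api.example.com",
    "vpn.corp.example.com",
    "legacy.example.com",
    "shop.example-cdn.net",
    "api.example.net",
    "dev.example.net",
    "notexample.com",
]

if __name__ == "__main__":
    for verdict, hosts in triage(PROGRAM, DISCOVERED).items():
        print(f"{verdict}:")
        for h in hosts:
            print(f"  {h}")
```

The "unlisted" bucket is the point: hosts like `dev.example.net` that the brief neither includes nor excludes are exactly where researchers and program owners end up arguing, so a brief should either add a rule for them or state a default. Note also that excluding only `*.corp.example.com` would still leave `corp.example.com` itself in scope via `*.example.com`, which is why the example lists both forms.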