This talk is going to talk about how I got 50 CVE's in a week. I used to play bug bounties and other security penetration testing challenges. After realization I started contributing to Open Source Community and found several critical bugs and got proper satisfaction for the work. Then I met like minded people and started bug hunter with Code Vigilant (http://codevigilant.com), Project for Securing Open Source Software.

1. My Bug Hunting With Open Source
Madhu Akula
Information Security Enthusiastic

2. root@localhost:~# whoami
in.linkedin.com/in/madhuakula fb.com/madhu.akula twitter.com/madhuakula
● Network Security Consultant @Payatu
● Chapter lead at null
● Cr3w Member at Nullcon
● Contributor @ Codevigilant
● Bug Huner & Opensource Contributor
● Never ending Learner !

3. Agenda
My journey so far in the world of
bug finding
This is all about how I have done and
how you can also do

4. History
Started hunting for bugs on several bug bounty programs for

5. History
Started with Duplicates...

6. Digging into deep

9. Realization
● It's enough
● I'm wasting everyday 2hrs
● Luck is the best kick
● Started as noob and got some experience with
app security
● Increased friends network

10. Then what's next ???

11. CVE-2014-4329
CVE-2014-4722
CVE-2014-4853

12. After some days...
● I am not the only person thinking this, Found
something similar

13. What is Code Vigilnat
● A community collaboration effort to make
opensource software’s secure.
● Finding bugs and responsibly disclosing them
to respective author and preferable getting
software updated.
● Responsible disclosure on website after
sufficient interval.

14. About Code Vigilant
Anant Shrivastava Prajal Kulkarni
Chaitu Madhu Akula

15. Target A EcoSystem
● We Picked WordPress Ecosystem which meant
– WordPress Plugins (current focus)
– WordPress Themes (current Focus)
– WordPress Core (future check)
● Pick an ecosystem which you think is near and
dear to you and the language which you can
easily understand.

16. Why
● 60 million websites world wide
● Current stable release 4.0

17. Why Wordpress ?

18. Let's Find Zero Days

19. Feedback

20. Let's Automate

21. Result
More than 50 CVE's in 1 Week

22. Expectation
We are seeking for more volunteers to come
forward and help us make opensource
softwares a more secure plateform.

23. For 'U'
● Appeal to use codevigilant plateform
●
You find flaws
– Either join our team and do continuous contribution
• You get an author’s page at codevigilant
• If you get any bounty for the bug you keep it.
– Send Details as one off cases of finding
● We will do co-ordination with third party
● We will try to get it patched or remove it from internet if not patched.
● We will publish advisory on website with yours and co-ordinator’s
name in advisory.

24. For 'U'
● If you want a open source product tested
contact us and we will see what we can do
about it.
● If you want quick test’s you can think about
donating to the project.

25. Code Vigilant
● http://www.codevigilant.com
● https://github.com/Codevigilant
● https://facebook.com/Codevigilant
● https://twitter.com/Codevigilant

26. Thanks