SlideShare a Scribd company logo

Bug Bounty @ Swisscom

Cyber Security Alliance
Cyber Security Alliance

Florian Badertscher presents on Swisscom's Bug Bounty program. Swisscom started the program after an incident to provide a central point of contact for vulnerability reports and incentives for researchers. The program offers bounties from 150-10,000 CHF depending on risk. It receives around 200 submissions per year, mostly for web vulnerabilities. The program helps Swisscom identify issues and improve security awareness, though coordinating fixes can be challenging.

Technology
1 of 19
Download to read offline
Bug Bounty @ Swisscom #cybsec16, Yverdon, Switzerland Florian Badertscher, 04.10.2016 C1 - public
About me • Security Analyst at Swisscom CSIRT, since 2015 – Incident handling – Develop monitoring infrastructure – Security initiatives and projects – Responsible for the creation and running of the Bug Bounty program • Background as pen tester and IT security consultant / teacher 03/11/2016 2 C1-public,FlorianBadertscher,SwisscomCSIRT
03/11/2016 3 C1-public,FlorianBadertscher,SwisscomCSIRT Agenda • Part 1: Bug Bounty @ Swisscom • Part 2: Discussion
Bug Bounty @ Swisscom Part 1
Why do we have a Bug Bounty program? • There was an incident… • 2 options: – Going public with a press release – De-escalate the situation using clear rules for both parties à a Bug Bounty program 03/11/2016 5 C1-public,FlorianBadertscher,SwisscomCSIRT
The basic idea behind our program Goals • Central point of contact • Streamlined process to handle vulnerability notifications • Set the rules • Create incentives • Create transparency about security issues Scope • All our services and products • We expect from the researcher to identify the system properly Bounties • Risk based approach • CHF 150 – CHF 10’000 03/11/2016 6 C1-public,FlorianBadertscher,SwisscomCSIRT
Legal questions Current situation • Enable the payout of bounties • All test-activities have to be within the bounds of the law – No permit to perform all kind of tests on our systems • And in reality..? Payout • Comply with sanctions / embargos – Identify the researcher and check all the lists • Our approach: leave it to the bank – No PayPal 03/11/2016 7 C1-public,FlorianBadertscher,SwisscomCSIRT
How do you start it? • You probably won’t announce it with a big bang • Simple page on the website • Page on HackerOne 03/11/2016 8 C1-public,FlorianBadertscher,SwisscomCSIRT
Results Facts • 200 submissions per year • 75% web-related • 50kCHF bounties per year What works well? • Quality of the reports • Some high-risk findings Where are our difficulties? • Find the owner of the system X with IP Y out of 3.4 Mio. • Convince the (external) dev/ops team to address the issue fast 03/11/2016 9 C1-public,FlorianBadertscher,SwisscomCSIRT
Results More results • Clear guidelines about publishing advisories • Measure the effectiveness of the education – Internal developed code has much less vulnerabilities • Spot your weak points – It shows you very clearly, where you’re good and where not 03/11/2016 10 C1-public,FlorianBadertscher,SwisscomCSIRT
Return on investment • Learn about vulnerabilities • Gain insights into the situation at the frontlines – All the low-impact submissions are useful as well • Clean-up old stuff • Create awareness for security • Secure software development and Bug Bounty programs complement each other perfectly • Push agile approaches 03/11/2016 11 C1-public,FlorianBadertscher,SwisscomCSIRT
What we are working on • Include the program in our contracts • Create awareness in the important departments • Improve the handling / tracking • Assign some more manpower 03/11/2016 12 C1-public,FlorianBadertscher,SwisscomCSIRT
Example: CPE • Affected devices: – Centro Grande / Centro Business • Vulnerability: – Did you see the talk from SCRT? J – Chain of vulnerabilities – Remote root access – Precondition: remote administration enabled / CSRF 03/11/2016 13 C1-public,FlorianBadertscher,SwisscomCSIRT
Example: CPE Swisscom devices are managed • HDM (Home Device Manager) / ACS (Auto Configuration Server) • TR-069 or CPE WAN Management Protocol (CWMP) • It is the responsibility of Swisscom to update the devices 03/11/2016 14 C1-public,FlorianBadertscher,SwisscomCSIRT
Example: CPE • Challenges – Update = replace the firmware – Heavy functional testing necessary – Many ISP’s use the software • Mitigation – Deploy a quick fix – Stopping remote exploitation – Prepare and test the complete fix – Solve the root cause – Coordinate with the vendor 03/11/2016 15 C1-public,FlorianBadertscher,SwisscomCSIRT
Example: CPE Impact • ~800’000 – 1’000’000 vulnerable devices deployed • ~3’500 – 4’000 with remote administration enabled Bounty • 3’000 CHF 03/11/2016 16 C1-public,FlorianBadertscher,SwisscomCSIRT
Questions? / Discussion Part 2
Thank you!
Contact information / Links Links • https://www.swisscom.ch/en/about/sustainability/digital- switzerland/security/bug-bounty.html • https://hackerone.com/swisscom/ Swisscom (Schweiz) AG GSE-MON Florian Badertscher Postfach 3050 Bern florian.badertscher@swisscom.com 03/11/2016 19 C1-public,FlorianBadertscher,SwisscomCSIRT

Recommended

You can't teach an old dog new tricks
You can't teach an old dog new tricksYou can't teach an old dog new tricks
You can't teach an old dog new tricks
Watchful Software
 
Blockchain for Beginners
Blockchain for Beginners Blockchain for Beginners
Blockchain for Beginners
Cyber Security Alliance
 
Integrating teamwork and active learning into the classroom
Integrating teamwork and active learning into the classroomIntegrating teamwork and active learning into the classroom
Integrating teamwork and active learning into the classroom
Barbara Oakley
 
Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16
Cyber Security Alliance
 
MyNOG 9: Vulnerability Reporting Program on a Shoestring Budget
MyNOG 9: Vulnerability Reporting Program on a Shoestring BudgetMyNOG 9: Vulnerability Reporting Program on a Shoestring Budget
MyNOG 9: Vulnerability Reporting Program on a Shoestring Budget
APNIC
 
Vulnerability Reporting Program on a Shoestring Budget by Jamie Gillespie, A...
Vulnerability Reporting Program on a Shoestring Budget by Jamie Gillespie, A...Vulnerability Reporting Program on a Shoestring Budget by Jamie Gillespie, A...
Vulnerability Reporting Program on a Shoestring Budget by Jamie Gillespie, A...
MyNOG
 
Improve the Security of Your Application Portfolio in a Few Days with On-Dema...
Improve the Security of Your Application Portfolio in a Few Days with On-Dema...Improve the Security of Your Application Portfolio in a Few Days with On-Dema...
Improve the Security of Your Application Portfolio in a Few Days with On-Dema...
Capgemini
 
Introductie slides Continuous Delivery 3.0
Introductie slides Continuous Delivery 3.0Introductie slides Continuous Delivery 3.0
Introductie slides Continuous Delivery 3.0
Maikel Meeuwse
 

Recommended

You can't teach an old dog new tricks
You can't teach an old dog new tricksYou can't teach an old dog new tricks
You can't teach an old dog new tricks
Watchful Software
 
Blockchain for Beginners
Blockchain for Beginners Blockchain for Beginners
Blockchain for Beginners
Cyber Security Alliance
 
Integrating teamwork and active learning into the classroom
Integrating teamwork and active learning into the classroomIntegrating teamwork and active learning into the classroom
Integrating teamwork and active learning into the classroom
Barbara Oakley
 
Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16
Cyber Security Alliance
 
MyNOG 9: Vulnerability Reporting Program on a Shoestring Budget
MyNOG 9: Vulnerability Reporting Program on a Shoestring BudgetMyNOG 9: Vulnerability Reporting Program on a Shoestring Budget
MyNOG 9: Vulnerability Reporting Program on a Shoestring Budget
APNIC
 
Vulnerability Reporting Program on a Shoestring Budget by Jamie Gillespie, A...
Vulnerability Reporting Program on a Shoestring Budget by Jamie Gillespie, A...Vulnerability Reporting Program on a Shoestring Budget by Jamie Gillespie, A...
Vulnerability Reporting Program on a Shoestring Budget by Jamie Gillespie, A...
MyNOG
 
Improve the Security of Your Application Portfolio in a Few Days with On-Dema...
Improve the Security of Your Application Portfolio in a Few Days with On-Dema...Improve the Security of Your Application Portfolio in a Few Days with On-Dema...
Improve the Security of Your Application Portfolio in a Few Days with On-Dema...
Capgemini
 
Introductie slides Continuous Delivery 3.0
Introductie slides Continuous Delivery 3.0Introductie slides Continuous Delivery 3.0
Introductie slides Continuous Delivery 3.0
Maikel Meeuwse
 
20180528 reflex presentation
20180528 reflex presentation20180528 reflex presentation
20180528 reflex presentation
Javier Núñez, CAIA
 
ba_interview_assignment.pptx
ba_interview_assignment.pptxba_interview_assignment.pptx
ba_interview_assignment.pptx
ssuser991a01
 
2020 FRSecure CISSP Mentor Program - Class 10
2020 FRSecure CISSP Mentor Program - Class 102020 FRSecure CISSP Mentor Program - Class 10
2020 FRSecure CISSP Mentor Program - Class 10
FRSecure
 
Introducing Ethical Hacking to the Ministry of Defence.pdf
Introducing Ethical Hacking to the Ministry of Defence.pdfIntroducing Ethical Hacking to the Ministry of Defence.pdf
Introducing Ethical Hacking to the Ministry of Defence.pdf
Association for Project Management
 
The State Of Information and Cyber Security in 2016
The State Of Information and Cyber Security in 2016The State Of Information and Cyber Security in 2016
The State Of Information and Cyber Security in 2016
Shannon G., MBA
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security MetricsJack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security Metrics
centralohioissa
 
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsInformation Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security Metrics
Jack Nichelson
 
SAP Project Delivery during a Global Pandemic
SAP Project Delivery during a Global PandemicSAP Project Delivery during a Global Pandemic
SAP Project Delivery during a Global Pandemic
Richard Williams
 
What legacy will your project leave
What legacy will your project leaveWhat legacy will your project leave
What legacy will your project leave
Greg Hyde
 
Secure information sharing - the external user dilemma
Secure information sharing - the external user dilemmaSecure information sharing - the external user dilemma
Secure information sharing - the external user dilemma
Watchful Software
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Dilum Bandara
 
AusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNIC
AusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNICAusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNIC
AusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNIC
APNIC
 
You've Been Breached: How To Mitigate The Incident
You've Been Breached: How To Mitigate The IncidentYou've Been Breached: How To Mitigate The Incident
You've Been Breached: How To Mitigate The Incident
Resilient Systems
 
Stu r36 b
Stu r36 bStu r36 b
Stu r36 b
SelectedPresentations
 
ITP-1 – Project CharterGroup 3 - The Project Management Masters .docx
ITP-1 – Project CharterGroup 3 - The Project Management Masters .docxITP-1 – Project CharterGroup 3 - The Project Management Masters .docx
ITP-1 – Project CharterGroup 3 - The Project Management Masters .docx
priestmanmable
 
PMP - Project Initiation Template for Professionals
PMP - Project Initiation Template for ProfessionalsPMP - Project Initiation Template for Professionals
PMP - Project Initiation Template for Professionals
Daniel_Mccrea
 
Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)
Ray Bugg
 
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
robbiesamuel
 
2016-02-03 research seminar
2016-02-03 research seminar2016-02-03 research seminar
2016-02-03 research seminar
ifi8106tlu
 
In2SAM Audit Defence_ITAM Review Amsterdam April 2016
In2SAM Audit Defence_ITAM Review Amsterdam April 2016In2SAM Audit Defence_ITAM Review Amsterdam April 2016
In2SAM Audit Defence_ITAM Review Amsterdam April 2016
Martin Thompson
 
Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?
Cyber Security Alliance
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce it
Cyber Security Alliance
 

More Related Content

Similar to Bug Bounty @ Swisscom

Introducing Ethical Hacking to the Ministry of Defence.pdf
Introducing Ethical Hacking to the Ministry of Defence.pdfIntroducing Ethical Hacking to the Ministry of Defence.pdf
Introducing Ethical Hacking to the Ministry of Defence.pdf
Association for Project Management
 
What legacy will your project leave
What legacy will your project leaveWhat legacy will your project leave
What legacy will your project leave
Greg Hyde
 
Secure information sharing - the external user dilemma
Secure information sharing - the external user dilemmaSecure information sharing - the external user dilemma
Secure information sharing - the external user dilemma
Watchful Software
 
You've Been Breached: How To Mitigate The Incident
You've Been Breached: How To Mitigate The IncidentYou've Been Breached: How To Mitigate The Incident
You've Been Breached: How To Mitigate The Incident
Resilient Systems
 
ITP-1 – Project CharterGroup 3 - The Project Management Masters .docx
ITP-1 – Project CharterGroup 3 - The Project Management Masters .docxITP-1 – Project CharterGroup 3 - The Project Management Masters .docx
ITP-1 – Project CharterGroup 3 - The Project Management Masters .docx
priestmanmable
 

Similar to Bug Bounty @ Swisscom (20)

20180528 reflex presentation
20180528 reflex presentation20180528 reflex presentation
20180528 reflex presentation
 
ba_interview_assignment.pptx
ba_interview_assignment.pptxba_interview_assignment.pptx
ba_interview_assignment.pptx
 
2020 FRSecure CISSP Mentor Program - Class 10
2020 FRSecure CISSP Mentor Program - Class 102020 FRSecure CISSP Mentor Program - Class 10
2020 FRSecure CISSP Mentor Program - Class 10
 
Introducing Ethical Hacking to the Ministry of Defence.pdf
Introducing Ethical Hacking to the Ministry of Defence.pdfIntroducing Ethical Hacking to the Ministry of Defence.pdf
Introducing Ethical Hacking to the Ministry of Defence.pdf
 
The State Of Information and Cyber Security in 2016
The State Of Information and Cyber Security in 2016The State Of Information and Cyber Security in 2016
The State Of Information and Cyber Security in 2016
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security MetricsJack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security Metrics
 
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsInformation Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security Metrics
 
SAP Project Delivery during a Global Pandemic
SAP Project Delivery during a Global PandemicSAP Project Delivery during a Global Pandemic
SAP Project Delivery during a Global Pandemic
 
What legacy will your project leave
What legacy will your project leaveWhat legacy will your project leave
What legacy will your project leave
 
Secure information sharing - the external user dilemma
Secure information sharing - the external user dilemmaSecure information sharing - the external user dilemma
Secure information sharing - the external user dilemma
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
 
AusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNIC
AusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNICAusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNIC
AusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNIC
 
You've Been Breached: How To Mitigate The Incident
You've Been Breached: How To Mitigate The IncidentYou've Been Breached: How To Mitigate The Incident
You've Been Breached: How To Mitigate The Incident
 
Stu r36 b
Stu r36 bStu r36 b
Stu r36 b
 
ITP-1 – Project CharterGroup 3 - The Project Management Masters .docx
ITP-1 – Project CharterGroup 3 - The Project Management Masters .docxITP-1 – Project CharterGroup 3 - The Project Management Masters .docx
ITP-1 – Project CharterGroup 3 - The Project Management Masters .docx
 
PMP - Project Initiation Template for Professionals
PMP - Project Initiation Template for ProfessionalsPMP - Project Initiation Template for Professionals
PMP - Project Initiation Template for Professionals
 
Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)
 
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
 
2016-02-03 research seminar
2016-02-03 research seminar2016-02-03 research seminar
2016-02-03 research seminar
 
In2SAM Audit Defence_ITAM Review Amsterdam April 2016
In2SAM Audit Defence_ITAM Review Amsterdam April 2016In2SAM Audit Defence_ITAM Review Amsterdam April 2016
In2SAM Audit Defence_ITAM Review Amsterdam April 2016
 

More from Cyber Security Alliance

Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented feature
Cyber Security Alliance
 

More from Cyber Security Alliance (20)

Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce it
 
Why huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksWhy huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacks
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomware
 
Introducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsIntroducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging apps
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacks
 
Rump : iOS patch diffing
Rump : iOS patch diffingRump : iOS patch diffing
Rump : iOS patch diffing
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 f
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented feature
 
Rump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabriceRump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabrice
 
Operation emmental appsec
Operation emmental appsecOperation emmental appsec
Operation emmental appsec
 
Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modem
 
Colt sp sec2014_appsec-nf-vfinal
Colt sp sec2014_appsec-nf-vfinalColt sp sec2014_appsec-nf-vfinal
Colt sp sec2014_appsec-nf-vfinal
 
Asfws2014 tproxy
Asfws2014 tproxyAsfws2014 tproxy
Asfws2014 tproxy
 

Recently uploaded

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Recently uploaded (20)

ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

Bug Bounty @ Swisscom

  • 1. Bug Bounty @ Swisscom #cybsec16, Yverdon, Switzerland Florian Badertscher, 04.10.2016 C1 - public
  • 2. About me • Security Analyst at Swisscom CSIRT, since 2015 – Incident handling – Develop monitoring infrastructure – Security initiatives and projects – Responsible for the creation and running of the Bug Bounty program • Background as pen tester and IT security consultant / teacher 03/11/2016 2 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 4. Bug Bounty @ Swisscom Part 1
  • 5. Why do we have a Bug Bounty program? • There was an incident… • 2 options: – Going public with a press release – De-escalate the situation using clear rules for both parties à a Bug Bounty program 03/11/2016 5 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 6. The basic idea behind our program Goals • Central point of contact • Streamlined process to handle vulnerability notifications • Set the rules • Create incentives • Create transparency about security issues Scope • All our services and products • We expect from the researcher to identify the system properly Bounties • Risk based approach • CHF 150 – CHF 10’000 03/11/2016 6 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 7. Legal questions Current situation • Enable the payout of bounties • All test-activities have to be within the bounds of the law – No permit to perform all kind of tests on our systems • And in reality..? Payout • Comply with sanctions / embargos – Identify the researcher and check all the lists • Our approach: leave it to the bank – No PayPal 03/11/2016 7 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 8. How do you start it? • You probably won’t announce it with a big bang • Simple page on the website • Page on HackerOne 03/11/2016 8 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 9. Results Facts • 200 submissions per year • 75% web-related • 50kCHF bounties per year What works well? • Quality of the reports • Some high-risk findings Where are our difficulties? • Find the owner of the system X with IP Y out of 3.4 Mio. • Convince the (external) dev/ops team to address the issue fast 03/11/2016 9 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 10. Results More results • Clear guidelines about publishing advisories • Measure the effectiveness of the education – Internal developed code has much less vulnerabilities • Spot your weak points – It shows you very clearly, where you’re good and where not 03/11/2016 10 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 11. Return on investment • Learn about vulnerabilities • Gain insights into the situation at the frontlines – All the low-impact submissions are useful as well • Clean-up old stuff • Create awareness for security • Secure software development and Bug Bounty programs complement each other perfectly • Push agile approaches 03/11/2016 11 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 12. What we are working on • Include the program in our contracts • Create awareness in the important departments • Improve the handling / tracking • Assign some more manpower 03/11/2016 12 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 13. Example: CPE • Affected devices: – Centro Grande / Centro Business • Vulnerability: – Did you see the talk from SCRT? J – Chain of vulnerabilities – Remote root access – Precondition: remote administration enabled / CSRF 03/11/2016 13 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 14. Example: CPE Swisscom devices are managed • HDM (Home Device Manager) / ACS (Auto Configuration Server) • TR-069 or CPE WAN Management Protocol (CWMP) • It is the responsibility of Swisscom to update the devices 03/11/2016 14 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 15. Example: CPE • Challenges – Update = replace the firmware – Heavy functional testing necessary – Many ISP’s use the software • Mitigation – Deploy a quick fix – Stopping remote exploitation – Prepare and test the complete fix – Solve the root cause – Coordinate with the vendor 03/11/2016 15 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 16. Example: CPE Impact • ~800’000 – 1’000’000 vulnerable devices deployed • ~3’500 – 4’000 with remote administration enabled Bounty • 3’000 CHF 03/11/2016 16 C1-public,FlorianBadertscher,SwisscomCSIRT
  • 19. Contact information / Links Links • https://www.swisscom.ch/en/about/sustainability/digital- switzerland/security/bug-bounty.html • https://hackerone.com/swisscom/ Swisscom (Schweiz) AG GSE-MON Florian Badertscher Postfach 3050 Bern florian.badertscher@swisscom.com 03/11/2016 19 C1-public,FlorianBadertscher,SwisscomCSIRT