Bug Bounty Programs For The Web

Security Evolution - Bug Bounty Programs for Web Applications Michael Coates - Mozilla September, 2011OWASP Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org

AgendaHistory of Bounty ProgramsMozilla Web Bounty ResultsLaunching a Web Bounty ProgramCommon Bounty ConcernsConclusion OWASP 2

History of Bounty Programs1995 - Netscape 20102002 - iDefense Google Chromium2004 - Mozilla Firefox Deutsche Post E-Postbrief Google Web2005 - ZDI Mozilla Web2007 - Pwn2Own Barracuda 2011 Hex Rays Facebook OWASP 4

Types of ProgramsOpen to all - Reported Central “Clearing House” direct to software maker (2002) iDefense (1995) Netscape (2005) ZDI TippingPoint (2004) Mozilla Firefox (2010) Google Chromium Pre-Approved Teams / (2010) Google Web Competition (2010) Mozilla Web (2007) Pwn2Own (2010) Barracuda (2010) Deutsche Post E- (2011) Hex Rays Postbrief (2011) Facebook OWASP 5

Programs for the WebMozilla Web Bounty General Policies $500 - $3000 Select web sites inGoogle Web Bounty scope $500 - $3137 Critical issuesFacebook Security Bounty Paid for new issues Typically $500, paid up to (not dupes) $5000 OWASP 6

Bounty Programs - Why?User & user data safety is #1Productive relationship with communityWork directly with researchersConsistent security at scale is hardNot competing with black market OWASP 7

Mozilla Web Bounty - Scope‣ Goal: Protect Users‣ Critical issues such as xss, csrf, code injection, authentication flaws Sites In Scope- bugzilla.mozilla.org - www.getfirefox.com- *.services.mozilla.com - addons.mozilla.org- getpersonas.com - services.addons.mozilla.org- aus*.mozilla.org - versioncheck.addons.mozilla.org- www.mozilla.com/org - pfs.mozilla.org- www.firefox.com - download.mozilla.org OWASP 9

Mozilla Web Bounty - Submission Timeline +,-."+/"0123"#!!" #$" +!" *!" )!" (!" !" %&" &!" %!" *" $!" !" !" )" (" &" $" #!" !" !" !" ,-./#!" 012/#!" 345/##" 617/##" 849/##" :;9/##" 84</##" 3=5/##" 3=>/##" :=?/##" @1;/##" OWASP 10

Mozilla Web Bounty - Bugs Reported !"#$%&"()*+,(-(."/(0,(1*#2345&"( %&#$ ()$*+,-$ !"#$ .+/01234(-$ OWASP 11

Mozilla Web Bounty - Types of Issues Reported !"#$%&%()*+#,-% (#$ &#$ )#$ #$ *++$ %"#$ ,-./0$ 1+02$ !"#$ %&#$ 3456-$ +78349/1-$ :6-.$ -8+$ OWASP 12

Mozilla Web Bounty - The Reporters How Many Bugs Are People Submitting? Number of Bugs Submitted Percentage of Reporters 1 Bug 47% 2-5 Bugs 33% 6+ Bugs 20% Top 11% of bug finders contribute 56% of bugs OWASP 13

Mozilla Web Bounty - What is SubmittedFailure in design patterns - ex: image uploadsProcedural gaps / forgotten serversSmaller traditional bugs OWASP 14

Mozilla Web Bounty - The Bounties $104,000* Total Paid (since Dec, 2010) 175 Bugs Submitted 64 Qualifying bugs 24 Paid Contributors* Mozilla Web Bounty, not including Firefox Bounties OWASP 15

Mozilla Web Bounty - Bounty Payments !"#$%&(&"#$%(& %#" %#" %!" %!" $#" $$" $!" )" #" !" &#!!" &$!!!" &$#!!" &(!!!" OWASP 16

Mozilla Web Bounty - Bounty Payments -)*./0.1)%*2()%"*314%,5$6&+ !$%"""# !"%"""# (# !&$%"""# &&# !&"%"""# $# )# $# !$%"""# )# # *# &# &# &# &# &# # &# &# # &# &# &# &# &# &# !"# !"#$%&()"*+$,%*)+ OWASP 17

Mozilla Web Bounty - BenefitsEngages communityProduces many high value bugsBounty is not purchasing silenceSecurity at huge scopeIdentifies clever attacks & edge cases OWASP 18

Mozilla Web Bounty - Lessons LearnedInitial spike of work loadPrepare necessary teamsResponse time & communication is criticalResearchers & directions - not always a perfect match +,-."+/"0123"#!!" #$" +!" *!" )!" (!" !" %&" &!" %!" *" $!" !" !" )" (" &" $" #!" !" !" !" ,-./#!" 012/#!" 345/##" 617/##" 849/##" :;9/##" 84</##" 3=5/##" 3=>/##" :=?/##" @1;/##" OWASP 19

Mozilla Web Bounty - Worth It? YES! OWASP 20

Bounty Programs - Why?User & user data safety is #1Productive relationship with communityConsistent security at scale is hardNot competing with black market OWASP 22

Launching Your Own Web Bounty Program Bug bounties are an enhancement, not a substitute for any portion of a secure SDLC OWASP 23

Bounty Programs - PreparationGain developer & team lead supportCheck your codeDefine clear reporting processDefine scope and types of issuesBuild team to respond to reports & establish response time goalsAnnounce programRoot cause analysisLearn & adjust OWASP 24

Bounty ConcernsCommon concerns with web bounty programs Encourages attackers Too expensive Veil of cover for attackers Bounty program duplicates internal security work Can’t compete with black marketWe’ll address why these concerns aren’t necessarily valid OWASP 26

Bounty Concerns - Encourages attackersBad guys already attacking youWithout bounty program good guys afraid to test or reportBounty program enables participants that will help you OWASP 27

Bounty Concerns - Too ExpensiveVery high valueCompare bounty payout with equivalent 3rd party testingProvides continual testingUse individual bugs to identify root cause flawsWhat percentage of profit spent on security? OWASP 28

Bounty Concerns - Veil of cover for attackersGoal is to identify flaws, not identify bad guysOne possible deployment: Full security controls & active blocking in prod Setup public stage for testing with dummy data Configure production to actively blocks attackers Stage area could be next revision of code for prod OWASP 29

Bounty Concerns - Duplicates Internal SecurityWorkYou don’t know what you don’t knowIdentifies process breakdownsIdentifies areas for training in secure sdlcAnother tactic to protect users & critical data OWASP 30

Bounty Concerns - Can’t Compete with BlackMarketBounty programs and black market target different audiencesSome people are bad, but many people are goodMany don’t want hassle or questionable ethics/ legalities of black market OWASP 31

Bounty Concerns - Can’t Compete with BlackMarketBlack market process Bug bounty process Identify critical issue Identify critical issue Weaponize exploit Report issue to Find buyer on underground reputable program market Negotiate price Receive bounty from Give bank account info for organization wire transfer? Arrange Feel happy you’ve meeting for large cash helped the world be exchange? safer File appropriate tax returns? OWASP 32

Conclusion Web Bounty Program works great for Mozilla Recommend exploring how this may work for you Leverage lessons learned & evaluate risk/benefit OWASP 34

Question? @_mwcmichael-coates.blogspot.com OWASP 35

http://blog.segu-info.com.ar	954
http://blog.hackaserver.com	470
http://blog.bugcrowd.com	309
http://paper.li	53
http://seguinfo.wordpress.com	52
https://twitter.com	15
http://blog--hackaserver--com--v1-8b2b0dfc9994f89313afa4d6c3f211a4.p.shopproxy.de	1

Bug Bounty Programs For The Web

by Michael Coates on Sep 26, 2011

Accessibility

Categories

Upload Details

Usage Rights

7 Embeds 1,854

Statistics

Bug Bounty Programs For The Web Presentation Transcript