A representative of HackerOne, one of the world's most respected white-hat hacker communities, who will join us by video link, will cover various organizational details and share experience of working with international companies.
2. Bounties and Other Incentives
Katie Moussouris
Chief Policy Officer
http://twitter.com/k8em0 <-- that’s a zero
3. Who I am
Chief Policy Officer, HackerOne
Mother of Microsoft’s Bounty Programs, Internet Bug Bounty Panelist
Chair of BlueHat Content Board 2010-2013
My (security*) work in bullet points:
◆ Linux Dev and Security Tzarina - TurboLinux, circa 2000
◆ Pen Tester - Artist formerly known as @stake
◆ Founder - Symantec Vulnerability Research (SVR)
◆ Founder - Microsoft Vulnerability Research (MSVR)
◆ Policy Maker
◆ Editor for ISO standard on Vulnerability Handling (30111)
◆ Lead SME for US National Body on Vulnerability Disclosure (29147)
◆ Lead editor for Penetration Testing as it applies to Common Criteria (20004-2) and Secure Application Development processes (27034-3)
* Was a molecular biologist in a past professional life; worked on the Human Genome Project
4. What is HackerOne?
● Vulnerability Coordination Platform
o Built by Facebook, Microsoft, Chrome security folks
● 100+ live programs with well over $100k paid out each month
● 1,000+ hackers (researchers?) recognized for their work
● Important: We only host these programs.
o Researchers & Security Teams manage their own programs.
o HackerOne employees do not have access to reports.
7. Signal-to-Noise Ratio
● There's noise on the internet
● Researcher Reputation - Good for researchers and teams
o The best researchers stand out from noisier ones
o Mutual incentives to maintain a high-signal environment
o Security Teams benefit from additional context
o An Anecdote!
"Noisiest" researcher had 1,500+ submissions and a <5% success rate.
One month later: same researcher now has 60%+ success rate.
9. Knowledge
● Sharing knowledge is valuable to the entire community
o Those who do not learn from the mistakes of the past are doomed to repeat them
● Q: How can we encourage more vulnerability sharing?
o One-click disclosures
o Streamlined coordination
o Shared goals
o No surprises
11. IE Preview Bug Bounty: All in the timing
● Running a bounty program during the Preview (beta) period for IE11 addressed the greatest number of issues with the least impact to customers AND engineers
● Vulnerability brokers don’t offer payment for the IE browser in beta, so there is a gap in the marketplace
● Actual Results: 23 submissions, 18 bulletin-class issues – including 4 sandbox escapes