Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and Abroad
http://blog.mazinahmed.net/2016/10/bug-bounty-hunting-swiss-cyber-storm.html

Published in: Technology

1. Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and Abroad
   By: Mazin Ahmed
   @mazen160
   mazin AT mazinahmed DOT net

2. WHO AM I?
   Mazin Ahmed
   – Freelancing Information Security Specialist / Penetration Tester
   – Freelancing Security Researcher at Bugcrowd, Inc
   – Security Contributor at ProtonMail
   – Interested in web security, network security, WAF evasion, mobile security, responsible disclosure, and software automation.
   – One of the top 50 researchers at Bugcrowd out of 37,000+ researchers.
   – Acknowledged by Facebook, Twitter, Oracle, LinkedIn, and many…
   You can read more at https://mazinahmed.net

3. And I have contributed to the security of the following:

4. AGENDA
   • MY STORY
   • WHAT ARE BUG BOUNTY PROGRAMS?
   • BUG BOUNTY PROGRAMS (HISTORY)
   • WHY BUG BOUNTY PROGRAMS?
   • POPULAR BUG BOUNTY PLATFORMS
   • SELF-HOSTED BUG BOUNTY PROGRAMS
   • TIPS & NOTES
   • RESPONSIBLE DISCLOSURE PROGRAM VS. BUG BOUNTY PROGRAM
   • BUG BOUNTY PLATFORMS PROCESS
   • WHAT HAPPENS AFTER STARTING A BUG BOUNTY
   • COMMON PITFALLS/MISTAKES
   • COOL FINDINGS
   • INFOSEC AND BUG HUNTING IN SUDAN & THE MIDDLE EAST
   • ACKNOWLEDGEMENTS
   • QUESTIONS

5. • First ever public bug bounty platform.
   • 37,000+ researchers/hackers.
   • Largest-ever security team.
   • Offers managed / unmanaged, on-going / time-limited, public / private bug bounties.

6. • A “security inbox” for companies, and a bug bounty platform.
   • The client handles the submission validation process.
   • Around 3,700 researchers have been thanked on the platform.

7. • Only hires the best of the best.
   • Requires written exams, practical exams, and background checks for researchers.
   • Larger payouts than its competitors.
   • Private number of researchers, private clients.

8. • Bug bounty platform + crowdsourced pentesting services.
   • Different pentesting + bounty services.
   • A team of 5,000 researchers, 200 vetted researchers, 329 submitted valid reports.

9. • Amsterdam-based bug bounty platform.
   • Invite-only platform for researchers.
   • Around 100 chosen researchers.
   • Handles all reports (aka managed bounty programs).
   • Runs scanners on systems to find low-hanging fruit before launching the program.

10. SELF-HOSTED BUG BOUNTY PROGRAMS
    • Can be done by handling reports by email, forms, etc.
    • Less chance of hackers noticing it (unless the company is very well-known).
    • Examples: Facebook, Google, PayPal, United Airlines.
    • Bugcrowd hosts a list of self-hosted bounty programs: https://bugcrowd.com/list-of-bug-bounty-programs and https://firebounty.com

11. • Bug bounties do not replace traditional security assessment.
    • Before getting into bug bounties:
      – Evaluate your systems and networks.
      – Perform internal vulnerability assessments.
      – Fix everything!

12. Responsible Disclosure Program vs. Bug Bounty Program

13. When getting into bug bounties:
    • [Preferably] Start with a bug bounty platform.
    • Check with the bug bounty platform's support.
    • Write an explicit and clear bounty brief.

14. Bug Bounty Platforms Process

15. When you receive a submission, respond with an acknowledgment. Try to fix issues ASAP. Payouts are a vital part!

16. Tips & Notes (for Researchers)

17. • A bug bounty program is NOT a way to get free or almost-free pentests.

18. Common Pitfalls/Mistakes

19. Common Pitfalls/Mistakes
    • Not paying researchers while having a full bounty program, aka playing dodgy with researchers.
      – Some companies actually do that! Example: Yandex

20. Common Pitfalls/Mistakes
    Example: Yandex
    Check: http://www.rafayhackingarticles.net/2012/10/yandex-bug-bounty-program-is-it-worth.html

21. Common Pitfalls/Mistakes
    Internal Policy Issues: To fix or not? To reward or not?

22. Internal Policy Issues

23. Cool Findings: “The Fun Part”

24. Why? Because we are in Switzerland!

25. • One day, I woke up and said to myself, let's hack Symantec!
    • Of course, Symantec has a responsible disclosure policy that I follow.

26. Bug #1: Backup-File Artifacts on nortonmail.Symantec.com

27. Bug #2: Multiple SQL Injection Vulnerabilities (#1)

28. Bug #2: Multiple SQL Injection Vulnerabilities (#2)

29. Plan (there was a CMS on the same web environment):
    • Exploit SQLi
    • Get password
    • Crack (if hashed)
    • Upload a web shell
    • Reverse TCP connection to my box
    • Access the CMS as Admin
    • Get root (the server used a deprecated and vulnerable kernel)
    • Dump the DB
    • Report it to the vendor. DONE

30. Executing the Plan
    Found that I have access to 61 databases! I immediately stopped and reported it without exploitation. Just imagine if I was a bad guy.

31. What is it like to be a bug bounty hunter from the Middle East? How is the knowledge level in IT security in the Middle East?

32. How powerful are Arabian black-hat hackers?
    • When it comes to defacing public property, they get crazy.
    • Motivated by: politics, human rights, money, and ego.
    • Seriously, don't underestimate their powers, don't mess with them, you won't like the outcome!
    Note: I do not support any form of unethical hacking by any means.

33. Acknowledgements
    • Christian Folini - @ChrFolini
    • Bernhard Tellenbach
    • @SwissCyberStorm Team
    and everyone for attending and listening!

34. Questions?
    Mazin Ahmed
    Twitter: @mazen160
    Email: mazin AT mazinahmed DOT net
    Website: https://mazinahmed.net
    LinkedIn: https://linkedin.com/in/infosecmazinahmed