ABOUT US
Alejandro Iacobelli
Application Security Manager at MELI and
OWASP Buenos Aires Chapter Leader
AppSec Professor
alejandro.iacobelli@owasp.org
linkedin.com/in/aiacobellisec
twitter: @aiacobelli_sec
Pablo Garbossa
Information Security Manager at MELI and
OWASP Buenos Aires Chapter Leader
pablo.garbossa@owasp.org
ar.linkedin.com/in/pgarbossa
twitter: @pgarbossa
DISCLAIMER
The opinions expressed in this presentation and/or in the following slides
are solely our own and not necessarily those of our employer.
We will talk about...
■ What is a bug bounty program?
■ Why is it important?
■ The company's perspective
NOT A SILVER BULLET
A bug bounty program is one activity among many in a secure SDLC:
● Security Requirements Engineering
● Threat modeling
● Attack surface analysis
● Misuse case analysis
● SAST
● Software Composition Analysis
● Secure coding standards
● DAST
● Vulnerability Assessment
● Peer Code Review
● Security Culture
● Software acceptance
● Bug Bounty Program
● Penetration testing
● Vulnerability Assessments
● Vulnerability Management
● Monitoring
● Anomaly detection
● Configuration Management
Avoid the Penetrate and Patch model
NOT A SILVER BULLET
Do not use it only as a vulnerability detector
AppSec program MATURITY: Tactical / Reactive -> Strategic / Proactive
Tactical / Reactive:
● Celebrate findings
● Set objectives in order to increase findings
● Generic policy
Strategic / Proactive:
● Every finding is seen as a failure at some stage of the SDLC
● Root cause analysis per finding
● Analyze bounty information to set new OKRs
DEFENSE IN DEPTH
Bug Bounty is not a replacement for pentesting
Vulnerability Assessment
Penetration Testing
RESPONSE TIME
Measure times and analyze effect on researchers
First Response Time
Average time to triage
Average time to bounty
Average time to resolution
Managed programs
RESPONSE TIME
Pay for risk reduction (more mature) -> resolution time and internal SLA are
important -> if not, angry community
Pay on valid report (less mature) -> careful with duplicates! -> angry community
Define your strategy: pay for the fix or pay for the valid report
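As an added example (not from the talk), the Python below computes the four response-time metrics listed under RESPONSE TIME above and checks the internal resolution SLA just discussed over a constructed set of reports. The record layout, the report states and the measurement points (first response and triage from submission, bounty and resolution from triage) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

@dataclass
class Report:
    """Lifecycle timestamps of one bounty report (hypothetical record layout)."""
    report_id: str
    submitted: datetime
    first_response: Optional[datetime] = None
    triaged: Optional[datetime] = None
    bountied: Optional[datetime] = None
    resolved: Optional[datetime] = None
    state: str = "open"  # open | resolved | duplicate

def _avg_hours(reports, start, end):
    """Mean hours between two lifecycle events, over reports that reached both."""
    hours = [(getattr(r, end) - getattr(r, start)).total_seconds() / 3600
             for r in reports if getattr(r, start) and getattr(r, end)]
    return round(mean(hours), 1) if hours else None

def program_metrics(reports):
    """Four response-time metrics from the talk plus the duplicate ratio. Assumed:
    first response/triage run from submission, bounty/resolution from triage."""
    valid = [r for r in reports if r.state != "duplicate"]  # no bounty, no fix owed
    return {
        "first_response_h": _avg_hours(reports, "submitted", "first_response"),
        "triage_h": _avg_hours(reports, "submitted", "triaged"),
        "bounty_h": _avg_hours(valid, "triaged", "bountied"),
        "resolution_h": _avg_hours(valid, "triaged", "resolved"),
        "duplicate_ratio": round(1 - len(valid) / len(reports), 2) if reports else None,
    }

def sla_breaches(reports, resolution_sla_days, now):
    """Ids of valid reports whose fix time exceeds the SLA (open ones measured at `now`)."""
    limit = timedelta(days=resolution_sla_days)
    return [r.report_id for r in reports
            if r.state != "duplicate" and r.triaged is not None
            and (r.resolved or now) - r.triaged > limit]

# Constructed sample data: three reports, one of them a duplicate.
T0 = datetime(2024, 3, 1, 9, 0)
H, D = timedelta(hours=1), timedelta(days=1)
SAMPLE_REPORTS = [
    Report("R-1", T0, T0 + 2 * H, T0 + D, T0 + 3 * D, T0 + 10 * D, "resolved"),
    Report("R-2", T0 + D, T0 + D + 6 * H, T0 + 2 * D),  # triaged, fix still open
    Report("R-3", T0 + 2 * D, T0 + 2 * D + 4 * H, T0 + 2 * D + 12 * H, state="duplicate"),
]
NOW = T0 + 20 * D  # evaluation date for still-open reports
```

With a 14-day SLA, R-2 is the only breach: it was triaged 18 days before NOW and is still unresolved, while the duplicate R-3 is not counted at all.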
BUDGET
More money, more interest
Pay a lot for trivial findings & up
[Chart: bounty amount ("Show me the money") vs. MATURITY]
Money should go up according to maturity
How to choose how much to pay?
SCOPE
Prudence toward the unknown is good, but too much prudence is not
● Makes recon and the learning curve more complicated
● Products do not depend on a single domain
● Accepting 3 types of vulnerabilities makes the first-report barrier very high
SCOPE
Prudence toward the unknown is good, but too much prudence is not
Cum hoc ergo propter hoc!!
QUALITY OVER QUANTITY
More knowledge, better vulnerabilities
- More accurate documentation (cards, users, APIs)
- Announce new features
- Challenge researchers into specific targets
- Organize events to bond with the community
Conclusions
- Before anything else, preparation is the key to success (do your pre-work)
- "A mature application security program cannot rely solely on this kind of
initiative to detect flaws in its applications" (Not a silver bullet)
- "A bug bounty program is not a replacement for traditional pentest exercises, but a
complement" (Defense in depth)
- "A demotivated hunter creates an avalanche effect in the community, and response
times are an influential factor" (Response Time)
- "Of all rejected invitations, 20% are due to a narrow scope" (Scope)
- "The amounts paid should relate to the maturity of the products under test, the
available budget and how risky that product can be for the company." (Show me the money)
- "In general, the highest-impact vulnerabilities are found once the functionality of an
application is thoroughly understood." (Quality and Quantity)
- Focus on building a community.