| Pasan Rawana Lamahewa
ILLUSIVE MINDS ARE AT WORK
Your home, business and organizations are at risk
PROTECT YOURSELF TODAY
Let's get friendly first
I am not a hacker
I am a Bug Bounty Hunter
I break security, not hearts 💘
PASAN RAWANA LAMAHEWA
 Civil Aviation Pilot Trainee
 Undergrad in Cyber Security
 Undergrad in Biz Management
 Undergrad in IATA
 Cyber Security Researcher
 Lyricist
Security Researcher with a FACE
TOPICS
 Understanding Bug Bounty
 Bug Bounty Programs
 Why Bug Bounty Programs are Important in today's Context
 Bug Bounty Platforms
 Bug Bounty Hunter
 Types of Hackers
 How to Start a Bug Bounty Program
 Forums of Incident Response and Security Teams
 Crowdsource platforms
 Rewards
 My experience as a Security Researcher
 Things to Consider
 Useful Links
 Questions
What is Bug Bounty?
Bounty and bounty hunting date back many centuries and are synonymous with England and the USA.
Bug Bounty Hunting
 The IT teams at many organizations don't have enough time, or they lack the skills, to think "beyond the routine" in order to identify and squash bugs in their systems.
 So organizations 'reach out to private individuals for help'. This is called a Bug Bounty Program.
 The Bug Bounty Hunter uses their tools to break into the systems the program puts in scope, writes up a vulnerability report for the organization that issued the bounty, and then gets paid or rewarded.
A simple DEFINITION
Bug Bounty Program
A Bug Bounty Program (BBP) or Vulnerability Reward Program (VRP) can be simply defined as an organizational initiative that rewards and recognizes individuals who discover flaws/loopholes in software/systems/web applications and ACT ETHICALLY to report them to the organization.
In other words, a BBP/VRP is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and rewards.
HISTORY
Source: https://blog.cobalt.io/the-history-of-bug-bounty-programs-50def4dcaab3
WHY BUG BOUNTY PROGRAM
A bug bounty program is not fighting fire with fire, but prevention of fire!
It takes a White Hat Hacker to think ahead before a bad guy creeps in.
Remember the story of Frank Abagnale, the most talented fraudster in history, who ended up helping the FBI.
The winning formula for any organization is to recognize the cyber security researchers who help discover vulnerabilities.
This is what a bug bounty program is about: ethical hackers help businesses detect vulnerabilities/loopholes before the bad guys creep in.
In other words: Getting Ahead. That is what a Bug Bounty Program is all about.
Hacking takes place in Vicious Minds & Divine Minds
• Divine Minds: White Hat Hackers
• Black Hat Hackers
• Gray Hat Hackers
As organizations implement the latest technology, the destructive minds are getting more and more sophisticated.
Organizations and their IT professionals are aware of this impending danger, but many believe they are satisfactorily protected, that they can swiftly restore, or that their organizations are too small to be noticed by vicious minds.
Why Bug Bounty Program
Bugs exist in any software or system, and that is a fact.
Cybercrimes are committed using a computer, computer technology or a smartphone as the primary tool.
Types of Criminals
• Social Engineer - manipulates human minds
• Phisher - information / password theft
• Hacker - blocking systems
• Disgruntled Employee - information theft / blocking systems
• Ransom Artist - spreads malware / demands ransom
Common Vulnerabilities
SQL Injection flaws
Cross Site Scripting (XSS)
Broken Authentication
Insecure Direct Object References (IDOR)
Cross Site Request Forgery (CSRF)
Security Misconfiguration
Insecure Cryptographic Storage
Sensitive Data Exposure
Failure to Restrict URL Access
Missing Function Level Access Control
Using Components with Known Vulnerabilities
Unvalidated Redirects and Forwards
Critical Vulnerabilities
Source & information credit to:
2019 edgescan Vulnerability Stats Report: Eoin &
The Security
WHY BUG BOUNTY PROGRAMS ARE IMPORTANT
Bug bounties are an important tool that helps find potential vulnerabilities or flaws.
But this has often been misunderstood.
That is why the nature and the purpose of bug bounty schemes were openly discussed in a U.S. Senate hearing.
Security researchers think differently, and we, the White Hat Hackers, must think outside the box, think beyond a "hacker's thinking pattern" and "act ethically & responsibly".
How to Start a Bug Bounty Program
 Evaluate your organization, its systems and your IT / Security team
 Decide on a bug bounty / reward system
 Decide on a platform, or a direct approach to a security researcher
 Prepare a draft Vulnerability Disclosure Policy
 The Rules of Engagement - define the scope of the Bug Bounty Program
 Decide, with unquestionable clarity, what conduct is authorized for the security researcher, what proof is needed to confirm a vulnerability, and how the ethical hacker and the organization share the findings.
 Discuss with your team and senior management, and agree
 Document > Validate > Authorization > Public Knowledge / Web
VERY IMPORTANT
 Select your point person very carefully
 Provide the contact details of your point person; they must be responsive and tech-savvy
 Provide clear instructions about the program, along with the specification of the overall surface, which may be IP addresses, domain names, type of test, type of reports etc., and emphasize any exclusions
BUG BOUNTY PROGRAM - LIFECYCLE
1. ORGANIZATIONS invite Security Researchers / Platforms to test and find flaws
2. SECURITY RESEARCHERS perform Research / PenTest
3. Vulnerabilities Found / Not Found
4. REPORT
5. IT / Security Teams validate the issue
6. Valid issues are REWARDED
Consider Bug Bounties Carefully
Bug bounty programs are all about creating a culture of openness, transparency, responsibility and, above all, trust.
Even if an organization doesn't offer bug bounties, it is pertinent to establish a "vulnerability disclosure policy" or ethical disclosure policy: a legal statement that the organization will not prosecute ethical hackers who detect vulnerabilities in its systems / websites and report them ethically.
• Since a bounty program is about trust and transparency, an organization should ethically be open about how it will pay, reward or recognize vulnerability detection.
Hand-pick your Goose for the Golden Egg
 Register on good platforms
 Research security researchers
 Conversation
 Be sure and mindful of side effects
 Vulnerability Disclosure Agreements
 Connect and implement
SELECT YOUR SECURITY RESEARCHER OR PLATFORM and/or
MAKE YOUR BUG BOUNTY PROGRAM OPEN TO THE PUBLIC
The Testimonies
 Marten Mickos, CEO of bug bounty platform HackerOne, said we need hackers. "Our goal must be an internet that enables privacy and protects consumers. This is not achievable without ethical hackers taking an active role in safeguarding our collective security." "Ethical hackers are truly the immune system of the internet," he added.
 Justin Brookman, director of the Privacy and Technology Policy Consumers Union, said during the Senate hearing: "Used properly, bug bounty programs enable companies to learn of breaches and vulnerabilities, in service to the larger goals of protecting consumer data and alerting consumers to threats as warranted and/or required by law."
Google operates one of the largest bug
bounty programs.
SOME HISTORY
Source WIKIPEDIA
 Hunter & Ready initiated the first known bug bounty program in 1983 for their Versatile Real-Time Executive operating system.
• Anyone who found and reported a bug would receive a Volkswagen Beetle (a.k.a. Bug) in return.
 In 1995, Jarrett Ridlinghafer, a technical support engineer at Netscape Communications Corporation, coined the phrase 'Bugs Bounty'.
• Ridlinghafer presented a proposal for the 'Netscape Bugs Bounty Program' to the Netscape Executive Team; everyone except the VP of Engineering disagreed, thinking it a waste of time and resources.
• However, Ridlinghafer was given an initial $50 budget to run with the proposal, and the first official 'Bug Bounty' program was launched in 1995.
• The program was such a huge success that it is mentioned in many of the books detailing Netscape's successes.
 In 2011, Dutch hackers Jobert Abma and Michiel Prins found security flaws in hundreds of prominent high-tech companies, among them Facebook, Google, Apple, Microsoft, and Twitter.
 While many firms ignored their disclosure attempts, the COO of Facebook, Sheryl Sandberg, passed the warning to their head of product security, Alex Rice. Alex Rice connected with Abma and Prins, and they founded HackerOne, a crowd-sourcing platform.
 In November 2013, the company hosted a program encouraging the discovery and responsible disclosure of software bugs, funded by Microsoft and Facebook.
By June 2015, HackerOne had identified approximately 10,000 vulnerabilities and paid researchers over $1 million in bounties. In April the company announced 240% year-over-year customer growth in
Katie Moussouris had created the bug bounty program at Microsoft and was directly involved in creating the U.S. Department of Defense's first bug bounty program for hackers.
HackerOne is a vulnerability coordination and bug bounty platform that connects businesses with penetration testers and cyber security researchers. It was one of the first companies, along with Synack and Bugcrowd, to utilize crowd-sourced security and cybersecurity researchers as linchpins of its business model; it is the largest cybersecurity firm of its kind. As of July 2018, HackerOne's network consisted of approximately 200,000 researchers and had resolved 72,000 vulnerabilities across over 1,000 customer programs, and HackerOne had paid $31 million in bounties.
• Facebook operates a large bug bounty program.
• HackerOne, which provides managed bug bounty programs for organizations, found that in 2017 the average bug bounty for a critical vulnerability was $1,923, although payment varies across different industry categories.
• Bugcrowd also provides a managed bug bounty platform and has its own set of data on vulnerability payouts. Bugcrowd's 2017 State of the Bug Bounty report found that the average payout per bug across all categories was $451.
REWARDS
In 2018 HackerOne paid $11 million in bounties
10. Even More Facebook Data Exposure
When: April 2018
The payout: $8,000
The bug: Data exposure by a third-party app.
9. Google Administrative Authentication Bypass
When: February 2018
The payout: $13,337
The bug: Broken authentication for YouTube TV's admin panel.
8. Shopify Open to Takeovers
When: December 2017 - February 2018
The payout: $15,250
7. Free Games from Valve
When: November 2018
The payout: $20,000
The bug: An API exploit allowing generation of game activation keys.
6. Google's RCE Flaw
When: May 2018
The payout: $36,337
The bug: A remote code execution flaw in Google's deployment environment.
5. Facebook's Largest Ever Bug Bounty
When: Undisclosed; part of the bounty program launched in April.
The payout: $50,000
The bug: A privacy/monitoring vulnerability.
Facebook published a review of its bug bounty program in 2018. As well as payouts for over 700 reported issues, 2018 also saw the largest ever bounty payout from Facebook, of $50,000.
4. New Variants of Spectre
When: July 2018
The payout: $100,000
The bug: New subvariants of the Spectre processor vulnerability.
3. Two Google Pixel Bugs
When: August 2017 - January 2018
The payout: $112,500
The bug: A pair of bugs creating a code injection vulnerability in Google's Pixel smartphone.
2. Hack the Marines and Hack the Air Force
When: October - November 2018
The payout: $150,000 from the Marines; $130,000 from the Air Force
The bug: Hundreds of security vulnerabilities.
1. Oath's Days of Bounties
When: April and November 2018
The payout: Over $400,000 - twice
The bug: Hundreds of bugs across two hacking events.
Perhaps HackerOne’s biggest success story this year came at the H1-415 event in San Francisco. Oath Inc., a media company
which owns brands like Yahoo!, AOL and Tumblr, invited 40 security researchers from HackerOne to a live hacking event.
Over the course of the day, hundreds of bugs were discovered, netting a total bounty for the event of over $400,000.
Read more at: https://www.immuniweb.com/blog/top-ten-bug-bounty-payouts-of-2018.html
Approach for happy hunting
DOs
 The earlier the better
 Be the user first
 Understand the logic to break it
 Think beyond the mindset of a Black or Gray Hat Hacker
 Have custom methods/payloads
 Not just XSS, CSRF, IDOR, SQL
 Act ethically and report
 Be professional
DON'Ts
× XSS, Ctrl+C, Ctrl+V everywhere
× The easy way is not the right way
× Half-filled submissions & reports
× Unethical / irresponsible behavior
× Unethical disclosure
× Unethical reporting
× Selfishness
× Abusing info / data accessed
× Don't do BEG HUNTING / Never beg for rewards
MOTIVATORS FOR A SECURITY RESEARCHER
Motivator #1
Set Self Target
Motivator #2
Recognition
Motivator #3
Money
Motivator #4
Self Satisfaction – “I am not a Common Hacker wearing a Black Hat”
“I keep on Collecting and Counting my White Hats”
My Experience
Types of Organizations
1. The Genius - takes ethical reports very seriously; rewards, recognizes and partners with the security researcher.
2. The Bulletproof – never recognize or acknowledge, and think they are immortal.
3. Mr. Know It All – oops, we knew this before you and are planning to fix it.
4. The Blind & Deaf – never respond.
5. The Neutrals – a bug? bug bounty program?! News to us; anyway, thank you, we'll look into this.
My Experience
The "Fixed Line Telecommunication Company" in a South Asian Country
I reported a serious flaw in their system, which can certainly expose subscribers' sensitive information and much more, if found by a bad guy.
It has now been 8 months since my responsible reporting of this vulnerability to their IT team, and no action has been initiated to fix it to date.
This is a good example of organizations and their IT professionals thinking they are "Bullet Proof" or acting as "Mr. Know It All". Rather, they are liabilities to their customers and to society.
Useful Links
https://www.hackerone.com
https://www.bugcrowd.com
https://www.openbugbounty.org
HackerOne
Bugcrowd
Vulnerability Lab
Fire Bounty
Please feel free to contact me
pasanrlamahewa@gmail.com
🐦 https://twitter.com/Pasan_Rav
Happy to be with you all and to gain knowledge in my pursuit of Cyber Security Ethical Research.
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentation
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
Internet of Things Presentation (IoT).pptx
Internet of Things Presentation (IoT).pptxInternet of Things Presentation (IoT).pptx
Internet of Things Presentation (IoT).pptx
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptx
 

Understanding Bug Bounty Programs

  • 9. HISTORY. Source: https://blog.cobalt.io/the-history-of-bug-bounty-programs-50def4dcaab3
  • 10. WHY BUG BOUNTY PROGRAM. A bug bounty program is not fighting fire with fire, but fire prevention: it takes a white-hat hacker to think before a bad guy creeps in. Remember the story of Frank Abagnale, the most talented fraudster in history, who ended up helping the FBI. The winning formula for any organization is to recognize the cyber security researchers who help discover vulnerabilities. This is what a bug bounty program is about: ethical hackers help businesses detect vulnerabilities/loopholes before the bad guys creep in. In other words: getting ahead. This is what a Bug Bounty Program is all about.
  • 11. Hacking takes place in vicious minds and divine minds. Divine minds: white-hat hackers; black-hat hackers; grey-hat hackers.
  • 12. As organizations implement the latest technology, destructive minds are getting more and more sophisticated. Organizations and their IT professionals are aware of this impending danger, but many believe they are satisfactorily protected, that they can swiftly restore, or that their organizations are too small to be noticed by vicious minds.
  • 13. Why Bug Bounty Program. Bugs exist in any software or system; that is a fact. Cybercrimes are committed using a computer, computer technology or a smartphone as the primary tool. Types of criminals:
      Social Engineer - manipulates human minds
      Phisher - information / password theft
      Hacker - blocking systems
      Disgruntled Employee - information theft / blocking systems
      Ransom Artist - spreads malware / demands ransom
  • 14. Common Vulnerabilities:
      SQL Injection flaws
      Cross-Site Scripting (XSS)
      Broken Authentication
      Insecure Direct Object References
      Cross-Site Request Forgery (CSRF)
      Security Misconfiguration
      Insecure Cryptographic Storage
      Sensitive Data Exposure
      Failure to Restrict URL Access
      Missing Function Level Access Control
      Using Components with Known Vulnerabilities
      Unvalidated Redirects and Forwards
  • 15. Critical Vulnerabilities. Source and information credit: 2019 Edgescan Vulnerability Stats Report: Eoin & The Security
  • 16. WHY BUG BOUNTY PROGRAMS ARE IMPORTANT. Bug bounties are an important tool that helps find potential vulnerabilities or flaws, but this has often been misunderstood. That is why the nature and purpose of bug bounty schemes were openly discussed in a U.S. Senate hearing. Security researchers think differently, and we, the white-hat hackers, must think outside the box, think beyond a "hacker's thinking pattern", and act ethically and responsibly.
  • 17. How to Start a Bug Bounty Program
      Evaluate your organization, its systems and its IT / security team
      Decide on a bug bounty / reward system
      Decide on a platform or a direct approach to security researchers
      Prepare a draft Vulnerability Disclosure Policy
      The rules of engagement: define the scope of the bug bounty program
      Decide with unquestionable clarity what conduct is authorized for the security researcher, what proof is needed to confirm a vulnerability, and how the ethical hacker and the organization share the findings
      Discuss with your team and senior management, and agree
      Document > Validate > Authorization > Public knowledge / Web
     VERY IMPORTANT
      Select your point person very carefully
      Provide the contact details of your point person; they must be responsive and tech-savvy
      Provide clear instructions about the program, along with the specification of the overall test surface (IP addresses, domain names, type of test, type of reports, etc.), and emphasize any exclusions
  • 18. BUG BOUNTY PROGRAM - LIFECYCLE (diagram): organizations invite security researchers / platforms to test and find flaws; security researchers research and pentest; vulnerabilities are found or not found; findings are reported; IT / security teams validate the issue; valid issues are REWARDED.
  • 19. Consider Bug Bounties Carefully. Bug bounty programs are all about creating a culture of openness, transparency, responsibility and, above all, trust. Even if an organization doesn't offer bug bounties, it is pertinent to establish a "vulnerability disclosure policy" or ethical disclosure policy: a legal statement that the organization will not prosecute ethical hackers who detect vulnerabilities in its systems / websites and report them ethically. Since a bounty program is about trust and transparency, an organization should be open about how it will pay, reward or recognize vulnerability detection.
  • 20. Hand-pick your goose for the golden egg:
      Register on good platforms
      Research security researchers
      Conversation
      Be sure and mindful of side effects
      Vulnerability disclosure agreements
      Connect and implement
     SELECT YOUR SECURITY RESEARCHER OR PLATFORM and/or MAKE YOUR BUG BOUNTY PROGRAM OPEN TO THE PUBLIC
  • 21. The Testimonies
      Marten Mickos, CEO of bug bounty platform HackerOne, said we need hackers: "Our goal must be an internet that enables privacy and protects consumers. This is not achievable without ethical hackers taking an active role in safeguarding our collective security." "Ethical hackers are truly the immune system of the internet," he added.
      Justin Brookman, director of privacy and technology policy at Consumers Union, said during the Senate hearing: "Used properly, bug bounty programs enable companies to learn of breaches and vulnerabilities, in service to the larger goals of protecting consumer data and alerting consumers to threats as warranted and/or required by law."
     Google operates one of the largest bug bounty programs. Bug bounties are an important tool that helps find potential vulnerabilities or flaws, but this has often been misunderstood. That is why the nature and purpose of bug bounty schemes were openly discussed in a U.S. Senate hearing.
  • 22. SOME HISTORY (source: Wikipedia)
      Hunter & Ready initiated the first known bug bounty program in 1983 for their Versatile Real-Time Executive operating system. Anyone who found and reported a bug would receive a Volkswagen Beetle (a.k.a. Bug) in return.
      In 1995, Jarrett Ridlinghafer, a technical support engineer at Netscape Communications Corporation, coined the phrase "Bugs Bounty". Ridlinghafer presented a proposal for the "Netscape Bugs Bounty Program" to the Netscape executive team; everyone except the VP of Engineering did not agree, thinking it a waste of time and resources. However, Ridlinghafer was given an initial $50 budget to run with the proposal, and the first official "Bug Bounty" program was launched in 1995. The program was such a huge success that it is mentioned in many of the books detailing Netscape's successes.
  • 23.
      In 2011, Dutch hackers Jobert Abma and Michiel Prins found security flaws in hundreds of prominent high-tech companies, among them Facebook, Google, Apple, Microsoft and Twitter.
      While many firms ignored their disclosure attempts, the COO of Facebook, Sheryl Sandberg, passed the warning to their head of product security, Alex Rice. Alex Rice connected with Abma and Prins, and they founded HackerOne, a crowdsourcing platform.
      In November 2013, the company hosted a program encouraging the discovery and responsible disclosure of software bugs, funded by Microsoft and Facebook. By June 2015, HackerOne had identified approximately 10,000 vulnerabilities and paid researchers over $1 million in bounties. In April the company announced 240% year-over-year customer growth in
  • 24. Katie Moussouris created the bug bounty program at Microsoft and was directly involved in creating the U.S. Department of Defense's first bug bounty program for hackers. HackerOne is a vulnerability coordination and bug bounty platform that connects businesses with penetration testers and cyber security researchers. It was one of the first companies, along with Synack and Bugcrowd, to use crowd-sourced security and cybersecurity researchers as linchpins of its business model; it is the largest cybersecurity firm of its kind. As of July 2018, HackerOne's network consisted of approximately 200,000 researchers, had resolved 72,000 vulnerabilities across over 1,000 customer programs, and HackerOne had paid $31 million in bounties.
  • 25.
      Facebook operates a large bug bounty program.
      HackerOne, which provides managed bug bounty programs for organizations, found that in 2017 the average bug bounty for a critical vulnerability was $1,923, although payment varies across industry categories.
      Bugcrowd also provides a managed bug bounty platform and has its own data on vulnerability payouts. Bugcrowd's 2017 State of the Bug Bounty report found that the average bounty across all categories was $451.
  • 26. REWARDS. In 2018 HackerOne paid $11 million in bounties.
  • 27. to 29. (image-only slides)
  • 30. Top bug bounty payouts of 2018 (continued on the next slide)
     10: Even More Facebook Data Exposure. When: April 2018. The payout: $8,000. The bug: data exposure by a third-party app.
     9: Google Administrative Authentication Bypass. When: February 2018. The payout: $13,337. The bug: broken authentication for YouTube TV's admin panel.
     8: Shopify Open to Takeovers. When: December 2017 to February 2018. The payout: $15,250.
     Free Games from Valve. When: November 2018. The payout: $20,000. The bug: an API exploit allowing generation of game activation keys.
     7: Google's RCE Flaw. When: May 2018. The payout: $36,337. The bug: a remote code execution flaw in Google's deployment environment.
     6: Facebook's Largest Ever Bug Bounty. When: undisclosed; part of the bounty program launched in April. The payout: $50,000. The bug: a privacy/monitoring vulnerability.
     5: Facebook's Largest Ever Bug Bounty. When: undisclosed; part of the bounty program launched in April. The payout: $50,000. The bug: a privacy/monitoring vulnerability.
     Facebook published a review of its bug bounty program in 2018. As well as payouts for over 700 reported issues, 2018 also saw the largest ever bounty payout from Facebook, of $50,000.
  • 31.
     4: New Variants of Spectre. When: July 2018. The payout: $100,000. The bug: new subvariants of the Spectre processor vulnerability.
     3: Two Google Pixel Bugs. When: August 2017 to January 2018. The payout: $112,500. The bug: a pair of bugs creating a code injection vulnerability in Google's Pixel smartphone.
     2: Hack the Marines and Hack the Air Force. When: October to November 2018. The payout: $150,000 from the Marines; $130,000 from the Air Force. The bug: hundreds of security vulnerabilities.
     1: Oath's Days of Bounties. When: April and November 2018. The payout: over $400,000, twice. The bug: hundreds of bugs across two hacking events.
     Perhaps HackerOne's biggest success story this year came at the H1-415 event in San Francisco. Oath Inc., a media company which owns brands like Yahoo!, AOL and Tumblr, invited 40 security researchers from HackerOne to a live hacking event. Over the course of the day, hundreds of bugs were discovered, netting a total bounty for the event of over $400,000. Read more at: https://www.immuniweb.com/blog/top-ten-bug-bounty-payouts-of-2018.html
  • 32. Approach for happy hunting
     DOs
      The earlier the better
      Be the user first
      Understand the logic in order to break it
      Think beyond the mindset of a black- or grey-hat hacker
      Have custom methods/payloads
      Not just XSS, CSRF, IDOR, SQL
      Act ethically and report
      Be professional
     DON'Ts
     × XSS, Ctrl+C, Ctrl+V everywhere
     × The easy way is not the right way
     × Half-filled submissions and reports
     × Unethical / irresponsible behavior
     × Unethical disclosure
     × Unethical reporting
     × Selfishness
     × Abusing info / data accessed
     × Don't do BEG HUNTING / never beg for rewards
  • 33. MOTIVATORS FOR A SECURITY RESEARCHER. Motivator #1: set a self target. Motivator #2: recognition. Motivator #3: money. Motivator #4: self satisfaction: "I am not a common hacker wearing a black hat"; "I keep on collecting and counting my white hats".
  • 34. My Experience: types of organizations
     1. The Genius: takes ethical reports very seriously, rewards, recognizes and partners with the security researcher.
     2. The Bulletproof: never recognizes or acknowledges, and thinks they are immortal.
     3. Mr. Know-it-All: oops, we knew this before you and are planning to fix it.
     4. The Blind & Deaf: never responds.
     5. The Neutrals: a bug? a bug bounty program?! News to us; anyway thank you, we'll look into this.
  • 35. My Experience: the "Fixed Line Telecommunication Company" in a South Asian country. I reported a serious flaw in their system which can certainly expose subscribers' sensitive information and much more if found by a bad guy. It has now been 8 months since my responsible reporting of this vulnerability to their IT team, and no action has been initiated to fix it to date. This is a good example of organizations and their IT professionals thinking that they are "bullet proof" or acting as "Mr. Know-it-All". Rather, they are liabilities to their customers and to society.
  • 36. Useful Links: https://www.hackerone.com (HackerOne), https://www.bugcrowd.com (Bugcrowd), https://www.openbugbounty.org, Vulnerability Lab, Fire Bounty
  • 37. Please feel free to contact me: pasanrlamahewa@gmail.com 🐦 https://twitter.com/Pasan_Rav
  • 38. Happy to be with you all and gain knowledge in my pursuit of cyber security ethical research.
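The scope specification from slide 17 (IP addresses, domain names and explicit exclusions) turned into a checker that a program's point person could run over incoming reports before engineers spend time on them. This is an added example, not code from the presentation or from any bounty platform; the BountyScope structure, the example.com scope and the report records are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class BountyScope:
    """Hypothetical rules-of-engagement scope; exclusions always win over inclusions."""
    domains: set = field(default_factory=set)           # exact names or "*.suffix" wildcards
    networks: set = field(default_factory=set)          # CIDR blocks
    excluded_domains: set = field(default_factory=set)
    excluded_networks: set = field(default_factory=set)


def _domain_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match. '*.x' covers x itself and every name below it;
    a bare 'x' covers only x, so sibling hosts must be listed explicitly."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def _ip_in_any(cidrs: set, addr) -> bool:
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def classify_asset(scope: BountyScope, asset: str) -> str:
    """Return 'excluded', 'in_scope' or 'out_of_scope' for a host name or IP."""
    try:
        addr = ipaddress.ip_address(asset)
    except ValueError:
        addr = None                      # not an IP literal: treat as a host name
    if addr is not None:
        if _ip_in_any(scope.excluded_networks, addr):
            return "excluded"
        return "in_scope" if _ip_in_any(scope.networks, addr) else "out_of_scope"
    if any(_domain_matches(p, asset) for p in scope.excluded_domains):
        return "excluded"
    if any(_domain_matches(p, asset) for p in scope.domains):
        return "in_scope"
    return "out_of_scope"


def triage(scope: BountyScope, reports: list) -> dict:
    """Map each report id to the scope verdict for the asset it names."""
    return {r["id"]: classify_asset(scope, r["asset"]) for r in reports}


# Constructed sample scope and submissions (RFC 2606 / RFC 5737 test values).
SCOPE = BountyScope(
    domains={"example.com", "*.api.example.com"},
    networks={"203.0.113.0/24"},
    excluded_domains={"staging.api.example.com"},   # wildcard covers it; exclusion wins
    excluded_networks={"203.0.113.250/32"},
)
SAMPLE_REPORTS = [
    {"id": "R-1", "asset": "example.com"},
    {"id": "R-2", "asset": "V2.API.Example.com."},      # normalised before matching
    {"id": "R-3", "asset": "staging.api.example.com"},
    {"id": "R-4", "asset": "mail.example.com"},         # bare "example.com" does not cover it
    {"id": "R-5", "asset": "203.0.113.17"},
    {"id": "R-6", "asset": "203.0.113.250"},
    {"id": "R-7", "asset": "198.51.100.5"},
]

if __name__ == "__main__":
    for report_id, verdict in triage(SCOPE, SAMPLE_REPORTS).items():
        print(report_id, verdict)
```

Note that R-4 lands out of scope only because the program text listed "example.com" without a wildcard; the check makes that ambiguity visible, which is exactly the kind of exclusion the program instructions should spell out.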