Hackfest presentation.pptx
1. GETTING BEYOND BUG BOUNTY NOOB STATUS
@yaworsk
www.leanpub.com/web-hacking-101
www.youtube.com/yaworsk1
2. OVERVIEW
▪ Who am I and why do you care?
▪ What are bug bounties?
▪ Lessons learned (with examples)
▪ Getting started
3. WHO AM I?
▪ @yaworsk on HackerOne, Twitter, etc.
▪ 11 – months since I started bug bounties
▪ 24 – number of thanks received on HackerOne
▪ 105 – bugs found on HackerOne
▪ 67 – Rank on HackerOne (as of Nov 3, 2016)
▪ 0 – total security experience in November 2015
▪ Formal education in Public Policy
▪ Self-taught “developer”
▪ Web Hacking 101 Book / Hacking Pro Tips
5. WHAT ARE BUG BOUNTIES (CONT’D)
▪ HackerOne (as of Nov 2, 2016)
▪ 32,470 bugs fixed
▪ 3,970 hackers thanked
▪ 155 public programs
▪ ~600+ total programs
▪ Hacktheplanet + Hacktivity
▪ Bugcrowd (as of Mar 31, 2016)
▪ 6,803 paid submissions
▪ 26,782 “researchers”
▪ ~100 public programs (62 shown online as of Nov 2, 2016)
▪ ~180 private programs
▪ Monthly / yearly bonuses + Forum
6. WHAT ARE BUG BOUNTIES (CONT’D)
HackerOne Bugcrowd
7. LESSONS LEARNED
Hacking is not easy money
POC || GTFO
Your reputation is gold
Skill, observation & relationships
Pay it forward
8. 1. HACKING IS NOT EASY MONEY
▪ @ITSecurityGuard
▪ thanks from Uber, Google, Yahoo, Snapchat, Apple CVE
▪ first 7 bugs on Paypal, all dupes and unrewarded
▪ @filedescriptor
▪ over $200k from Twitter alone
▪ started with n/a’s and gave up for a short time
▪ @nahamsec
▪ 18th on HackerOne, thanks from Yelp, Shopify, Apple, Uber, Yahoo
▪ Felt burnt out at the beginning of this year, said he wanted to walk away.
Source: Google Bughunter University