
Bug Bounty 101


A brief discussion about bug bounty and its impacts.

Published in: Technology


  1. Bug Bounty 101. Shahee Mirza.
  2. About me: System Security Engineer at Tasawr Interactive. Security researcher. OWASP contributor. Bug bounty hunter. FB: http://fb.me/shahee.mirza.5 Twitter: @shaheemirza WEB: http://www.shaheemirza.com
  3. What is a bug bounty? Bug bounties, also known as responsible disclosure programmes, are set up by companies to encourage people to report potential issues discovered on their sites. Some companies choose to reward a researcher with money, swag, or an entry in their hall of fame. If you're interested in web application security, they're a great way of honing your skills, with the potential of earning some money and/or credibility at the same time.
  4. History of bug bounty: In October 1995 by Netscape. In August 2002 by iDefense [VCP]. In August 2004 by Mozilla. 2007: CanSecWest, ZDI, $10k. March 24, 2010: Pwn2Own, big money. The days before 2008 were tough for security researchers. 2009: the year of revolution.
  5. Vendor response
  6. Then... our response
  7. Now... :p
  8. Why bug bounties?
  9. For us: Value for your résumé. Increased possibility of getting a job in the industry. Opportunity to make money in your spare time. Glory and fame. Knowledge. The proven one.
  10. For vendors: Fewer hacks and breaches. Better and more secure apps or services. Faster security implementation. More researchers. More experience. More bugs.
  11. My favorite programs!
  12. GOOGLE: Min. $1337; acquisitions' min.: $100; max.: $20,000. URL: http://www.google.com.bd/about/appsecurity/reward-program/
  13. FACEBOOK: Min.: $500; max. payout: … URL: https://www.facebook.com/whitehat
  14. MORE: https://bugcrowd.com/list-of-bug-bounty-programs
  15. My favorite platforms!
  16. BugCrowd. URL: https://bugcrowd.com/
  17. HackerOne. URL: https://hackerone.com/
  18. ...and: URL: https://www.synack.com/ URL: https://www.crowdcurity.com/
  19. READY!
  20. Lesson 000: Patience. The patience.
  21. Lesson 001: Avoid OS arguments. Avoid browser arguments. Avoid language arguments.
  22. Lesson 010: Do not use automated scanners:
     - Acunetix
     - Nikto
     - etc.
     Learn to code:
     - Python
     - PHP
     - etc.
  23. Lesson 011: TOOLS:
  24. Lesson 011 cont. URLs:
     - Burp Suite: http://portswigger.net/burp/
     - ZAP: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
     - Nmap: http://nmap.org/
     - DNS-Discovery: http://dns-discovery.googlecode.com
     - Fierce: http://ha.ckers.org/fierce/
  25. Lesson 100: Self-practice ground. URL: http://www.dvwa.co.uk/
  26. Lesson 100 cont. Self-education:
     - Attack: https://www.owasp.org/index.php/Category:Attack
     - Code Snippet: https://www.owasp.org/index.php/Category:Code_Snippet
     - Control: https://www.owasp.org/index.php/Category:Control
     - Vulnerability: https://www.owasp.org/index.php/Category:Vulnerability
  27. Lesson 101: The base and basics: Read the rules of the programs. Read the scope and limits. Read the payment scheme and methods. Read how to get a test account. Respect the panel's decisions.
  28. Lesson 101 cont. Please DO NOT: Don't be a shit. Don't lie. Don't cry for swag/money/HOF if it's outside the rules. Don't disrespect other researchers. Don't copy-paste from other reports. Please, don't share your payouts [amounts].
  29. Lesson 101 cont. Quality > Quantity. Quality ==> Reputation ==> Opportunities
  30. Lesson 101 cont. Be very sharp and clear in the issue description: steps to reproduce the issue, impact, and screenshot(s) attached if needed. If you recorded any video:
     - Don't use music.
     - Make it quick.
     - Use MP4 or FLV format.
     How to write a report: (bad report example)
  31. Lesson 101 cont. GOOGLE for us: URL: https://sites.google.com/site/bughunteruniversity/
  32. Lesson 101 cont. Bugs on fire: URL: http://osvdb.org/
  33. Lesson 101 cont. Just a demo: rate limiting bypass
  34. Lesson 101 cont. Public disclosure: Ask for permission. Hide sensitive information.
  35. Future of bug bounties: More companies, more bounties. More money, more opportunities.
  36. Bangladeshi hackers on bug bounty: we are everywhere. Google, Facebook, Twitter, Microsoft, PayPal, GitHub.
  37. When I was alone, I loved to dance:
  38. When the rest of all came, I loved to dance with them:
  39. Thank you, buddies: Tarek Siddiki Faisal Ahmed Md. Ishrat Shahriyar Abdullah Shahriar ...and all the rest
  40. Helpful books
  41. Helpful blogs:
     - http://www.breaksec.com/
     - http://homakov.blogspot.co.uk/
     - https://bitquark.co.uk/blog/
     - https://nealpoole.com/blog/
     - http://nahamsec.com/
     - http://stephensclafani.com/
     - http://insertco.in/articles
     - http://josipfranjkovic.blogspot.co.uk/
     - http://olivierbeg.nl/
     - https://fin1te.net/
  42. THANK YOU ALL
