
Bug Bounty 101

4,631 views

A brief discussion about bug bounty and its impacts.

Published in: Technology
  • why can't i download it :( ?
  1. Bug Bounty 101 – Shahee Mirza
  2. About Me: System Security Engineer at Tasawr Interactive; Security Researcher; OWASP contributor; Bug Bounty Hunter. FB: http://fb.me/shahee.mirza.5 Twitter: @shaheemirza WEB: http://www.shaheemirza.com
  3. What is Bug Bounty? Bug bounties, also known as responsible disclosure programmes, are set up by companies to encourage people to report potential issues discovered on their sites. Some companies choose to reward a researcher with money, swag, or an entry in their hall of fame. If you're interested in web application security then they're a great way of honing your skills, with the potential of earning some money and/or credibility at the same time.
  4. History of Bug Bounty: October 1995 by Netscape. August 2002 by iDefense [VCP]. August 2004 by Mozilla. 2007: CanSecWest... ZDI... $10k. March 24, 2010: Pwn2Own, big money. The days before 2008 were tough for security researchers. 2009, the year of revolution.
  5. Vendor Response
  6. Then... Our Response
  7. Now... :p
  8. Why bug bounties?
  9. For us: Value for your resume. Increased possibility of getting a job in the industry. Opportunity to make money in your spare time. Glory and fame. Knowledge. The proven one.
  10. For vendors: Fewer hacks and breaches. Better and more secure apps or services. Faster security implementation. More researchers. More experience. More bugs.
  11. My favorite programs!!
  12. GOOGLE – Min.: $1337 – Acquisitions' min.: $100 – Max.: $20,000. URL: http://www.google.com.bd/about/appsecurity/reward-program/
  13. FACEBOOK – Min.: $500 – Max. payout: ………… URL: https://www.facebook.com/whitehat
  14. MORE: https://bugcrowd.com/list-of-bug-bounty-programs
  15. My favorite platforms!!
  16. BugCrowd – URL: https://bugcrowd.com/
  17. HackerOne – URL: https://hackerone.com/
  18. ...and – URL: https://www.synack.com/ URL: https://www.crowdcurity.com/
  19. READY!!
  20. Lesson 000: Patience – The Patience
  21. Lesson 001: Avoid OS arguments. Avoid browser arguments. Avoid language arguments.
  22. Lesson 010: Do not use automated scanners (Acunetix, Nikto, etc.). Learn to code (Python, PHP, etc.).
  23. Lesson 011: TOOLS:
  24. Lesson 011 cont. URLs: Burp Suite - http://portswigger.net/burp/ ZAP - https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Nmap - http://nmap.org/ DNS-Discovery - http://dns-discovery.googlecode.com Fierce - http://ha.ckers.org/fierce/
  25. Lesson 100: Self practice ground: URL: http://www.dvwa.co.uk/
  26. Lesson 100 cont. Self education: Attack: https://www.owasp.org/index.php/Category:Attack Code Snippet: https://www.owasp.org/index.php/Category:Code_Snippet Control: https://www.owasp.org/index.php/Category:Control Vulnerability: https://www.owasp.org/index.php/Category:Vulnerability
  27. Lesson 101: The base and basics: Read the rules of programs. Read the scope and limits. Read the payment scheme and methods. Read how to get a test account. Respect the panel decisions.
  28. Lesson 101 cont. Please DO NOT: Don't be a shit. Don't lie. Don't cry for swag/money/HOF if it's out of rules. Don't disrespect other researchers. Don't copy-paste from other reports. Please, don't share your payouts [amounts].
  29. Lesson 101 cont. Quality > Quantity. Quality ==> Reputation ==> Opportunities
  30. Lesson 101 cont. How to write a report: Be very sharp and clear on the issue description. Steps to reproduce the issue. Impact. Attach screenshot(s) if needed. If you recorded any video: don't use music; make it quick; use MP4 or FLV format. Bad report:
  31. Lesson 101 cont. Google for us: URL: https://sites.google.com/site/bughunteruniversity/
  32. Lesson 101 cont. Bugs on fire: URL: http://osvdb.org/
  33. Lesson 101 cont. Just a demo: Rate limiting bypass
  34. Lesson 101 cont. Public disclosure: Ask for permission. Hide sensitive information.
  35. Future of bug bounties: More companies, more bounty. More money, more opportunities.
  36. Bangliadeshi hackers on bug bounty... We are everywhere: Google <> Facebook <> Twitter <> Microsoft <> PayPal <> GitHub
  37. When I was alone I love to dance:
  38. When the rest of all came I love to dance with them:
  39. Thank you buddies: Tarek Siddiki Faisal Ahmed Md. Ishrat Shahriyar Abdullah Shahriar ... and the rest of all
  40. Helpful Books
  41. Helpful Blogs: http://www.breaksec.com/ http://homakov.blogspot.co.uk/ https://bitquark.co.uk/blog/ https://nealpoole.com/blog/ http://nahamsec.com/ http://stephensclafani.com/ http://insertco.in/articles http://josipfranjkovic.blogspot.co.uk/ http://olivierbeg.nl/ https://fin1te.net/
  42. THANK YOU ALL