Bug bounty programs offer numerous benefits to the sponsoring companies. Government organizations as well as private organizations will benefit if they have bug hunters sniffing around on their network.
1. Bug Bounty PROGRAMS: GOOD FOR Government
Your world, secured in my hands
My hands… & Your world is secured!
Presented at The Hackers Conference, New Delhi
August 25, 2013
2. Time For Real Change Is NOW!
A Security budget is inversely proportional to a CxO’s “feel-good” factor
Bug Bounty Programs will attract the best Security brains for ~ZERO cost!
5. The Bounty Hunter
He hunted humans! Wild West times…
Better than the best gunslinger or tracker
Harrison Ford as Han Solo in Star Wars
12. Star Wars Episode IV (1977)
Han Solo (Harrison Ford), to Princess Leia (Carrie Fisher)
Lucas Films/Courtesy Everett Collection
“I'm not in it for you, princess. Look, I ain't in this for your revolution, and I expect to be well paid. I'm in it for the money.”
14. • Govt Dept was target of spear phishing
• Malware was put out for analysis to bounty of 25k – this was increased to 50k due to increase in scope and a tie between two teams in phase 1
• Bounty hunter has to identify the malicious activity and the command centre
• Time bound results expected (24 hours)
• Maximum information and good presentation to be given weightage
• Information was of high quality and the department was able to contain the attack, the malware and the attacker
• Market Value of work done
– Man hours if assignment was carried out internally: min 100
– Value of work if I had quoted: Rs. 5,00,000
16. Bounteous rewards await the Government department that starts a BB program. They are able to identify (actually) good testers who will HONESTLY disclose vulnerabilities.
17. • Capability for Security management, protection or response – primarily with intelligence agencies
• Departments depend on CERT empanelled firms and carry out only a one time assessment
• Total lack of awareness (or respect for IS) among HoDs and of security expertise in Ops team
• Most government infrastructure is waiting for a “kehar” (a calamity)
• Someone’s Death Wish!
18. • Capacity and Capability building sans resources
• Lack of skills, awareness and knowledge
• Uncertainty about skills / ethics of testers
• Big PPP players work (only) on big projects
• Attain high level of assurance at low cost
• Supporting independent research
19. • Fulfill our national Mission Impossible:
– 500k IS professionals in 3 yrs
– PPP (Public + Professional Participation will work better than the Public, Private Participation)
• Continuous Testing by proven professionals
• Critical Infrastructure Protection
• Information Sharing
20. • Identify professional friends-in-need
• Find vulnerabilities missed by your team
• Save BIG money on housekeeping
• Best brains in the business work for free!!
• Success fee based – non negotiable.
• Potential candidates for hire
• Crowd sourced quality control
21. • Use a BB Escrow Service
• Start one on your own or crowd-source
• Contact hackers in Hall of Fame
• Reach out via Social Media
• Word of Mouth
• Offer Good Bounty
22. • Companies have to be as ethical as the hackers
• Admin – super geek
• Workflow / bug tracking system
• Your terms and conditions – transparent and in plain simple language
• Escalation path (in case one does not agree to the admin’s decision for payout)
23. • Open playing field for unknowns
• Researcher sells in the underground
• Revenge attack by unhappy hunter
• Rogue hacker steals data
• Wrong, slow or improper communication
• Dealing with young hot professionals
OOPS!
25. • Technically sound head geek!
• Quick Communication Plan
• Transparency
• Acknowledge and Pamper
• Pay Good Money (be the best)
• Media Announcements
• Wall of Fame
27. • Cost of Web Application Testing using automated open source tools = 50k to 200k
• Cost paid by a very “aware” govt department to a CERT empaneled ‘auditor’ = 20k to 50k – the audit firm would be foolish to carry out even one manual test!
• With this pricing the client can forget getting anyone to even give a ‘jhalak’ (glimpse) of a commercial tool like Core, IBM, Qualys
28. I am a big company, and this bug business is not good for my name.
Me a big corporation, or me a big guy – it’s not good for my image or reputation
30. • Age: 0 > 25
• Started BH: 3 – 5 years
• Amount of money made:
– Y0 – Y2: about $0 – 500 (unless very lucky or good)
– Y2 onwards: average minimum $800 – 1000 per month, growing to an average of $2 – 3k
• Daily work life:
– Regular life: average 6 to 8 hours daily, less on weekends
– Bug Hunting: 8 – 10 hours, more if excited, more on weekends
– Sleep: whenever!
• Social Acceptability:
– Y0 – Y3: BAD, parents gave up
– Y2 onwards: great!
• Taxable Income: who knows!
• Has PAN Number, Bank account
31. You do not want anyone from here!
- visiting you…
- buying your data…
- selling your data…
… NO Siree!
34. • Facebook Whitehat List https://www.facebook.com/whitehat/thanks/
• Twitter Whitehat List https://www.twitter.com/about/security
• Google Security Hall of Fame http://www.google.com/about/appsecurity/hall-of-fame/distinction/
• PayPal Wall of Fame https://www.paypal.com/webapps/mpp/security-tools/wall-of-fame-honorable-mention
• Dropbox "Special Thanks" for Security https://www.dropbox.com/special_thanks
• Adobe Security Acknowledgments http://www.adobe.com/support/security/bulletins/securiacknowledgments.html
• Apple Security Notifications http://support.apple.com/kb/HT1318
• Zendesk Security http://www.zendesk.com/company/responsible-disclosure-policy
• Nokia Siemens Networks Hall of Fame http://www.nokiasiemensnetworks.com/about-
46. • Open Security Alliance, Principal and CEO
• Jharkhand Police, Cyber Security Advisor
• Pyramid Cyber Security & Forensics, Principal Advisor
• Indian Honeynet Project, Co Founder
• Professional skills and special interest areas
– Security Consulting and Advisory services for IS Architecture, Analysis, Optimization
– Government – policy, strategy, law enforcement
– Technologies: SOC, DLP, IRM, SIEM…
– Practices: Incident Response, SAM, Forensics, Regulatory guidance…
– Community: mentoring, training, citizen outreach, India research…
• Opinionated Blogger, occasional columnist, wannabe photographer
47. Contact Information
E: dinesh@opensecurityalliance.org
T: +91.9769890505
Twitter: @bizsprite
L: http://in.linkedin.com/in/dineshbareja
Facebook: dineshobareja
Acknowledgements & Disclaimer
Various resources on the internet have been referred to contribute to the information presented. Images have been acknowledged where possible. Any company names, brand names, trademarks are mentioned only to facilitate understanding of the message being communicated - no claim is made to establish any sort of relation (exclusive or otherwise) by the author(s), unless otherwise mentioned. Apologies for any infraction, as this will be wholly unintentional, and objections may please be communicated to us for remediation of the erroneous action(s).