1. The document discusses how to write effective bug bounty reports by understanding what security teams look for in reports. It emphasizes providing detailed reproduction steps, analyzing exploitability and potential impact, and considering the perspective of the security team. 2. Common elements of an effective report include clear reproduction steps, analysis of how an attack could actually work in the real world, and understanding what types of vulnerabilities are important to the specific organization based on their industry and needs. 3. The presentation provides examples of good and bad reports, outlines typical service level agreements, and emphasizes asking questions to understand the priorities and scope of individual security programs.

1. Bug Bounty Reports -
How Do They Work?
Adam Bacchus, Chief Bounty Officer - HackerOne
Nullcon - March 2017

2. 2
AGENDA 1. Intro
2. Know your audience
3. The Report
4. Security Team 101
5. The Good, The Bad, The Ugly
6. Resources
7. Next Steps
8. Q & A

3. Intro
3
Let’s get it started

4. Work
● Pentester (~4 yrs)
● Google (~4 years)
● Snapchat (~1 year)
● HackerOne (~1 year)
Play
● Gaming
● Playing with fire
Adam Bacchus
4

5. ● Bug bounty platform where you
can find organizations to hack on
● Uber, Twitter, Snapchat,
Starbucks… tons more
● 100,000+ hackers to learn from,
like our buddy geekboy :)
● $14 mill USD (₹ 934m) in bounties
paid to hackers!
HackerOne
5

6. Why does this matter?
6

7. Why does this matter?
...better bug reports...
7

8. Why does this matter?
...better bug reports...
...better relationships...
8

9. Why does this matter?
...better bug reports...
...better relationships...
...better bounties!
9

10. Some Quick Terminology
10

11. Vulnerability
11
weakness of software, hardware, or online service that can be exploited

12. Report
12
an awesome write-up of the bug you’ve found

13. Vulnerability Disclosure
13
the process by which an organization receives and disseminates information
about vulnerabilities in their products or online services

14. Bug Bounty Program
14
vulnerability disclosure, but with monetary incentives

15. Security Team
15
the people reading and responding to your bug reports, handling vulnerability
management, paying out bounties, etc.

16. Know Your Audience
16

17. 17
“I don't believe in elitism. I don't think the
audience is this dumb person lower than me.
I am the audience.”
Quentin Tarantino

18. Scope
18
What is it?

19. Scope
19
●In scope: List of websites, apps, IoT, etc.
that are okay to hack

20. Scope
20
●Out of scope: Stay away!

21. Scope
21
●Why are things out of scope?
○Infrastructure can’t handle scans
○Security team already knows it needs
work
○Security team is starting small and
working their way up
○Hosted by a third party; security team
doesn’t control it

22. Scope
22
What if I find a new scope?

23. Scope
23
Don’t be afraid to ask!
But keep expectations low - they might
not be ready for the new scope yet.

24. SLA - Service Level Agreement
24
“an official commitment that prevails between
a service provider and the customer.
Particular aspects of the service – quality,
availability, responsibilities – are agreed
between the service provider and the service
user.”

25. A Service For Hackers
25
That’s right - a vulnerability disclosure/bug
bounty program is a service, to you, the
hacker.

26. What should a security team provide?
26
How much time for...

27. What should a security team provide?
27
How much time for…
...first response

28. What should a security team provide?
28
How much time for…
...first response
...bounty decision

29. What should a security team provide?
29
How much time for…
...first response
...bounty decision
...remediation

30. What if the security team doesn’t have SLAs?
30

31. (didn’t we see this slide already?)
31
Don’t be afraid to ask!
“What’s your normal turnaround time
on X?”

32. What are typical SLAs?
32
First Response = 3 business days

33. What are typical SLAs?
33
First Response = 3 business days
Bounty Decision = 1 - 3 weeks after triage

34. What are typical SLAs?
34
First Response = 3 business days
Bounty Decision = 1 - 3 weeks after triage
Remediation depends on severity
Critical = 1-2 days
High = 1-2 weeks
Medium = 4-8 weeks
Low = 3 months

35. What NOT to do
35
1.Send report
2.Five minutes
later... update plz!
3.Ten minutes
later… bounty plz!

36. The Report
36

37. Reproduction Steps
37
Specific, detailed, step by step instructions
on how to reproduce the vulnerability.

38. Reproduction Steps - The Wrong Way
38
1. You got an XSS on the name… BOOM!!!
2. Where’s my bounty?

39. Reproduction Steps - The Right Way
39
1.While logged in, navigate to your profile at
<url>
2.Click the “Edit” button in the upper right
3.Change your first name to “><img src=x
onerror=prompt(document.cookie)>
4.Click “Save”
5.Navigate to your profile at <url>, the XSS
should fire

40. Exploitability
40
How would a real attack work? Think like an
attacker!

41. Exploitability
41
If an attack isn’t exploitable, how much does a
security team care about it?

42. Exploitability - The Wrong Way - Clickjacking
42
1.Navigate to <URL>
2.X-Frame-Options
header is missing
3.???
4.Profit?

43. Exploitability - The Right Way - Clickjacking
43
1.Navigate to <URL>
2.X-Frame-Options header
is missing
3.You can use clickjacking to
trick a user into deleting
their account. See
attached HTML file for a
PoC.

44. Exploitability - The Wrong Way - Server Info
44
1.Your server at <IP>
is showing banner
information and is
out of date.
2.???
3.Profit?

45. Exploitability - The Right Way - Server Info
45
1.Your server at <IP> is
running an outdated
version of <software>.
2.I’ve verified it’s vulnerable
to a known XSS which can
be used to steal <cookie ID>
and hijack users’ sessions.
Here are the repro steps.

46. Impact
46
We know how to repro…
We know exploitability / attack vector…
So now what?

47. Impact
47
What happens if this vulnerability gets
exploited?
What does the security team care about most?

48. 48
Put yourself in the organization’s shoes
Industry Compliance What they care about
Healthcare
Health Insurance Portability and
Accountability Act (HIPAA)
PII (Personally Identifiable
Information), e.g. patient data
eCommerce / Retail
Payment Card Industry Data
Security Standard (PCI-DSS)
User data, especially credit card info
Government (U.S.)
The Federal Information Security
Management Act (FISMA)
Employee info, classified info
Finance
Gramm-Leach-Bliley Act (GLBA),
PCI-DSS
Consumer and investor financial data
Education
Family Educational Rights and
Privacy Act (FERPA)
Student records
Technology It depends! It depends!

49. 49
Put yourself in the organization’s shoes
User information disclosure of first and last
name. Where is the impact bigger?
or...

50. 50
Put yourself in the organization’s shoes
User information disclosure of first and last
name. Where is the impact bigger?
or...

51. Impact - The Wrong Way
51
1.You have an XSS
2.<repro steps>
3.<exploitability info>
4.…
5.Profit?

52. Impact - The Right Way
52
1. Here’s a PoC to steal session
info via XSS
2. Exploiting this against a
regular user would allow
access to view and modify
their name, address,
birthdate, as well as transfer
all money out of their account.

53. Impact
53
What is CIA?
Confidentiality - Integrity - Availability

54. Confidentiality
54
“...information is not made available or
disclosed to unauthorized individuals, entities,
or processes.”

55. Integrity
55
“Ensuring data cannot be modified in an
unauthorized or undetected manner.”

56. Availability
56
“Information must be available when it is
needed.”

57. Impact - CIA
57
Think about how your vulnerability impacts
the Confidentiality, Integrity, and
Availability of the organization’s assets.

58. “The Bar”
58
What is it?

59. “The Bar”
59
🤔

60. “The Bar”
60
The minimum severity vulnerability that
qualifies for a program.

61. “The Bar”
61
Every organization cares about different
things.
It’s all about context.

62. “The Bar”
62
Ask yourself:
“If I were the security team, is this important
enough that I’d want to bother a developer to
fix it?”

63. “The Bar”
63
So you’ve found clickjacking on a page with
only static content?

64. “The Bar” - Open Redirects
64
Is Open Redirect technically a vulnerability?
Yes.
Does company XYZ care?
Probably not.
Why not?

65. “The Bar” - Logout XSRF
65
Is Logout XSRF technically a vulnerability?
Yes.
Does company XYZ care?
Probably not.
Why not?

66. “The Bar”
66
Vulns can be 100% accurate, but so what?

67. (this slide AGAIN!?)
67
Don’t be afraid to ask!
“Do you care about vulnerabilities like
X?”

68. Public Disclosure
68
What is it?
After the bug is fixed, the security team and
hacker agree to disclose the report as an
example for the bug bounty community.

69. The Good, The Bad,
The Ugly
69
Bug Bounty Reports IRL

70. Reports IRL - The Good, The Bad, The Ugly
70
Let’s take a look at some real life examples...

71. The Good - hackerone.com/reports/143717
71
Report: Changing any Uber user’s password
Bounty: $10,000 USD
Let’s check it out!

72. The Bad - hackerone.com/reports/156098
72
Report: XSS At "pages.et.uber.com"
Bounty: um...

73. The Bad - hackerone.com/reports/156098
73

74. The Bad - hackerone.com/reports/156098
74

75. The Bad - hackerone.com/reports/156098
75

76. The Ugly - hackerone.com/reports/137723
76
Report: “vulnerabilitie”
Bounty: we get to laugh at the report?
Let’s check it out!

77. Resources
77

78. Resources
78
●Web Application Hacker’s Handbook
●Web Hacking 101
●Google Bughunter University
●Google Gruyere
●Burp Suite
●Bug Bounty Reports - How Do They Work?

79. Hacktivity! https://hackerone.com/hacktivity
79

80. Recap
80

81. Quick Recap
81
Know your audience!
Think from the security team’s perspective
“I am the audience”
Repro + Exploitability + Impact
Ask questions, get clarity

82. Any questions?
82

83. Thank You
83
Adam Bacchus
adam@hackerone.com
@sushihack
linkedin.com/in/adambacchus/
facebook.com/sushihack

84. 84