![History of Bug Bounty
At October 1995 by Netscape.
At August 2002 by iDefense [VCP].
At August 2004 by Mozilla.
2007 CanSecWest……ZDI…$10k..
March 24, 2010…pwn2own..big money.
Days before 2008 was Tough for Security
Researchers.
2009, the year of revolution.](https://image.slidesharecdn.com/owasp-bd-bug-bounty-101-150212130003-conversion-gate01/85/Bug-Bounty-101-4-320.jpg)
![Lesson 101 cont.
Please DO NOT:
Don’t be a Shit.
Don’t Lie.
Don’t cry for SWAG /Money /HOF if it’s out of rules.
Don’t disrespect other researchers.
Don’t Copy-Paste from other reports.
Please, Don’t share your payouts. [amounts]](https://image.slidesharecdn.com/owasp-bd-bug-bounty-101-150212130003-conversion-gate01/85/Bug-Bounty-101-28-320.jpg)
Uploaded byShahee Mirza
Bug Bounty 101
This document provides an introduction to bug bounty programs. It defines what a bug bounty program is, provides a brief history of major programs, and discusses reasons they are beneficial for both security researchers and companies. Key points covered include popular programs like Google and Facebook, tools used in bug hunting like Burp Suite, and lessons for researchers such as writing quality reports and following each program's rules.
More Related Content
Bug Bounty 101
- 1.
- 2. About Me System SecurityEngineer at Tasawr Interactive Security Researcher OWASP contributor Bug Bounty Hunter FB: http://fb.me/shahee.mirza.5 Twitter: @shaheemirza WEB: http://www.shaheemirza.com
- 3. What is BugBounty? Bug bounties, also known as responsible disclosure programmes, are setup by companies to encourage people to report potential issues discovered on their sites. Some companies chose to reward a researcher with money, swag, or an entry in their hall-of-fame. If you’re interested in web application security then they’re a great way of honing your skills, with the potential of earning some money and/or credibility at the same time.
- 4. History of BugBounty At October 1995 by Netscape. At August 2002 by iDefense [VCP]. At August 2004 by Mozilla. 2007 CanSecWest……ZDI…$10k.. March 24, 2010…pwn2own..big money. Days before 2008 was Tough for Security Researchers. 2009, the year of revolution.
- 5.
- 6.
- 7.
- 8.
- 9. For us Values ofyour Resume. Increase Possibility of getting a job in the industry. Opportunity to make money on spare time. Glory and Fame. Knowledge. The proven one.
- 10. For Vendors Less Hacksand Breaches. Better and more secure apps or services. Faster security implementation. More researchers. More experience. More bugs.
- 11.
- 12. GOOGLE – Min $1337 –Acquisitions’ min: $100 – Max.: $20,000 URL: http://www.google.com.bd/about/appsecurity/reward-program/
- 13. FACEBOOK – Min.: $500 –Max. payout: ………… URL: https://www.facebook.com/whitehat
- 14.
- 15.
- 16.
- 17.
- 18.
- 19.
- 20. Lesson 000 Patience –The Patience
- 21. Lesson 001 Avoid –OS Arguments. Avoid – Browser Arguments. Avoid – Language Arguments.
- 22. Lesson 010 Do notuse automated scanners: - Acunetix - Nikto - Etc Learn to Code - Python - PHP - Etc
- 23.
- 24. Lesson 011 cont. URL: BurpSuite - http://portswigger.net/burp/ ZAP - https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Nmap - http://nmap.org/ DNS-Discovery - http://dns-discovery.googlecode.com Fierce - http://ha.ckers.org/fierce/
- 25. Lesson 100 Self Practiceground: URL: http://www.dvwa.co.uk/
- 26. Lesson 100 cont. SelfEducation: Attack: https://www.owasp.org/index.php/Category:Attack Code Snippet: https://www.owasp.org/index.php/Category:Code_Snippet Control: https://www.owasp.org/index.php/Category:Control Vulnerability: https://www.owasp.org/index.php/Category:Vulnerability
- 27. Lesson 101 The Baseand Basics: Read the Rules of programs. Read the Scope and Limits. Read the Payment scheme and Methods. Read, how to get a test account. Respect the Panel Decisions.
- 28. Lesson 101 cont. PleaseDO NOT: Don’t be a Shit. Don’t Lie. Don’t cry for SWAG /Money /HOF if it’s out of rules. Don’t disrespect other researchers. Don’t Copy-Paste from other reports. Please, Don’t share your payouts. [amounts]
- 29. Lesson 101 cont. Quality> Quantity Quality ==> Reputation ==> Opportunities
- 30. Lesson 101 cont. Bevery Sharp and Clear on Issue description. Steps to reproduce the issue Impact Attach screenshot(s) if needed. If you recorded any video: - Don’t use music. - Make it quick. - Use Mp4 or Flv format. How to write Report: Bad Report
- 31. Lesson 101 cont. GOOGLEfor us: URL: https://sites.google.com/site/bughunteruniversity/
- 32. Lesson 101 cont. Bugson Fire: URL: http://osvdb.org/
- 33. Lesson 101 cont. Justa demo: Rate limiting bypass
- 34. Lesson 101 cont. PublicDisclosure: Ask for permission. Hide sensitive information.
- 35. Future of BugBounties: More companies, More bounty. More money, More opportunities.
- 36. Bangladeshi Hackers onBug Bounty …………………………We are everywhere Google <> Facebook <> Twitter Microsoft <> PayPal <> GitHub
- 37. When I wasAlone I love to dance:
- 38. When rest ofall came I love to dance with them:
- 39. Thank you buddies: TarekSiddiki Faisal Ahmed Md. Ishrat Shahriyar Abdullah Shahriar …………..and rest of all
- 40.
- 41.
- 42.