This document discusses bug bounty programs, which allow individuals to receive recognition and compensation for reporting software bugs and vulnerabilities to organizations. It provides examples of major companies that run public bug bounty programs, including Facebook, Google, and Microsoft. The history of bug bounty programs is traced back to 1995 when Netscape launched the first program. Guidelines are provided for researchers on getting started with bug bounty programs and the types of programs that exist.

1. Bug Bounty Program
• What is that
•You hack – they pay
Ramin Farajpour Cami

2. Whoami?
• Vulnerability researcher at RavinAcademy
• C Programmer
• Trainer Linux Exploit Development
• Hall Of Fame
• Google , Twitter, Apple, Blackberry, Ebay, Yahoo …
Twitter : @MF4rr3ll
Github : @raminfp

3. What is a bug bounty?
• A bug bounty program is a deal offered by many websites,
organizations and software developers by which individuals can
receive recognition and compensation for reporting bugs, especially
those pertaining to security exploits and vulnerabilities. [Wikipedia].
• These programs allow the developers to discover and resolve bugs
before the general public is aware of them

4. Who pays

5. A list of bug bounty plaforms
• Hackerone
• Bugcrowd
• Synack
• Zerocopter
• Cobalt
• Dvuln
• Intigriti

6. Bug bounty programs larg organizations
• Facebook
• Yahoo!
• Google
• Reddit
• Square
• Microsoft
• Internet bug bounty (IBB)

7. History!
• Jarrett Ridlinghafer, a technical support engineer at Netscape
Communications Corporation coined the phrase 'Bugs Bounty’.
• On October 10 1995, Netscape launched the first technology bug
bounty program for the Netscape Navigator 2.0 Beta browser.
• October 2013, Google announced a major change to its Vulnerability
Reward Program. (VRP)

8. Vulnerability Disclosure Policy
• In August 2013, a Palestinian computer science student reported a
vulnerability that allowed anyone to post a video on an arbitrary
Facebook account. According to the email communication between
the student and Facebook.
• he attempted to report the vulnerability using Facebook's bug bounty
program but the student was misunderstood by Facebook's
engineers. Later he exploited the vulnerability using the Facebook
profile of Mark Zuckerberg, resulting into Facebook denying to pay
him a bounty

9. The Internet Bug Bounty
• Microsoft and Facebook partnered in November 2013 to sponsor The
Internet Bug Bounty.
• IBB includes :
• Adobe Flash
• Python
• Ruby
• PHP
• Django
• Ruby on Rails
• Perl
• OpenSSL

10. The "Hack the Pentagon" program
• In March 2016, Peter Cook announced the US federal government's
first bug bounty program, the "Hack the Pentagon" program
• The program ran from April 18 to May 12 and over 1,400 people
submitted 138 unique valid reports through HackerOne. In total, the
US Department of Defense (DoD) paid out $71,200.

11. How to start ?
• Read the Web App Hacker’s HandBook
• Following interesting people on Twitter
• Working with Burp Suite
• Select a public program
• Read Other Reports (site:hackerone.com XSS)

12. • Demo Reports Of HackerOne

13. Pay attention!!!
• Read Policy Program [exmple: (Use account for test)]
• Read scope of the bug bounty program (scope : domains)
• Read Reward for each bugs

14. Type Program?
• Public (for all researchers)
• Private (invited top researchers)

15. Top countries researchers bug bounty
• United States
• India topped the Facebook Bug Bounty Program with the largest
number of valid bugs.
• Pakistan / China

16. Goal Program
• Reduce costs
• Pay for the correct report
• All the capacities of the researcher are used
• 24/7 analysis
• No need for a security team
• Developer program learning with reading PoC researchers

17. Goal Researcher!
• Learning
• Challenge
• Money
• Career

18. Iranian BugBounty Platform
• Ravro - https://www.ravro.ir/
• Bugdasht - https://bugdasht.ir/
• Kolahsefid - https://www.kolahsefid.org/

19. • The End
• Question?