BUG BOUNTY
BASICS
hack·er
/ˈha-kər/
noun
one who enjoys the intellectual challenge
of creatively overcoming limitations.
HACKERONE
Bug Bounty Program
/ˈbəg ˈbau̇n-tē ˈprō-ˌgram/
A program where ethical hackers are invited to
report security vulnerabilities to organizations,
in exchange for monetary rewards for useful
submissions. Bug bounties are commonly seen as
the most effective and inexpensive way to identify
vulnerabilities in live systems and products.
STEP ONE: DEFINE YOUR SCOPE
Create your own security program page with instructions for
hackers: what targets are in scope, what types of findings are
eligible, what types are not, what rewards you will be paying, what
behaviors are acceptable, and what the ideal vulnerability report
should look like. Start with HackerOne’s template, ask for help if
you want it, modify as needed.
BOUNTY PROGRAM SCOPE
We are interested in any vulnerability that could
negatively affect the security of our users.
OUR BOUNTIES
•	 $100 minimum bounty
•	 $500 average bounty
•	 $10,000 max bounty
IN-SCOPE VULNERABILITIES
•	 Cross-Site Scripting
•	 Cross-Site Request Forgery
•	 Server-Side Request Forgery
•	 SQL Injection
•	 Server-Side Remote Code Execution
•	 XML External Entity Attacks
IN-SCOPE PROPERTIES
•	 api.CompanyA.com
•	 bonjour.CompanyA.com
•	 business.CompanyA.com
•	 cn-cfe1.CompanyA.com
•	 cn-dc1.CompanyA.com
•	 cn-dc2.CompanyA.com
Example program page: Company A, https://hackerone.com/yourprogram
(average bounty $500)
HOW DO I DECIDE HOW MUCH TO OFFER HACKERS?
Set bug bounty awards by the technical classification of the bug and
the severity of its possible impact. We recommend a minimum of $100.
The average is around $500 and the current record is $50,000. To get
the attention of the world’s best hackers, pay more than the platform
average. To see how customers have defined their bounty programs,
browse the full list of programs at https://hackerone.com/bug-bounty-programs
$50,000 current record bounty
$500 average bounty
$100 minimum bounty
WHO ARE THE HACKERS?
Hackers hail from around the world. Their reasons for hacking vary,
but most hack because they love the challenge, want to do good in
the world, and of course, to make money. More than 80,000 hackers
from 70+ countries are registered to hack on HackerOne, and this
number grows daily. For your program, you can invite hackers based
on reputation score, specify signal requirements, and even search
by vetted skills (such as expertise in native applications, mobile
applications, hardware/IoT, and web applications).
WHY DO THEY HACK?
Hackers are from 70+ countries.
•	 71.5% to make money
•	 65.9% to be challenged
•	 70.5% to have fun
•	 64.3% to build my resume
•	 50.8% to do good in the world
YEARS HACKING
•	 1 year: 15.8%
•	 2 years: 14.3%
•	 3 years: 17%
•	 4 years: 11.3%
•	 5 years: 12%
HOW SOON DO I GET BUGS REPORTED?
In the first day, expect 4 serious, non-duplicate vulnerability
reports. The average customer sets a target of 10 valid reports in
the first 2 weeks; you can target more if you like. Ask about
HackerOne’s Fully-Managed Program if you need help with
triaging inbound reports.
Chart: valid reports from day 1 to day 14 (scale 0 to 10). Get results fast.
HOW DO HACKERS GET PAID FOR VALID REPORTS?
For valid bugs, HackerOne handles the paperwork and payment
to a hacker anywhere in the world. Forget about international
financial compliance, tax obligations, and other payment
headaches – just leave it to us. We’ve paid hackers from 40 U.S.
states and more than 80 countries.
HOW DO WE KNOW THE BUG BOUNTY PROGRAM HAS BEEN SUCCESSFUL?
When you receive valid submissions, you know that your
program is working. The sooner your engineering team
can fix the bugs found, the more secure your system
will be. You can use this information and the analytics
provided by the HackerOne platform to identify and
improve areas in your software development life cycle
that seem to be causing the most vulnerabilities.
Over time, your software becomes more secure and the number of
valid submissions will slowly decline. When you deploy new software,
you may want to offer new bounties to encourage repeat hackers to
spend their time on you again.
Example report titles:
•	 Stored XSS in subdomain
•	 File read leads to RCE
•	 Private email server compromised at your.site.com
ALWAYS BE IN THE KNOW WITH HACKERONE
PLATFORM ANALYTICS
HackerOne offers all accounts access to a Standard Dashboard
to monitor team stats in real-time and stay on top of response
time, stale issues, pending disclosures and more. Other, more
advanced tools customers love include:
•	 API Reports: Sync your data with your internal data analysis tools.
•	 HackerOne Success Index: Compare your security posture against
other organizations of comparable size on key benchmark metrics.
•	 Advanced Analytics: Query more advanced reports to track metrics
measuring your program’s ROI.
•	 Custom Analytics: Work with our data science experts to fulfill
your custom reporting requirements.
HackerOne is the No. 1 hacker-powered security provider, connecting
organizations with the world’s largest community of trusted hackers. More
than 800 organizations, including The U.S. Department of Defense,
General Motors, Intel, Uber, Twitter, GitHub, Nintendo, Lufthansa,
Panasonic Avionics, Qualcomm, Square, Starbucks, and the CERT
Coordination Center trust HackerOne to find critical software vulnerabilities
before criminals can exploit them. HackerOne customers have resolved
more than 50,000 vulnerabilities and awarded more than $18M in bug
bounties. HackerOne is headquartered in San Francisco with offices in
London, Seattle, Los Angeles and the Netherlands.
For the most exhaustive list of live bug bounty programs, visit https://hackerone.com/bug-bounty-programs
MAKE THE INTERNET SAFER
www.hackerone.com / sales@hackerone.com / +1 (415) 891-0777 © 2016 HackerOne