Security Evolution - Bug Bounty Programs for Web Applications


           Michael Coates - Mozilla

           September, 2011


OWASP

           Copyright © The OWASP Foundation
           Permission is granted to copy, distribute and/or modify this document
           under the terms of the OWASP License.




           The OWASP Foundation
           http://www.owasp.org
Agenda


History of Bounty Programs
Mozilla Web Bounty Results
Launching a Web Bounty Program
Common Bounty Concerns
Conclusion




                                  OWASP   2
History of Bounty Programs

1995   -   Netscape          2010
2002   -   iDefense           Google Chromium
2004   -   Mozilla Firefox    Deutsche Post E-Postbrief
                               Google Web
2005   -   ZDI
                               Mozilla Web
2007   -   Pwn2Own
                               Barracuda
                              2011
                               Hex Rays
                               Facebook



Types of Programs

Open to all - Reported direct to software maker
 (1995) Netscape
 (2004) Mozilla Firefox
 (2010) Google Chromium
 (2010) Google Web
 (2010) Mozilla Web
 (2010) Barracuda
 (2011) Hex Rays
 (2011) Facebook

Central “Clearing House”
 (2002) iDefense
 (2005) ZDI TippingPoint

Pre-Approved Teams / Competition
 (2007) Pwn2Own
 (2010) Deutsche Post E-Postbrief

Programs for the Web

Mozilla Web Bounty
 $500 - $3000
Google Web Bounty
 $500 - $3137
Facebook Security Bounty
 Typically $500, paid up to $5000

General Policies
 Select web sites in scope
 Critical issues
 Paid for new issues (not dupes)




Bounty Programs - Why?


User & user data safety is #1
Productive relationship with community
Work directly with researchers
Consistent security at scale is hard
Not competing with black market




Mozilla Web Bounty - Scope
‣   Goal: Protect Users

‣   Critical issues such as XSS, CSRF, code injection, authentication flaws



                                   Sites In Scope
-   bugzilla.mozilla.org
-   *.services.mozilla.com
-   getpersonas.com
-   aus*.mozilla.org
-   www.mozilla.com/org
-   www.firefox.com
-   www.getfirefox.com
-   addons.mozilla.org
-   services.addons.mozilla.org
-   versioncheck.addons.mozilla.org
-   pfs.mozilla.org
-   download.mozilla.org
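The general policies from the "Programs for the Web" slide (select sites in scope, critical issues only, no payment for duplicates) and the Mozilla scope list above can be combined into a small triage check that a program team runs on each incoming report. This is an added example, not Mozilla's own tooling: the scope list is the slide's (with "www.mozilla.com/org" expanded to both hosts), while the Report structure, the CRITICAL set, the duplicate fingerprint and the sample reports are assumptions made for this example.

```python
"""Bounty triage helper: apply the deck's "general policies" (site in scope,
critical issue class, not a duplicate) to incoming reports.

Added example, not Mozilla's own tooling. The scope list is the one on the
slide; the Report structure, the CRITICAL set and the duplicate fingerprint
are assumptions made for this example."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Sites in scope as listed on the slide. The slide entry "www.mozilla.com/org"
# is expanded here to both hosts (assumption about the slide's shorthand).
IN_SCOPE = [
    "bugzilla.mozilla.org",
    "*.services.mozilla.com",
    "getpersonas.com",
    "aus*.mozilla.org",
    "www.mozilla.com",
    "www.mozilla.org",
    "www.firefox.com",
    "www.getfirefox.com",
    "addons.mozilla.org",
    "services.addons.mozilla.org",
    "versioncheck.addons.mozilla.org",
    "pfs.mozilla.org",
    "download.mozilla.org",
]

# Issue classes the slide calls critical (normalised spelling is an assumption).
CRITICAL = {"xss", "csrf", "code injection", "authentication flaw"}


def _split(url: str):
    # urlsplit only recognises the host when a scheme or "//" is present.
    return urlsplit(url if "//" in url else "//" + url)


def host_in_scope(url: str, scope=IN_SCOPE) -> bool:
    """True if the URL's host matches one of the scope patterns.

    Patterns use shell-style globs, so "*.services.mozilla.com" covers any
    depth of subdomain. Matching is done on the whole hostname, which is
    what stops "addons.mozilla.org.example.net" from slipping through."""
    host = _split(url).hostname
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(fnmatchcase(host, pattern.lower()) for pattern in scope)


@dataclass
class Report:
    reporter: str
    url: str
    issue_type: str


@dataclass
class Triage:
    scope: list = field(default_factory=lambda: list(IN_SCOPE))
    seen: set = field(default_factory=set)

    @staticmethod
    def fingerprint(report: Report) -> tuple:
        """Duplicate key: same host, same path, same issue class. Query
        strings are ignored so two reports of one reflected XSS sink with
        different parameters collapse to one bug (assumption)."""
        parts = _split(report.url)
        return (parts.hostname.lower(), parts.path.rstrip("/") or "/",
                report.issue_type.lower())

    def assess(self, report: Report) -> tuple:
        """Return (decision, reason); 'qualify' means eligible for a bounty."""
        if not host_in_scope(report.url, self.scope):
            return ("reject", "host not in scope")
        if report.issue_type.lower() not in CRITICAL:
            return ("reject", "not a critical issue class")
        key = self.fingerprint(report)
        if key in self.seen:
            return ("reject", "duplicate of an earlier report")
        self.seen.add(key)
        return ("qualify", "in scope, critical, first report")


# Constructed sample reports (not real submissions).
SAMPLE_REPORTS = [
    Report("alice", "https://addons.mozilla.org/en-US/firefox/search?q=x", "XSS"),
    Report("bob", "https://sync.services.mozilla.com/1.0/user/", "CSRF"),
    Report("carol", "https://aus3.mozilla.org/update/", "code injection"),
    Report("dave", "https://blog.mozilla.com/", "XSS"),
    Report("erin", "https://addons.mozilla.org/en-US/firefox/search?q=y", "xss"),
    Report("frank", "https://www.firefox.com/", "open redirect"),
    Report("grace", "https://addons.mozilla.org.example.net/", "XSS"),
]


def run_triage(reports=SAMPLE_REPORTS) -> list:
    """Assess reports in arrival order; earlier reports win duplicate checks."""
    triage = Triage()
    return [(r.reporter, *triage.assess(r)) for r in reports]


if __name__ == "__main__":
    for reporter, decision, reason in run_triage():
        print(f"{reporter:6} {decision:8} {reason}")
```

Order matters: the duplicate check is first-come-first-served, which is exactly the "paid for new issues (not dupes)" rule, so the queue must be processed in arrival order and the fingerprint store kept across runs.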



Mozilla Web Bounty - Submission Timeline


[Chart: number of bug submissions per month, Nov 2010 to Sep 2011]
Mozilla Web Bounty - Bugs Reported

[Pie chart: breakdown of bugs reported]
Mozilla Web Bounty - Types of Issues Reported

[Pie chart: types of issues reported]
Mozilla Web Bounty - The Reporters

     How Many Bugs Are People Submitting?

 Number of Bugs Submitted   Percentage of Reporters
          1 Bug                      47%
         2-5 Bugs                    33%
         6+ Bugs                     20%




    Top 11% of bug finders contribute 56% of bugs


Mozilla Web Bounty - What is Submitted


Failure in design patterns - ex: image uploads
Procedural gaps / forgotten servers
Smaller traditional bugs




Mozilla Web Bounty - The Bounties




            $104,000* Total Paid (since Dec, 2010)
                    175 Bugs Submitted
                     64 Qualifying bugs
                    24 Paid Contributors



* Mozilla Web Bounty, not including Firefox Bounties

Mozilla Web Bounty - Bounty Payments

[Bar chart: number of bounties paid at each amount: $500 (25), $1,000 (20), $1,500 (11), $3,000 (8)]
Mozilla Web Bounty - Bounty Payments

[Bar chart: total bounty paid per contributor, y-axis $0 to $25,000]
Mozilla Web Bounty - Benefits


Engages community
Produces many high value bugs
Bounty is not purchasing silence
Security at huge scope
Identifies clever attacks & edge cases




Mozilla Web Bounty - Lessons Learned


Initial spike of work load
Prepare necessary teams
Response time & communication is critical
Researchers & directions - not always a perfect match

[Chart: number of bug submissions per month, Nov 2010 to Sep 2011]
Mozilla Web Bounty - Worth It?




                  YES!



Bounty Programs - Why?


User & user data safety is #1
Productive relationship with community
Consistent security at scale is hard
Not competing with black market




Launching Your Own Web Bounty Program




 Bug bounties are an enhancement, not a substitute for any portion of a secure SDLC




Bounty Programs - Preparation


Gain developer & team lead support
Check your code
Define clear reporting process
Define scope and types of issues
Build team to respond to reports & establish response time goals
Announce program
Root cause analysis
Learn & adjust
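The preparation list above and the earlier lesson that response time and communication are critical both come down to measuring the report queue against stated goals. The following is an added example, not Mozilla's process: the slide says to set response time goals but gives none, so the 24-hour first-response and 30-day resolution goals, the record layout and the sample records are assumptions chosen for illustration.

```python
"""Response-time review for a bounty report queue.

Added example, not Mozilla's process. The 24-hour first-response and 30-day
resolution goals, the record layout and the sample records are assumptions."""
from datetime import datetime, timedelta
from statistics import median

FIRST_RESPONSE_GOAL = timedelta(hours=24)   # assumed goal
RESOLUTION_GOAL = timedelta(days=30)        # assumed goal

# Constructed sample queue: (bug id, filed, first response, resolved).
# None means the event has not happened yet.
SAMPLE_QUEUE = [
    ("WB-1", "2010-12-15T09:00", "2010-12-15T13:30", "2011-01-03T17:00"),
    ("WB-2", "2010-12-15T10:15", "2010-12-17T08:00", "2010-12-20T12:00"),
    ("WB-3", "2010-12-16T22:40", "2010-12-17T07:05", None),
    ("WB-4", "2010-12-18T03:00", None, None),
]


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def review_queue(queue=SAMPLE_QUEUE, now=datetime(2011, 1, 20),
                 first_goal=FIRST_RESPONSE_GOAL, res_goal=RESOLUTION_GOAL):
    """Per-report timings. An unanswered or unresolved report is measured
    against `now`, so a breach shows up while the bug is still open rather
    than only after it is closed."""
    rows = []
    for bug, filed, first, resolved in queue:
        filed, first, resolved = _ts(filed), _ts(first), _ts(resolved)
        first_elapsed = (first or now) - filed
        res_elapsed = (resolved or now) - filed
        rows.append({
            "bug": bug,
            "answered": first is not None,
            "hours_to_first_response": first_elapsed.total_seconds() / 3600,
            "first_response_breach": first_elapsed > first_goal,
            "resolved": resolved is not None,
            "days_open": res_elapsed.total_seconds() / 86400,
            "resolution_breach": res_elapsed > res_goal,
        })
    return rows


def summarize(rows):
    """Roll-up a program lead would look at: typical first-response time,
    and which reports are over either goal."""
    answered = [r["hours_to_first_response"] for r in rows if r["answered"]]
    return {
        "median_hours_to_first_response": median(answered) if answered else None,
        "first_response_breaches": [r["bug"] for r in rows if r["first_response_breach"]],
        "resolution_breaches": [r["bug"] for r in rows if r["resolution_breach"]],
        "open": [r["bug"] for r in rows if not r["resolved"]],
    }


if __name__ == "__main__":
    rows = review_queue()
    for r in rows:
        print(r)
    print(summarize(rows))
```

Measuring open reports against the current time is the important design choice: a report that has had no reply for two weeks is the communication failure the deck warns about, and a review that only scores closed reports would never show it.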
Bounty Concerns


Common concerns with web bounty programs
  Encourages attackers
  Too expensive
  Veil of cover for attackers
  Bounty program duplicates internal security work
  Can’t compete with black market


We’ll address why these concerns aren’t necessarily valid


Bounty Concerns - Encourages attackers


Bad guys already attacking you
Without bounty program good guys afraid to test or report
Bounty program enables participants that will help you




Bounty Concerns - Too Expensive


Very high value
Compare bounty payout with equivalent 3rd party testing
Provides continual testing
Use individual bugs to identify root cause flaws
What percentage of profit spent on security?




Bounty Concerns - Veil of cover for attackers


Goal is to identify flaws, not identify bad guys
One possible deployment:
  Full security controls & active blocking in prod
  Set up a public stage for testing with dummy data
  Configure production to actively block attackers
  Stage area could be next revision of code for prod




Bounty Concerns - Duplicates Internal Security Work


You don’t know what you don’t know
Identifies process breakdowns
Identifies areas for training in secure sdlc
Another tactic to protect users & critical data




Bounty Concerns - Can’t Compete with Black Market


Bounty programs and black market target different audiences
Some people are bad, but many people are good
Many don’t want hassle or questionable ethics/legalities of black market




Bounty Concerns - Can’t Compete with Black Market


Black market process
  Identify critical issue
  Weaponize exploit
  Find buyer on underground market
  Negotiate price
  Give bank account info for wire transfer? Arrange meeting for large cash exchange?
  File appropriate tax returns?

Bug bounty process
  Identify critical issue
  Report issue to reputable program
  Receive bounty from organization
  Feel happy you’ve helped the world be safer

Conclusion



    Web Bounty Program works great for Mozilla

  Recommend exploring how this may work for you

  Leverage lessons learned & evaluate risk/benefit




Questions?




          @_mwc
michael-coates.blogspot.com




Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPVirtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
 
2013 michael coates-javaone
2013 michael coates-javaone2013 michael coates-javaone
2013 michael coates-javaone
 
Sf startup-security
Sf startup-securitySf startup-security
Sf startup-security
 
SQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning CenterSQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning Center
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
 
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPIReal Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
 
SSL Screw Ups
SSL Screw UpsSSL Screw Ups
SSL Screw Ups
 

Recently uploaded

FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 

Bug Bounty Programs For The Web

  • 1. Security Evolution - Bug Bounty Programs for Web Applications
    Michael Coates - Mozilla
    September, 2011
    OWASP. Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
  • 2. Agenda
    - History of Bounty Programs
    - Mozilla Web Bounty Results
    - Launching a Web Bounty Program
    - Common Bounty Concerns
    - Conclusion
  • 4. History of Bounty Programs
    - 1995 - Netscape
    - 2002 - iDefense
    - 2004 - Mozilla Firefox
    - 2005 - ZDI
    - 2007 - Pwn2Own
    - 2010 - Google Chromium, Deutsche Post E-Postbrief, Google Web, Mozilla Web, Barracuda
    - 2011 - Hex Rays, Facebook
  • 5. Types of Programs
    Open to all - reported direct to software maker:
    - (1995) Netscape
    - (2004) Mozilla Firefox
    - (2010) Google Chromium
    - (2010) Google Web
    - (2010) Mozilla Web
    - (2010) Barracuda
    - (2011) Hex Rays
    - (2011) Facebook
    Central "clearing house":
    - (2002) iDefense
    - (2005) ZDI TippingPoint
    Pre-approved teams / competition:
    - (2007) Pwn2Own
    - (2010) Deutsche Post E-Postbrief
  • 6. Programs for the Web
    - Mozilla Web Bounty: $500 - $3000
    - Google Web Bounty: $500 - $3137
    - Facebook Security Bounty: typically $500, paid up to $5000
    General policies:
    - Select web sites in scope
    - Critical issues
    - Paid for new issues (not dupes)
  • 7. Bounty Programs - Why?
    - User & user data safety is #1
    - Productive relationship with community
    - Work directly with researchers
    - Consistent security at scale is hard
    - Not competing with black market
  • 9. Mozilla Web Bounty - Scope
    - Goal: protect users
    - Critical issues such as XSS, CSRF, code injection, authentication flaws
    Sites in scope:
    - bugzilla.mozilla.org
    - www.getfirefox.com
    - *.services.mozilla.com
    - addons.mozilla.org
    - getpersonas.com
    - services.addons.mozilla.org
    - aus*.mozilla.org
    - versioncheck.addons.mozilla.org
    - www.mozilla.com/org
    - pfs.mozilla.org
    - www.firefox.com
    - download.mozilla.org
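The first triage question for any report is whether the affected host is actually inside a scope list like the one above. The Python below is an added example of that check, not Mozilla's own tooling. It reads the slide's `www.mozilla.com/org` as shorthand for both www.mozilla.com and www.mozilla.org (an assumption), lets a leading `*.` match one or more subdomain labels, keeps an in-label `*` (as in `aus*.mozilla.org`) inside a single label, and pulls the hostname out of a full URL so that lookalike hosts and `user@host` tricks in a reporter's URL do not match.

```python
import re
from urllib.parse import urlsplit

# Scope list as printed on the "Mozilla Web Bounty - Scope" slide.
# "www.mozilla.com/org" is expanded here to both hosts: my reading of the
# slide's shorthand, not something the deck states.
SCOPE = [
    "bugzilla.mozilla.org",
    "www.getfirefox.com",
    "*.services.mozilla.com",
    "addons.mozilla.org",
    "getpersonas.com",
    "services.addons.mozilla.org",
    "aus*.mozilla.org",
    "versioncheck.addons.mozilla.org",
    "www.mozilla.com",
    "www.mozilla.org",
    "pfs.mozilla.org",
    "www.firefox.com",
    "download.mozilla.org",
]

LABEL = r"[a-z0-9-]+"


def compile_scope_pattern(pattern: str) -> re.Pattern:
    """Turn one scope entry into an anchored regex over a lowercase hostname.

    A leading "*." matches one or more whole subdomain labels, so
    "*.services.mozilla.com" covers sync.services.mozilla.com (and deeper
    hosts) but not services.mozilla.com itself. Any other "*" stays inside a
    single label, so "aus*.mozilla.org" covers aus3.mozilla.org but never
    aus.example.mozilla.org.
    """
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return re.compile(rf"^(?:{LABEL}\.)+{re.escape(pattern[2:])}$")
    pieces = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + r"[a-z0-9-]*".join(pieces) + "$")


SCOPE_REGEXES = [(entry, compile_scope_pattern(entry)) for entry in SCOPE]


def hostname_of(target: str) -> str:
    """Extract the hostname from a URL or a bare host.

    Going through urlsplit means "http://addons.mozilla.org@evil.example/"
    yields evil.example, and ports, userinfo and trailing dots are dropped.
    """
    if "://" not in target:
        target = "//" + target
    host = urlsplit(target).hostname or ""
    return host.rstrip(".").lower()


def matching_scope_entry(target: str):
    """Return the scope entry that covers target, or None if out of scope."""
    host = hostname_of(target)
    if not host:
        return None
    for entry, regex in SCOPE_REGEXES:
        if regex.match(host):
            return entry
    return None


def in_scope(target: str) -> bool:
    return matching_scope_entry(target) is not None


if __name__ == "__main__":
    for target in ("https://addons.mozilla.org/en-US/firefox/",
                   "sync.services.mozilla.com",
                   "http://addons.mozilla.org@evil.example/",
                   "addons.mozilla.org.evil.example"):
        print(f"{target:45} -> {matching_scope_entry(target)}")
```

Returning the matching entry rather than a bare boolean is deliberate: the triager can quote it back to the reporter, and a report that matches nothing can be answered from the published list instead of a judgement call.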
  • 10. Mozilla Web Bounty - Submission Timeline
    [Bar chart: bugs submitted per month, Nov 2010 through Sep 2011; bar values not recoverable from the transcript]
  • 11. Mozilla Web Bounty - Bugs Reported
    [Pie chart: breakdown of bugs reported; labels not recoverable from the transcript]
  • 12. Mozilla Web Bounty - Types of Issues Reported
    [Pie chart: types of issues reported; labels not recoverable from the transcript]
  • 13. Mozilla Web Bounty - The Reporters
    How many bugs are people submitting?
    Number of bugs submitted | Percentage of reporters
    1 bug                    | 47%
    2-5 bugs                 | 33%
    6+ bugs                  | 20%
    Top 11% of bug finders contribute 56% of bugs
  • 14. Mozilla Web Bounty - What is Submitted
    - Failure in design patterns - ex: image uploads
    - Procedural gaps / forgotten servers
    - Smaller traditional bugs
  • 15. Mozilla Web Bounty - The Bounties
    - $104,000* total paid (since Dec 2010)
    - 175 bugs submitted
    - 64 qualifying bugs
    - 24 paid contributors
    * Mozilla Web Bounty, not including Firefox bounties
  • 16. Mozilla Web Bounty - Bounty Payments
    [Bar chart: number of bounties paid at each payout amount; values not recoverable from the transcript]
  • 17. Mozilla Web Bounty - Bounty Payments
    [Bar chart: distribution of bounty payments; labels not recoverable from the transcript]
  • 18. Mozilla Web Bounty - Benefits
    - Engages community
    - Produces many high value bugs
    - Bounty is not purchasing silence
    - Security at huge scope
    - Identifies clever attacks & edge cases
  • 19. Mozilla Web Bounty - Lessons Learned
    - Initial spike of work load
    - Prepare necessary teams
    - Response time & communication is critical
    - Researchers & directions - not always a perfect match
    [Bar chart: bugs submitted per month, Nov 2010 through Sep 2011; same chart as slide 10]
  • 20. Mozilla Web Bounty - Worth It?
    YES!
  • 23. Launching Your Own Web Bounty Program
    Bug bounties are an enhancement, not a substitute for any portion of a secure SDLC
  • 24. Bounty Programs - Preparation
    - Gain developer & team lead support
    - Check your code
    - Define clear reporting process
    - Define scope and types of issues
    - Build team to respond to reports & establish response time goals
    - Announce program
    - Root cause analysis
    - Learn & adjust
  • 26. Bounty Concerns
    Common concerns with web bounty programs:
    - Encourages attackers
    - Too expensive
    - Veil of cover for attackers
    - Bounty program duplicates internal security work
    - Can't compete with black market
    We'll address why these concerns aren't necessarily valid
  • 27. Bounty Concerns - Encourages Attackers
    - Bad guys already attacking you
    - Without bounty program good guys afraid to test or report
    - Bounty program enables participants that will help you
  • 28. Bounty Concerns - Too Expensive
    - Very high value
    - Compare bounty payout with equivalent 3rd party testing
    - Provides continual testing
    - Use individual bugs to identify root cause flaws
    - What percentage of profit spent on security?
  • 29. Bounty Concerns - Veil of Cover for Attackers
    Goal is to identify flaws, not identify bad guys
    One possible deployment:
    - Full security controls & active blocking in prod
    - Set up public stage for testing with dummy data
    - Configure production to actively block attackers
    - Stage area could be next revision of code for prod
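To make the production/stage split concrete, here is an added Python sketch; it is example code, not Mozilla's deployment, and the three regex probe signatures, the threshold of three probes and the sample request lines are all assumptions constructed for the illustration. Both environments run the same detection; only the response differs: production blocks a client after repeated probes, stage records the probe and keeps serving so a researcher can finish the test against dummy data.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Crude probe signatures for issue classes the deck names as critical
# (XSS, injection) plus path traversal. Illustrative only; a real deployment
# would use a proper detection-point set, not three regexes.
PROBE_SIGNATURES = {
    "xss": re.compile(r"<script|javascript:|on(?:error|load)\s*=", re.I),
    "sqli": re.compile(r"'\s*(?:or|and)\s+\S+\s*=|union\s+select", re.I),
    "traversal": re.compile(r"\.\./"),
}


def classify_request(request_line: str):
    """Return the first matching probe class for an HTTP request line, else None."""
    decoded = unquote(request_line)  # match on the decoded form, not the raw bytes
    for kind, pattern in PROBE_SIGNATURES.items():
        if pattern.search(decoded):
            return kind
    return None


class ResponsePolicy:
    """Same detection everywhere; the response depends on the environment.

    production: after block_threshold probes from one client, block it.
    stage:      record the event and keep serving (researchers work against
                dummy data here, so blocking protects nothing).
    """

    def __init__(self, environment: str, block_threshold: int = 3):
        if environment not in ("production", "stage"):
            raise ValueError("environment must be 'production' or 'stage'")
        self.environment = environment
        self.block_threshold = block_threshold
        self.probe_counts = defaultdict(int)
        self.blocked = set()
        self.events = []  # (client_ip, kind, request_line) for root-cause review

    def handle(self, client_ip: str, request_line: str) -> str:
        if client_ip in self.blocked:
            return "blocked"
        kind = classify_request(request_line)
        if kind is None:
            return "allowed"
        self.probe_counts[client_ip] += 1
        self.events.append((client_ip, kind, request_line))
        if (self.environment == "production"
                and self.probe_counts[client_ip] >= self.block_threshold):
            self.blocked.add(client_ip)
            return "blocked"
        return "allowed"


# Constructed sample traffic (RFC 5737 documentation addresses), not real logs.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "GET /search?q=firefox HTTP/1.1"),
    ("203.0.113.7", "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1"),
    ("203.0.113.7", "GET /addon?id=1'%20OR%20'1'='1 HTTP/1.1"),
    ("203.0.113.7", "GET /files?path=../../etc/passwd HTTP/1.1"),
    ("203.0.113.7", "GET /search?q=thunderbird HTTP/1.1"),
    ("198.51.100.4", "GET /search?q=personas HTTP/1.1"),
]


def run_sample(environment: str) -> dict:
    """Replay the sample traffic through one environment's policy."""
    policy = ResponsePolicy(environment)
    decisions = [policy.handle(ip, line) for ip, line in SAMPLE_REQUESTS]
    return {
        "decisions": decisions,
        "blocked": sorted(policy.blocked),
        "probe_kinds": [kind for _, kind, _ in policy.events],
    }


if __name__ == "__main__":
    for env in ("production", "stage"):
        print(env, run_sample(env))
```

The point of keeping the detection identical in both environments is that the stage instance still produces the event trail; that trail, not the blocked address, is what feeds the root-cause analysis the preparation slide calls for.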
  • 30. Bounty Concerns - Duplicates Internal Security Work
    - You don't know what you don't know
    - Identifies process breakdowns
    - Identifies areas for training in secure SDLC
    - Another tactic to protect users & critical data
  • 31. Bounty Concerns - Can't Compete with Black Market
    - Bounty programs and black market target different audiences
    - Some people are bad, but many people are good
    - Many don't want hassle or questionable ethics/legalities of black market
  • 32. Bounty Concerns - Can't Compete with Black Market
    Black market process:
    - Identify critical issue
    - Weaponize exploit
    - Find buyer on underground market
    - Negotiate price
    - Give bank account info for wire transfer? Arrange meeting for large cash exchange?
    - File appropriate tax returns?
    Bug bounty process:
    - Identify critical issue
    - Report issue to reputable program
    - Receive bounty from organization
    - Feel happy you've helped the world be safer
  • 34. Conclusion
    - Web Bounty Program works great for Mozilla
    - Recommend exploring how this may work for you
    - Leverage lessons learned & evaluate risk/benefit
  • 35. Questions?
    @_mwc
    michael-coates.blogspot.com
