SlideShare a Scribd company logo

Bug Bounty Secrets

n|u - The Open Security Community
n|u - The Open Security Community

Bug bounty programs involve paying security researchers rewards for finding vulnerabilities in companies' products. To participate, researchers need to understand the target company's products and domains, know which companies offer bounties, and find bugs that are in scope like XSS, SQL injection, or authentication bypasses. Rewards can range from $100 to $20,000. Major companies like Google, Facebook, and Mozilla run bounty programs and have collectively paid over $1 million to researchers. Examples are shown of real bugs found and reported through bounty programs. The conclusion encourages reporting bugs to companies rather than selling vulnerabilities.

EducationTechnologyBusiness
1 of 11
Download to read offline
Bug Bounty Secrets
HARI KRISHNAN. R Security Researcher and new to ppt :P
And get fame and cash  Select the target Gather Information Find bug and report Basic steps
Paying rewards to independent security researchers for finding vulnerabilities in their products. Major Players Google Mozilla Facebook Paypal And what we get ? Money and Fame. And what the company get ? They get their application secured and is very cost effective for them as they pay the independent researchers a minimal amount About Bug Bounty
What all you need to start hunting for bounty ? Know about the target, their products, acquired companies ( which you can find it by searching it in Google ) , sub domains, etc. Do have a good understanding of the application which you are testing. Know which all company is having bug bounty program and some of them are AT&T Barracuda Chromium Project Etsy Facebook Gallery Google Hex-Rays Kaneva LaunchKey ManageWP Mozilla PayPal Samsung Yandex
What kind of bugs are in scope ? XSS XSRF / CSRF SQL injection or equivalent Remote code execution Authentication bypass or information leak Rewards for qualifying bugs can range from 100 $ to 20,000$ or more. So far, Google have paid $828,000 to more than 250 individuals. Mozilla has paid $570,000+
Reference:Slides from Adam Mein at SANS AppSec 2011
Reference: Slides from Adam Mein at SANS AppSec 2011
Example 1 : Dom based Xss in Google Partners
Example 2: XSS vulnerabilities in Google's Gmail's mobile view by Nils juenemann
Conclusion: Report the bugs to the company rather than selling it in black market ;)

Recommended

Bug Bounty 101
Bug Bounty 101Bug Bounty 101
Bug Bounty 101
Shahee Mirza
 
Bug bounty
Bug bountyBug bounty
Bug bounty
n|u - The Open Security Community
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - Beginners
Himanshu Kumar Das
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Bug Bounty Basics
Bug Bounty BasicsBug Bounty Basics
Bug Bounty Basics
HackerOne
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17
Sagar M Parmar
 
Bug Bounty - Play For Money
Bug Bounty - Play For MoneyBug Bounty - Play For Money
Bug Bounty - Play For Money
Shubham Gupta
 

Recommended

Bug Bounty 101
Bug Bounty 101Bug Bounty 101
Bug Bounty 101
Shahee Mirza
 
Bug bounty
Bug bountyBug bounty
Bug bounty
n|u - The Open Security Community
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - Beginners
Himanshu Kumar Das
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Bug Bounty Basics
Bug Bounty BasicsBug Bounty Basics
Bug Bounty Basics
HackerOne
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17
Sagar M Parmar
 
Bug Bounty - Play For Money
Bug Bounty - Play For MoneyBug Bounty - Play For Money
Bug Bounty - Play For Money
Shubham Gupta
 
Bug Bounty - Hackers Job
Bug Bounty - Hackers JobBug Bounty - Hackers Job
Bug Bounty - Hackers JobArbin Godar
 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016
Shubham Gupta
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameThe Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
Abhinav Mishra
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
Nahidul Kibria
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Cybersecurity Education and Research Centre
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
DARSHANBHAVSAR14
 
Saying Hello to Bug Bounty
Saying Hello to Bug BountySaying Hello to Bug Bounty
Saying Hello to Bug Bounty
Null Bhubaneswar
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration Testing
Raghav Bisht
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
Server-side template injection- Slides
Server-side template injection- Slides Server-side template injection- Slides
Server-side template injection- Slides
Amit Dubey
 
Bug Bounty Programs For The Web
Bug Bounty Programs For The WebBug Bounty Programs For The Web
Bug Bounty Programs For The Web
Michael Coates
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for Beginners
SKMohamedKasim
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
Paul Melson
 
Information security awareness - 101
Information security awareness - 101Information security awareness - 101
Information security awareness - 101
mateenzero
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suite
jasonhaddix
 
Basics of Server Side Template Injection
Basics of Server Side Template InjectionBasics of Server Side Template Injection
Basics of Server Side Template Injection
Vandana Verma
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
Andrew McNicol
 
Burp suite
Burp suiteBurp suite
Burp suite
SOURABH DESHMUKH
 
Nbt con december-2014-slides
Nbt con december-2014-slidesNbt con december-2014-slides
Nbt con december-2014-slidesBehrouz Sadeghipour
 
Nbt con december-2014-slides
Nbt con december-2014-slidesNbt con december-2014-slides
Nbt con december-2014-slides
Behrouz Sadeghipour
 

More Related Content

What's hot

Bug Bounty - Hackers Job
Bug Bounty - Hackers JobBug Bounty - Hackers Job
Bug Bounty - Hackers JobArbin Godar
 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016
Shubham Gupta
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameThe Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
Abhinav Mishra
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
Nahidul Kibria
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Cybersecurity Education and Research Centre
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
DARSHANBHAVSAR14
 
Saying Hello to Bug Bounty
Saying Hello to Bug BountySaying Hello to Bug Bounty
Saying Hello to Bug Bounty
Null Bhubaneswar
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration Testing
Raghav Bisht
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
Server-side template injection- Slides
Server-side template injection- Slides Server-side template injection- Slides
Server-side template injection- Slides
Amit Dubey
 
Bug Bounty Programs For The Web
Bug Bounty Programs For The WebBug Bounty Programs For The Web
Bug Bounty Programs For The Web
Michael Coates
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for Beginners
SKMohamedKasim
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
Paul Melson
 
Information security awareness - 101
Information security awareness - 101Information security awareness - 101
Information security awareness - 101
mateenzero
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suite
jasonhaddix
 
Basics of Server Side Template Injection
Basics of Server Side Template InjectionBasics of Server Side Template Injection
Basics of Server Side Template Injection
Vandana Verma
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
Andrew McNicol
 
Burp suite
Burp suiteBurp suite
Burp suite
SOURABH DESHMUKH
 

What's hot (20)

Bug Bounty - Hackers Job
Bug Bounty - Hackers JobBug Bounty - Hackers Job
Bug Bounty - Hackers Job
 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameThe Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
Saying Hello to Bug Bounty
Saying Hello to Bug BountySaying Hello to Bug Bounty
Saying Hello to Bug Bounty
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration Testing
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
 
Server-side template injection- Slides
Server-side template injection- Slides Server-side template injection- Slides
Server-side template injection- Slides
 
Bug Bounty Programs For The Web
Bug Bounty Programs For The WebBug Bounty Programs For The Web
Bug Bounty Programs For The Web
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for Beginners
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 
Information security awareness - 101
Information security awareness - 101Information security awareness - 101
Information security awareness - 101
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suite
 
Basics of Server Side Template Injection
Basics of Server Side Template InjectionBasics of Server Side Template Injection
Basics of Server Side Template Injection
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
Burp suite
Burp suiteBurp suite
Burp suite
 

Similar to Bug Bounty Secrets

Nbt con december-2014-slides
Nbt con december-2014-slidesNbt con december-2014-slides
Nbt con december-2014-slides
Behrouz Sadeghipour
 
Blackhat Analytics 2 @ Superweek
Blackhat Analytics 2 @ SuperweekBlackhat Analytics 2 @ Superweek
Blackhat Analytics 2 @ Superweek
Phil Pearce
 
Silicon Valley 2.0 -- The Lean VC
Silicon Valley 2.0 -- The Lean VCSilicon Valley 2.0 -- The Lean VC
Silicon Valley 2.0 -- The Lean VC
Dave McClure
 
Silicon Valley 2.0: The Lean VC
Silicon Valley 2.0: The Lean VCSilicon Valley 2.0: The Lean VC
Silicon Valley 2.0: The Lean VC
Dave McClure
 
Silicon Valley 2.0: The Lean VC
Silicon Valley 2.0: The Lean VCSilicon Valley 2.0: The Lean VC
Silicon Valley 2.0: The Lean VC
Dave McClure
 
Hong Kong 2.0: The Lean VC
Hong Kong 2.0: The Lean VCHong Kong 2.0: The Lean VC
Hong Kong 2.0: The Lean VC
Dave McClure
 
Silicon Valley 2.0: The Lean VC
Silicon Valley 2.0: The Lean VCSilicon Valley 2.0: The Lean VC
Silicon Valley 2.0: The Lean VCDave McClure
 
The Lean VC (Sapporo, May 2011)
The Lean VC (Sapporo, May 2011)The Lean VC (Sapporo, May 2011)
The Lean VC (Sapporo, May 2011)
Dave McClure
 
Sba 20111003b - starting your own web startup
Sba 20111003b - starting your own web startupSba 20111003b - starting your own web startup
Sba 20111003b - starting your own web startupallanchao
 
Parallels Hosting Products
Parallels Hosting ProductsParallels Hosting Products
Parallels Hosting Productswebhostingguy
 
Estudio34 InAppEvent - How to Reach Your App Promotion KPIs with Google
Estudio34 InAppEvent - How to Reach Your App Promotion KPIs with GoogleEstudio34 InAppEvent - How to Reach Your App Promotion KPIs with Google
Estudio34 InAppEvent - How to Reach Your App Promotion KPIs with Google
William Renedo
 
Phil Pearce - Blackhat analytics
Phil Pearce - Blackhat analyticsPhil Pearce - Blackhat analytics
Phil Pearce - Blackhat analytics
Marketing Festival
 
0-60 Researchers - Jump starting a bug bounty
0-60 Researchers - Jump starting a bug bounty0-60 Researchers - Jump starting a bug bounty
0-60 Researchers - Jump starting a bug bounty
Ty Sbano
 
Malvertizing Like a Pro
Malvertizing Like a ProMalvertizing Like a Pro
Malvertizing Like a Pro
⭕Alexander Rymdeko-Harvey
 
Introduction to the Current Threat Landscape
Introduction to the Current Threat LandscapeIntroduction to the Current Threat Landscape
Introduction to the Current Threat Landscape
Melbourne IT
 
Building Dinder - the real world
Building Dinder - the real worldBuilding Dinder - the real world
Building Dinder - the real world
Lev Perlman
 
Malvertizing Like a PRO
Malvertizing Like a PROMalvertizing Like a PRO
Malvertizing Like a PRO
Alexander Rymdeko-Harvey
 
Microsoft365 from a Hacker's Perspective
Microsoft365 from a Hacker's PerspectiveMicrosoft365 from a Hacker's Perspective
Microsoft365 from a Hacker's Perspective
Benedek Menesi
 
Gdpr ccpa steps to near as close to compliancy as possible with low risk of f...
Gdpr ccpa steps to near as close to compliancy as possible with low risk of f...Gdpr ccpa steps to near as close to compliancy as possible with low risk of f...
Gdpr ccpa steps to near as close to compliancy as possible with low risk of f...
Steven Meister
 

Similar to Bug Bounty Secrets (20)

Nbt con december-2014-slides
Nbt con december-2014-slidesNbt con december-2014-slides
Nbt con december-2014-slides
 
Nbt con december-2014-slides
Nbt con december-2014-slidesNbt con december-2014-slides
Nbt con december-2014-slides
 
Blackhat Analytics 2 @ Superweek
Blackhat Analytics 2 @ SuperweekBlackhat Analytics 2 @ Superweek
Blackhat Analytics 2 @ Superweek
 
Silicon Valley 2.0 -- The Lean VC
Silicon Valley 2.0 -- The Lean VCSilicon Valley 2.0 -- The Lean VC
Silicon Valley 2.0 -- The Lean VC
 
Silicon Valley 2.0: The Lean VC
Silicon Valley 2.0: The Lean VCSilicon Valley 2.0: The Lean VC
Silicon Valley 2.0: The Lean VC
 
Silicon Valley 2.0: The Lean VC
Silicon Valley 2.0: The Lean VCSilicon Valley 2.0: The Lean VC
Silicon Valley 2.0: The Lean VC
 
Hong Kong 2.0: The Lean VC
Hong Kong 2.0: The Lean VCHong Kong 2.0: The Lean VC
Hong Kong 2.0: The Lean VC
 
Silicon Valley 2.0: The Lean VC
Silicon Valley 2.0: The Lean VCSilicon Valley 2.0: The Lean VC
Silicon Valley 2.0: The Lean VC
 
The Lean VC (Sapporo, May 2011)
The Lean VC (Sapporo, May 2011)The Lean VC (Sapporo, May 2011)
The Lean VC (Sapporo, May 2011)
 
Sba 20111003b - starting your own web startup
Sba 20111003b - starting your own web startupSba 20111003b - starting your own web startup
Sba 20111003b - starting your own web startup
 
Parallels Hosting Products
Parallels Hosting ProductsParallels Hosting Products
Parallels Hosting Products
 
Estudio34 InAppEvent - How to Reach Your App Promotion KPIs with Google
Estudio34 InAppEvent - How to Reach Your App Promotion KPIs with GoogleEstudio34 InAppEvent - How to Reach Your App Promotion KPIs with Google
Estudio34 InAppEvent - How to Reach Your App Promotion KPIs with Google
 
Phil Pearce - Blackhat analytics
Phil Pearce - Blackhat analyticsPhil Pearce - Blackhat analytics
Phil Pearce - Blackhat analytics
 
0-60 Researchers - Jump starting a bug bounty
0-60 Researchers - Jump starting a bug bounty0-60 Researchers - Jump starting a bug bounty
0-60 Researchers - Jump starting a bug bounty
 
Malvertizing Like a Pro
Malvertizing Like a ProMalvertizing Like a Pro
Malvertizing Like a Pro
 
Introduction to the Current Threat Landscape
Introduction to the Current Threat LandscapeIntroduction to the Current Threat Landscape
Introduction to the Current Threat Landscape
 
Building Dinder - the real world
Building Dinder - the real worldBuilding Dinder - the real world
Building Dinder - the real world
 
Malvertizing Like a PRO
Malvertizing Like a PROMalvertizing Like a PRO
Malvertizing Like a PRO
 
Microsoft365 from a Hacker's Perspective
Microsoft365 from a Hacker's PerspectiveMicrosoft365 from a Hacker's Perspective
Microsoft365 from a Hacker's Perspective
 
Gdpr ccpa steps to near as close to compliancy as possible with low risk of f...
Gdpr ccpa steps to near as close to compliancy as possible with low risk of f...Gdpr ccpa steps to near as close to compliancy as possible with low risk of f...
Gdpr ccpa steps to near as close to compliancy as possible with low risk of f...
 

More from n|u - The Open Security Community

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
n|u - The Open Security Community
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
n|u - The Open Security Community
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
n|u - The Open Security Community
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
n|u - The Open Security Community
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
n|u - The Open Security Community
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
n|u - The Open Security Community
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
n|u - The Open Security Community
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
n|u - The Open Security Community
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
n|u - The Open Security Community
 
Cloud security
Cloud security Cloud security
Cloud security
n|u - The Open Security Community
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
n|u - The Open Security Community
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
n|u - The Open Security Community
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
n|u - The Open Security Community
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
n|u - The Open Security Community
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
n|u - The Open Security Community
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
n|u - The Open Security Community
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
n|u - The Open Security Community
 

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Recently uploaded

Advantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO PerspectiveAdvantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO Perspective
Krisztián Száraz
 
CACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdfCACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdf
camakaiclarkmusic
 
Model Attribute Check Company Auto Property
Model Attribute Check Company Auto PropertyModel Attribute Check Company Auto Property
Model Attribute Check Company Auto Property
Celine George
 
Unit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdfUnit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdf
Thiyagu K
 
How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17
Celine George
 
2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...
Sandy Millin
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
DeeptiGupta154
 
Marketing internship report file for MBA
Marketing internship report file for MBAMarketing internship report file for MBA
Marketing internship report file for MBA
gb193092
 
Digital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and ResearchDigital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and Research
Vikramjit Singh
 
Chapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptxChapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptx
Mohd Adib Abd Muin, Senior Lecturer at Universiti Utara Malaysia
 
Pride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School DistrictPride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School District
David Douglas School District
 
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdfMASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
goswamiyash170123
 
How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...
Jisc
 
Francesca Gottschalk - How can education support child empowerment.pptx
Francesca Gottschalk - How can education support child empowerment.pptxFrancesca Gottschalk - How can education support child empowerment.pptx
Francesca Gottschalk - How can education support child empowerment.pptx
EduSkills OECD
 
Best Digital Marketing Institute In NOIDA
Best Digital Marketing Institute In NOIDABest Digital Marketing Institute In NOIDA
Best Digital Marketing Institute In NOIDA
deeptiverma2406
 
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Dr. Vinod Kumar Kanvaria
 
The French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free downloadThe French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free download
Vivekanand Anglo Vedic Academy
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
Jisc
 
Supporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptxSupporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptx
Jisc
 
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
EugeneSaldivar
 

Recently uploaded (20)

Advantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO PerspectiveAdvantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO Perspective
 
CACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdfCACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdf
 
Model Attribute Check Company Auto Property
Model Attribute Check Company Auto PropertyModel Attribute Check Company Auto Property
Model Attribute Check Company Auto Property
 
Unit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdfUnit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdf
 
How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17
 
2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
 
Marketing internship report file for MBA
Marketing internship report file for MBAMarketing internship report file for MBA
Marketing internship report file for MBA
 
Digital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and ResearchDigital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and Research
 
Chapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptxChapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptx
 
Pride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School DistrictPride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School District
 
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdfMASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
 
How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...
 
Francesca Gottschalk - How can education support child empowerment.pptx
Francesca Gottschalk - How can education support child empowerment.pptxFrancesca Gottschalk - How can education support child empowerment.pptx
Francesca Gottschalk - How can education support child empowerment.pptx
 
Best Digital Marketing Institute In NOIDA
Best Digital Marketing Institute In NOIDABest Digital Marketing Institute In NOIDA
Best Digital Marketing Institute In NOIDA
 
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
 
The French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free downloadThe French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free download
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
 
Supporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptxSupporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptx
 
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
 

Bug Bounty Secrets

  • 2. HARI KRISHNAN. R Security Researcher and new to ppt :P
  • 3. And get fame and cash  Select the target Gather Information Find bug and report Basic steps
  • 4. Paying rewards to independent security researchers for finding vulnerabilities in their products. Major Players Google Mozilla Facebook Paypal And what we get ? Money and Fame. And what the company get ? They get their application secured and is very cost effective for them as they pay the independent researchers a minimal amount About Bug Bounty
  • 5. What all you need to start hunting for bounty ? Know about the target, their products, acquired companies ( which you can find it by searching it in Google ) , sub domains, etc. Do have a good understanding of the application which you are testing. Know which all company is having bug bounty program and some of them are AT&T Barracuda Chromium Project Etsy Facebook Gallery Google Hex-Rays Kaneva LaunchKey ManageWP Mozilla PayPal Samsung Yandex
  • 6. What kind of bugs are in scope ? XSS XSRF / CSRF SQL injection or equivalent Remote code execution Authentication bypass or information leak Rewards for qualifying bugs can range from 100 $ to 20,000$ or more. So far, Google have paid $828,000 to more than 250 individuals. Mozilla has paid $570,000+
  • 7. Reference:Slides from Adam Mein at SANS AppSec 2011
  • 8. Reference: Slides from Adam Mein at SANS AppSec 2011
  • 9. Example 1 : Dom based Xss in Google Partners
  • 10. Example 2: XSS vulnerabilities in Google's Gmail's mobile view by Nils juenemann
  • 11. Conclusion: Report the bugs to the company rather than selling it in black market ;)