www.jaynagarblog.wordpress.com Call: 9601957620
CYBER CELL INTERNSHIP
GURUGRAM
June-July 2017
A RESEARCH REPORT ON
“BUGS BOUNTY – A STUDY”
Under the supervision of Cyber Cell Gurugram, Haryana Police
Submitted by Er. Jay Nagar
Table of Contents
About the Guide (p. 3)
ABSTRACT (p. 1)
1. INTRODUCTION (p. 1)
1.1 What is Bugs-Bounty? (p. 2)
2. HOW DOES A ‘BUGS-BOUNTY’ PROGRAM WORK? (p. 3)
2.1 The process of launching and implementing a bugs-bounty program (p. 3)
2.2 The process of reporting a bug from a researcher’s insight (p. 4)
A report or a ‘POC’ looks similar to this picture (p. 5)
3. SCOPE OF BUGS-BOUNTY PROGRAMS IN INDIA (p. 5)
3.0 Indian Firms (p. 5)
3.1 In Govt. sector (p. 6)
3.1.1 Programs launched by the U.S.A. govt. to secure the govt. domain (p. 7)
3.1.2 About ‘HACK THE PENTAGON’ (p. 7)
3.1.3 What can the Indian Government do? (p. 8)
3.1.4 INDIAN RESEARCHERS (p. 8)
FINDINGS (p. 8)
4. CONCLUSION (p. 9)
5. REFERENCES
ABSTRACT
The Vulnerability Reward Program (VRP), better known as ‘Bugs-Bounty’, is a new kind of platform introduced to the InfoSec and tech-startup communities. Bugs-Bounty (VRP) is popular in the tech world because of its unique working process: it provides an open platform for both researchers and companies to explore vulnerabilities and to act responsibly towards each other, the researchers by disclosing what they find and the companies by providing rewards and recognition. The platform has been widely used by tech giants and top researchers. The present research report examines the concept of “Bugs-Bounty” in the Indian scenario: a basic introduction to the concept, followed by the formal description of ‘Bug-Bounty’, and then the application of ‘Bugs-Bounty’ in the context of Indian startups and researchers. The report goes on to explain the working process of the program and its crucial points, such as the ‘POC’ (proof of concept) and duplicate findings. The report ‘concludes’ whether or not the Bugs-Bounty program is relevant in the Indian scenario.
KEYWORDS: VRP, BUGS-BOUNTY, POC.
1. INTRODUCTION
The growth of tech startups has increased the use of web applications. Earlier, only a few people were able to understand the technicalities of web apps, but the scenario has changed totally today. The mass reach of the internet has made it easy for today’s tech-savvy generation to understand the code and technicalities of the apps, and this has resulted in more exploitation of web apps. As the need for and functionality of the apps grew over time, so did their exploitation. Bugs were not reported but were exploited and sold on the dark net. Companies never provided rewards and recognition to the researchers. Then the term ‘Bugs-Bounty’ was introduced and a few platforms came to the rescue, one of the oldest among them being ‘HackerOne’, a California-based startup. The idea was a platform on which companies enrol in the program by signing a basic agreement and researchers follow the few rules and policies described by the company.
The program boomed in the industry as tech giants such as Google and Facebook were among the first to enrol in it. However, companies also feared outbreaks such as ‘black hats’ attacking them from within the crowd and noise and stealing their sensitive data in the name of Bugs-Bounty. Thus companies like Apple enrolled very late in these kinds of programs. But it is clear that the need for such a platform arose from the boom of the internet. These platforms rate the reputation of researchers based on their findings and give them frequent rewards, and thus the program was also able to gain popularity at conferences such as ‘Black Hat’ and ‘DEF CON’. The community supported it well, but slowly the view is changing because of the manipulation or monopoly practised by the companies.
1.1 What is Bugs-Bounty?
A bug bounty program, also called a vulnerability rewards program (VRP), is a crowdsourcing initiative that rewards individuals for discovering and reporting software bugs. Bug bounty programs are often initiated to supplement internal code audits and penetration tests as part of an organization's vulnerability management strategy. The original "Bugs Bounty" program was the creation of Jarrett Ridlinghafer while working at Netscape Communications Corporation as a technical support engineer.
Netscape encouraged its employees to push themselves and do whatever it takes to get the job done and, in late 1995, Jarrett Ridlinghafer was inspired with the idea for, and coined the phrase, 'Bugs Bounty'. The term ‘Bugs-Bounty’ is in itself really attractive as to the words and slang. The logo mainly used in these programs resembles the image shown below:
Many software vendors and websites run bug bounty programs, paying out cash rewards to software security researchers and white hat hackers who report software vulnerabilities that have the potential to be exploited. The tech leaders in this business model are as follows:
• Hackerone.com
• Bugcrowd.com
• Cobalt.io
• Synack.com
• Bountyfactory.com
• Zerocopter.com
Not all of these platforms are identical in their models, but the ideology behind each of them is the same: vulnerability reporting and patching.
2. HOW DOES A ‘BUGS-BOUNTY’ PROGRAM WORK?
2.1 The process of launching and implementing a bugs-bounty program.
A bug-bounty program needs a lot of work to be done inside an organization. The organization needs a strategic plan to execute a successful bug-bounty program. The company needs to thoroughly study, implement and execute the following steps for a successful program:
• Establish program goals and company objectives.
• Set the scope of the program clearly and thoughtfully.
• Set the reward range of the program.
• Implement internal processes and align expectations between departments.
• Launch the program.
• Receive bug reports from researchers.
• Screen bug reports for duplicate and valid vulnerabilities.
• Reward the researchers on the basis of their findings.
• Patch the vulnerability with the help of the development team.
The kinds of rewards and replies a company gives after receiving the bugs:
2.2 The process of reporting a bug from a researcher’s insight.
A researcher is the most crucial part of a ‘bug-bounty’ program. The researcher’s prime role consists of scanning and pen testing the applications within the guidelines provided by the company, making sure that in no case do they bypass those guidelines. The researcher should report the vulnerability to the concerned authority under the given guidelines with a proper ‘POC’ (proof of concept), so that the company or the client is able to reproduce the vulnerability with the help of the ‘POC’ and patch it. A researcher holds certain duties while participating in such a program as an external tester. The duties a researcher should follow are:
• He/she should perform attacks only within the scope of the client’s guidelines.
• The report submitted should be written in a formal manner.
• The ‘POC’ submitted should be able to reproduce the vulnerability.
• He/she should not disclose the bug publicly until the firm allows it.
• The researcher should not try to perform attacks such as ‘DDoS’ etc.
Researchers and companies fall into everlasting disputes on a point well known to anyone involved in these programs: the ‘Duplicate’ bug. This everlasting war is always contentious, as researchers argue about the legitimacy of the ‘Duplicate’ verdicts they are given. The main question is why, if the bug was already known, the company is only able to patch it the same or the next day after their report. Researchers even create memes about this.
A report or a ‘POC’ looks similar to this picture:
3. SCOPE OF BUGS-BOUNTY PROGRAMS IN INDIA.
3.0 Indian Firms:
Bug-Bounty is getting popular in India day by day, as an increasing number of researchers are getting the monetary benefit of the program. On the other hand, Indian firms are still not able to recognize this as an important aspect, but still the top tech startups in India such as:
• Paytm
• Ola
• Freecharge
• MobiKwik
etc. have launched their own bug bounty programs. There is still no platform available that Indian tech startups can fully trust, as platforms like HackerOne and Bugcrowd are all foreign-based companies and cannot be trusted fully; also, there are no awareness campaigns or initiatives in India to teach ‘SMEs’ the importance of cyber security, and thus small startups do not see a need to enrol in bug-bounty programs or launch their own initiatives. This leaves our country lacking security in cyber space and results in daily attacks. A picture depicting Paytm’s bug bounty program page:
3.1 In Govt. sector:
In the present scenario in India, not many of the govt. institutions have accepted or implemented the bug-bounty program, even though the govt. sites are highly vulnerable. However, ‘CERT’ has taken an initiative to make the system more reliable and to gain researchers’ trust by providing a vulnerability reporting platform on its official site, i.e. cert-in.org.in, where after reporting a vulnerability a researcher is given a letter of appreciation with official stamps and emblems. Earlier, researchers feared disclosing any vulnerability on a govt. site as they might be charged with a liability for doing so.
A screenshot showing CERT’s site for reporting the vulnerability:
3.1.1 Programs launched by the U.S.A. govt. to secure the govt. domain.
The govt. of the U.S.A. has always kept up to date with the tech world. Providing top-level tech and internet is not all that is essential; a secured database and system is what leaves them invulnerable. The American servers and sites are found to be very secure, and despite this hackers were able to bypass them and successfully leaked much confidential information on the dark net and public forums. It was a pain for the American govt. until they officially launched the bug-bounty program. Many govt. servers and sites were put at stake for this program. The Air Force joined this initiative, the Army also joined this program, and the most commendable of all was ‘Hack the Pentagon’, where the Pentagon was pen tested and patched with live testing and patching, and cash rewards were given to the young researchers. The program not only raised the security level, it also encouraged a feeling of belonging towards the govt., as the govt. trusted its citizens and gave them a platform to legally showcase their skills in saving their own country from future attacks.
3.1.2 About ‘HACK THE PENTAGON’.
The U.S. government’s Department of Defense (DoD) launched this program with one of its own country’s platforms, known as ‘HackerOne’. The program was a huge success, after which the DoD further released the ‘Hack the Army’ program on 20th Oct, 2016. The US Department of Defense’s Defense Digital Service (DDS) team pioneered the Hack the Pentagon bug bounty pilot program with strong support from Secretary of Defense Ash Carter. The pilot ran from April 18, 2016 until May 12, 2016 and exceeded all expectations. Hack the Pentagon was the first bug bounty program in the history of the federal government. The Department of Defense selected HackerOne as its partner to advise, operate, and execute Hack the Pentagon. On March 31, 2016, interested participants began registration to compete in the "Hack the Pentagon" pilot challenge. The pilot program was designed to identify and resolve security vulnerabilities within Defense Department public-facing websites through crowdsourced security.
Some amazing points about the program:
• The first vulnerability report was received within 13 minutes of launching the program.
• 200 reports were received within 6 hours of launch.
• 1410 researchers registered to participate in the program.
• A total of $75,000 was given to researchers as bounties.
It is pertinent to mention that the program gained a huge level of popularity and was a successful shot by the DoD of the U.S.A.; although there was huge risk involved in doing so, the government was able to execute it successfully with a few safety measures and policies.
3.1.3 What can the Indian Government do?
The decision to implement and execute such a program will be really hard for the govt. to take; without proper assistance and platforms to trust, the govt. will not be able to do so, as it would be like self-harm. However, the government can take guidance from the well-known cyber experts of our country to plan out such a program for the Indian govt. The govt. should focus on the cyber researchers budding in our country, who currently give their expertise to foreign firms because those firms recognize their talent and pay more. A few steps towards such an initiative will attract researchers to the program and will result in a well-protected cyber space in our country.
3.1.4 INDIAN RESEARCHERS
As we studied above, most of the time India has lagged in its approach to the bug-bounty program. The scenario is totally different for the researchers of India: they top the programs for bug bounties. Tech giants like Facebook have accepted the fact that Indian researchers top their payout lists on bug bounty programs: “So far in 2016, over 9,000 bug related incidents have been reported to Facebook. And a total of 149 researchers were paid the sum of $611,741, with India receiving the highest payout followed by USA and Mexico.” While the world, or the foreign countries, are appreciating and using our researchers’ talent, our own country is not able to recognize their real worth. Countries like the U.S.A. are paying Indian researchers great amounts to work with them; Uber took six names from India into its top-50 list of researchers. An Indian researcher named ‘Anand Prakash’ earned around Rs. 2.2 crore from such programs and has now got job offers from Google, Facebook and other tech giants, but he allegedly refused as he wanted to open his own startup.
FINDINGS:
• India has an adequate amount of talent but lacks platforms.
• Indian startups are not serious about or aware of cyber security issues.
• The Indian government is not proactive regarding cyber security.
• Bug-bounty programs should be introduced more often by Indian sites.
• There is a lack of awareness about such programs in India.
4. CONCLUSION
The research has concluded that the bug-bounty program is not only relevant but is the need of the hour in the current Indian scenario. As the number of startups in the Indian economy increases, they occupy more cyber space, thus leaving Indian cyber space more vulnerable to cyber attackers. The ‘Digital India’ campaign shifted the major workforce of government bodies online. These official sites need to be tested and supported by such programs.
There is an ample amount of talent in our country which needs a platform to showcase its skills, and the government and tech startups should step forward to provide them with adequate recognition and rewards. Even the most secure countries, like the U.S.A. and the Netherlands, have their own private programs for bug-bounty. Thus, we conclude that the program is relevant in itself and needs just some policy and frameworks to be laid down for the researchers. The research has marked the relevance of the program from the point of view of the three main factors of this program.
5. REFERENCES
• http://whatis.techtarget.com/definition/bug-bounty-program
• http://www.datacenterjournal.com/bugbounty-programs-hassle/
• https://www.veracode.com/blog/2016/08/when-bug-bounties-are-counter-productive
• https://www.htbridge.com/blog/are-bug-bounty-programs-really-working.html
• https://www.scmagazineuk.com/can-bug-bounties-replace-traditional-web-security/article/532232/
• http://www.huffingtonpost.in/2017/03/07/interview-this-indian-hacker-
• http://www.cert-in.org.in/
• http://www.huffingtonpost.in/2017/03/28/six-indian-hackers-ubers-top-50-bug-hunters-list-rewarded-almos_a_22014718/
• https://www.hackerone.com/resources/hack-the-pentagon
6. Certificate
Ā 
18-04-UA_REPORT_MEDIALITERAŠ”Y_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAŠ”Y_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAŠ”Y_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAŠ”Y_INDEX-DM_23-1-final-eng.pdfssuser54595a
Ā 
ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)Dr. Mazin Mohamed alkathiri
Ā 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
Ā 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
Ā 
Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...jaredbarbolino94
Ā 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxDr.Ibrahim Hassaan
Ā 

Recently uploaded (20)

Painted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaPainted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of India
Ā 
call girls in Kamla Market (DELHI) šŸ” >ą¼’9953330565šŸ” genuine Escort Service šŸ”āœ”ļøāœ”ļø
call girls in Kamla Market (DELHI) šŸ” >ą¼’9953330565šŸ” genuine Escort Service šŸ”āœ”ļøāœ”ļøcall girls in Kamla Market (DELHI) šŸ” >ą¼’9953330565šŸ” genuine Escort Service šŸ”āœ”ļøāœ”ļø
call girls in Kamla Market (DELHI) šŸ” >ą¼’9953330565šŸ” genuine Escort Service šŸ”āœ”ļøāœ”ļø
Ā 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
Ā 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
Ā 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for Beginners
Ā 
Model Call Girl in Bikash Puri Delhi reach out to us at šŸ”9953056974šŸ”
Model Call Girl in Bikash Puri  Delhi reach out to us at šŸ”9953056974šŸ”Model Call Girl in Bikash Puri  Delhi reach out to us at šŸ”9953056974šŸ”
Model Call Girl in Bikash Puri Delhi reach out to us at šŸ”9953056974šŸ”
Ā 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
Ā 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Ā 
Model Call Girl in Tilak Nagar Delhi reach out to us at šŸ”9953056974šŸ”
Model Call Girl in Tilak Nagar Delhi reach out to us at šŸ”9953056974šŸ”Model Call Girl in Tilak Nagar Delhi reach out to us at šŸ”9953056974šŸ”
Model Call Girl in Tilak Nagar Delhi reach out to us at šŸ”9953056974šŸ”
Ā 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini  Delhi NCR9953330565 Low Rate Call Girls In Rohini  Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
Ā 
AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.
Ā 
Meghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentMeghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media Component
Ā 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
Ā 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
Ā 
18-04-UA_REPORT_MEDIALITERAŠ”Y_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAŠ”Y_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAŠ”Y_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAŠ”Y_INDEX-DM_23-1-final-eng.pdf
Ā 
ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)
Ā 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
Ā 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
Ā 
Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...
Ā 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptx
Ā 

Bugs Bounty Research Report

Table of Contents

• About the Guide (p. 3)
• ABSTRACT (p. 1)
• 1. INTRODUCTION (p. 1)
• 1.1 What is Bugs-Bounty? (p. 2)
• 2. HOW DOES A 'BUGS-BOUNTY' PROGRAM WORK? (p. 3)
• 2.1 The process of launching and implementing a bugs-bounty program (p. 3)
• 2.2 The process of reporting a bug from a researcher's insight (p. 4)
• A report or a 'POC' looks similar to this picture (p. 5)
• 3. SCOPE OF BUGS-BOUNTY PROGRAMS IN INDIA (p. 5)
• 3.0 Indian Firms (p. 5)
• 3.1 In Govt. sector (p. 6)
• 3.1.1 Programs launched by the U.S.A govt. to secure the govt. domain (p. 7)
• 3.1.2 About 'HACK THE PENTAGON' (p. 7)
• 3.1.3 What can the Indian Government do? (p. 8)
• 3.1.4 INDIAN RESEARCHERS (p. 8)
• FINDINGS (p. 8)
• 4. CONCLUSION (p. 9)
• 5. REFERENCES
ABSTRACT

The Vulnerability Reward Program (VRP), commonly known as 'Bugs-Bounty', is a relatively new kind of platform introduced to the InfoSec and tech-startup communities. Bugs-Bounty (VRP) is popular in the tech world because of its unique working process: it provides an open platform on which researchers and companies explore vulnerabilities and take responsibility towards each other, the researchers by disclosing what they find and the companies by providing rewards and recognition. The platform has been widely used by tech giants and top researchers. The present research report examines the concept of "Bugs-Bounty" in the Indian scenario. It gives a basic introduction to the concept, followed by a formal description of 'Bug-Bounty', and then explains the application of 'Bugs-Bounty' in the context of Indian startups and researchers. The report then explains the working process of the program and its crucial points, such as the 'POC' (proof of concept) and duplicate findings, and concludes whether the Bugs-Bounty program is relevant in the Indian scenario or not.

KEYWORDS: VRP, BUGS-BOUNTY, POC.

1. INTRODUCTION

The growth of tech startups has increased the use of web applications. Earlier, only a few people were able to understand the technicalities of web apps, but that scenario has changed completely today. The mass reach of the internet has made it easy for today's tech-savvy generation to understand the code and technicalities of these apps, and this has resulted in more exploitation of web apps. As the need for and functionality of the apps grew over time, so did the exploitation. Bugs were not reported but were exploited and sold on the dark net. Companies never provided rewards and recognition to the researchers.
Then the term 'Bugs-Bounty' was introduced and a few platforms came to the rescue, one of the oldest among them being 'HackerOne', a California-based startup. The idea was a platform on which companies enroll in the program by signing a basic agreement, and researchers follow a few rules and policies described by the company. The program boomed in the industry as tech giants such as Google and Facebook were among its initial enrollers. However, companies also feared outbreaks such as 'black hats' attacking them from within the crowd and noise, and stealing their sensitive data in the name of Bugs-Bounty. Thus, companies like Apple enrolled very late in these kinds of programs. But it is clear that the need for such a platform arose from the boom of the internet. These platforms rank the reputation of researchers based on their findings and give them frequent rewards, and thus the program was also able to gain popularity within conferences such as 'Black Hat' and 'Defcon'. The community supported it well, but slowly the view is changing because of the manipulation or monopoly practised by the companies.

1.1 What is Bugs-Bounty?

A bug bounty program, also called a vulnerability rewards program (VRP), is a crowdsourcing initiative that rewards individuals for discovering and reporting software bugs. Bug bounty programs are often initiated to supplement internal code audits and penetration tests as part of an organization's vulnerability management strategy. The original "Bugs Bounty" program was the creation of Jarrett Ridlinghafer while working at Netscape Communications Corporation as a technical support engineer. Netscape encouraged its employees to push themselves and do whatever it takes to get the job done and, in late 1995, Jarrett Ridlinghafer was inspired with the idea for, and coined the phrase, 'Bugs Bounty'. The term 'Bugs-Bounty' is in itself attractive as a slogan. The logo mainly used in these programs is identical to the image shown below:

[image: bug-bounty logo]

Many software vendors and websites run bug bounty programs, paying out cash rewards to software security researchers and white-hat hackers who report software vulnerabilities that have the potential to be exploited. The tech leaders in this business model are as follows:

• Hackerone.com
• Bugcrowd.com
• Cobalt.io
• Synack.com
• Bountyfactory.com
• Zerocopter.com

Not all of these platforms are identical in their models, but the ideology behind each of them is the same: vulnerability reporting and patching.
2. HOW DOES A 'BUGS-BOUNTY' PROGRAM WORK?

2.1 The process of launching and implementing a bugs-bounty program.

A bug-bounty program needs a lot of work to be done inside an organization. The organization needs a strategic plan to execute a successful bug-bounty program. The company needs to thoroughly study, implement and execute the following steps for a successful program:

• Establish program goals and company objectives.
• Set the scope of your program clearly and thoughtfully.
• Set the reward range of your program.
• Implement internal processes and align expectations between departments.
• Launch the program.
• Receive bugs from researchers.
• Scan bug reports for duplicate vulnerabilities and valid vulnerabilities.
• Reward the researchers on the basis of their findings.
• Patch the vulnerability with the help of the development team.

Kinds of rewards and replies a company gives after receiving the bugs:

[image: sample reward and reply messages sent by a company]
2.2 The process of reporting a bug from a researcher's insight.

A researcher is the most crucial part of a 'bug-bounty' program. The researcher's prime role consists of scanning and pen-testing the applications within the guidelines provided by the company, and making sure that in no case do they bypass those guidelines. The researcher should report the vulnerability to the concerned authority under the given guidelines with a proper 'POC' (proof of concept), so that the company or the client is able to reproduce the vulnerability with the help of the 'POC' and patch it. A researcher holds certain duties while participating in such a program as an external tester. The duties a researcher should follow are:

• He/she should perform attacks only within the scope of the client's guidelines.
• The report submitted should be in a formal manner.
• The 'POC' submitted should be able to reproduce the vulnerability.
• He/she should not disclose the bug publicly until the firm allows them to do so.
• The researcher should not try to perform attacks such as 'DDoS' etc.

Researchers and companies fall into everlasting disputes over a point well known to anyone involved in such programs: the 'Duplicate' bug. This everlasting war is always contentious, as researchers argue about the legitimacy of the 'Duplicate' verdicts they are given. The main question is why, only after their report, the company is able to patch the bug the same or the next day. Researchers even create memes about it, for instance.
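As an added illustration (not code from this report or from any bounty platform), the following Python routine walks through the triage steps of 2.1 and the 'Duplicate' verdict disputed in 2.2: each report is checked against the program scope and the excluded test types, must carry a POC, and is fingerprinted so that the earliest reporter of a bug is paid while later reports are marked as duplicates of that first report. The policy values, hostnames and sample reports are constructed for the example.

```python
"""Toy bug-bounty triage: scope check, POC check, duplicate detection, reward tiers.
Added illustration only, not code from the report or any bounty platform; policy
values, hostnames and sample reports are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class ProgramPolicy:
    in_scope_hosts: FrozenSet[str]  # assets researchers may test (step: set the scope)
    excluded_tests: FrozenSet[str]  # test types the rules forbid, e.g. DoS
    rewards: Dict[str, int]         # severity -> bounty (step: set the reward range)

@dataclass(frozen=True)
class Report:
    report_id: str
    researcher: str
    host: str
    weakness: str      # weakness class, e.g. "xss", "idor"
    location: str      # endpoint or parameter where it reproduces
    severity: str      # "low" | "medium" | "high" | "critical"
    test_type: str     # how it was found, checked against excluded_tests
    has_poc: bool      # reproducible steps supplied?
    submitted: datetime

@dataclass(frozen=True)
class Decision:
    report_id: str
    status: str        # "rewarded" | "duplicate" | "out_of_scope" | "needs_info"
    bounty: int = 0
    duplicate_of: Optional[str] = None

def fingerprint(r: Report) -> Tuple[str, str, str]:
    """Same asset + weakness class + location means the same bug, whatever the wording."""
    return (r.host.lower(), r.weakness.lower(), r.location.lower())

def triage(policy: ProgramPolicy, reports: List[Report]) -> List[Decision]:
    """One decision per report; only the earliest valid report of a bug is paid."""
    decisions: List[Decision] = []
    first_seen: Dict[Tuple[str, str, str], str] = {}  # fingerprint -> first report id
    # Walk reports in submission order, not ticket-opening order, so "first
    # reporter wins" does not depend on when the triage team looked at them.
    for r in sorted(reports, key=lambda x: x.submitted):
        if r.host.lower() not in policy.in_scope_hosts or r.test_type in policy.excluded_tests:
            decisions.append(Decision(r.report_id, "out_of_scope"))
        elif not r.has_poc:
            # Not reproducible, so it does not claim the bug; a later complete
            # report on the same bug can still be rewarded.
            decisions.append(Decision(r.report_id, "needs_info"))
        elif fingerprint(r) in first_seen:
            decisions.append(Decision(r.report_id, "duplicate",
                                      duplicate_of=first_seen[fingerprint(r)]))
        else:
            first_seen[fingerprint(r)] = r.report_id
            decisions.append(Decision(r.report_id, "rewarded",
                                      bounty=policy.rewards[r.severity]))
    return decisions

# Constructed policy for a hypothetical program, not any real company's terms.
POLICY = ProgramPolicy(
    in_scope_hosts=frozenset({"app.example.com", "api.example.com"}),
    excluded_tests=frozenset({"dos", "ddos", "social_engineering"}),
    rewards={"low": 100, "medium": 500, "high": 2000, "critical": 5000},
)

def sample_reports() -> List[Report]:
    """Constructed inbox; R-2 was opened first but submitted after R-1."""
    t = datetime(2017, 6, 1, 9, 0)
    return [
        Report("R-2", "bob", "app.example.com", "XSS", "/search?q", "medium", "manual", True, t.replace(hour=11)),
        Report("R-1", "alice", "app.example.com", "xss", "/search?q", "medium", "manual", True, t),
        Report("R-3", "carol", "blog.example.com", "sqli", "/post?id", "high", "manual", True, t.replace(hour=10)),
        Report("R-4", "dave", "api.example.com", "idor", "/v1/users/{id}", "high", "manual", False, t.replace(hour=12)),
        Report("R-5", "erin", "api.example.com", "rate_limit", "/v1/login", "low", "dos", True, t.replace(hour=13)),
        Report("R-6", "frank", "api.example.com", "idor", "/v1/users/{id}", "high", "manual", True, t.replace(hour=14)),
    ]

def summarize(decisions: List[Decision]) -> Dict[str, Tuple[str, int, Optional[str]]]:
    """report id -> (status, bounty, duplicate_of): the reply each researcher receives."""
    return {d.report_id: (d.status, d.bounty, d.duplicate_of) for d in decisions}
```

Running `summarize(triage(POLICY, sample_reports()))` pays R-1 and R-6, marks R-2 a duplicate of R-1 even though its ticket was opened first, and rejects R-3 (host out of scope) and R-5 (DoS testing forbidden by the rules).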
A report or a 'POC' looks similar to this picture:

[image: sample bug report / POC]

3. SCOPE OF BUGS-BOUNTY PROGRAMS IN INDIA.

3.0 Indian Firms:

Bug-Bounty is getting popular in India day by day, as an increasing number of researchers are getting the monetary benefit of the program. On the other hand, Indian firms are still not able to recognize this as an important aspect, but still the top tech startups in India, such as:

• Paytm
• Ola
• Freecharge
• Mobivik
• etc.

have launched their own bug bounty programs. There is still no platform available that Indian tech startups can fully trust, as platforms like HackerOne and Bugcrowd are all foreign-based companies and cannot be trusted fully. Also, no awareness campaigns or initiatives have been taken in India to teach 'SMEs' the importance of cyber security, and thus the small startups do not think they need to enroll in bug-bounty programs or launch their own initiatives. This leaves our country lacking in cyberspace security and results in daily attacks.

A picture depicting Paytm's bug bounty program page:

[image: Paytm bug bounty program page]
3.1 In Govt. sector:

In the present scenario in India, not many govt. institutions have accepted or implemented a bug-bounty program, even though the govt. sites are highly vulnerable. However, 'CERT' has taken an initiative to make the system more reliable and to gain researchers' trust by providing a vulnerability reporting platform on its official site, i.e. cert-in.org.in, where after reporting a vulnerability a researcher is given a letter of appreciation with official stamps and emblems. Earlier, researchers feared disclosing any vulnerabilities on govt. sites as they might be charged with liability for doing so.

A screenshot showing CERT's site for reporting a vulnerability:

[image: CERT-In vulnerability reporting page]
3.1.1 Programs launched by the U.S.A govt. to secure the govt. domain.

The govt. of the U.S.A has always kept up to date with the tech world. Providing top-level tech and internet is not all that is essential; a secured database and system is what leaves them invulnerable. American servers and sites are found to be very secure, and despite this, hackers were able to bypass them and successfully leaked much confidential information on the dark net and public forums. It was a pain for the American govt. until they launched the bug-bounty program officially. Many govt. servers and sites were put at stake for this program. The Air Force joined this initiative, the Army also joined this program, and the most commendable of all of them was 'Hack the Pentagon', where the Pentagon was pen-tested and patched with live testing and patching, and cash rewards were given to the young researchers. The program not only raised the security level, it also encouraged a feeling of belonging towards the govt., as the govt. trusted its citizens and gave them a platform to legally showcase their skills for saving their own country from future attacks.

3.1.2 About 'HACK THE PENTAGON'.

The U.S. government's Department of Defense (DoD) launched this program with one of its own country's platforms, known as 'HackerOne'. The program was a huge success, after which the DoD further released the 'Hack the Army' program on 20th Oct, 2016. The US Department of Defense's Defense Digital Service (DDS) team pioneered the Hack the Pentagon bug bounty pilot program with strong support from Secretary of Defense Ash Carter. The pilot ran from April 18, 2016 until May 12, 2016 and exceeded all expectations. Hack the Pentagon was the first bug bounty program in the history of the federal government. The Department of Defense selected HackerOne as its partner to advise, operate, and execute Hack the Pentagon.

On March 31, 2016, interested participants began registration to compete in the "Hack the Pentagon" pilot challenge. The pilot program was designed to identify and resolve security vulnerabilities within Defense Department public-facing websites through crowdsourced security.
Some amazing points about the program:

• The first vulnerability report was received within 13 minutes of launching the program.
• 200 reports were received within 6 hours of launch.
• 1410 researchers registered themselves to participate in the program.
• A total of $75,000 was given to researchers as bounties.

It is pertinent to mention that the program gained a huge level of popularity and was a successful shot by the DoD of the U.S.A; although there was huge risk involved in doing so, the government was able to execute it successfully with a few safety measures and policies.

3.1.3 What can the Indian Government do?

The decision to implement and execute such a program will be really hard for the govt. to take; without proper assistance and platforms to trust, the govt. will not be able to do so, as it would be like self-harm. However, the government can take guidance from the well-known cyber experts of our country to plan out such a program for the Indian govt. The govt. should focus on the cyber researchers budding in our country, who are giving their expertise to foreign firms because those firms recognize their talent and pay more. A few steps towards such an initiative will attract researchers towards the program and will result in a well-protected cyberspace in our country.

3.1.4 INDIAN RESEARCHERS

As we studied above, most of the time India has lagged in its approach to the bug-bounty program. The scenario is totally different for the researchers of India; they top the programs for bug bounties. Tech giants like Facebook have accepted the fact that Indian researchers top their payout lists on bug bounty programs: "So far in 2016, over 9,000 bug related incidents have been reported to Facebook. And a total of 149 researchers were paid the sum of $611,741, with India receiving the highest payout followed by USA and Mexico." While the world, or foreign countries, are appreciating and using our researchers' talent, our own country is not able to recognize their real worth. Countries like the U.S.A are paying Indian researchers great amounts to work with them; Uber took six names from India into its top 50 list of researchers. An Indian researcher named 'Anand Prakash' earned around Rs. 2.2 crores from such programs and has now got job offers from Google, Facebook and other tech giants, but he allegedly refused them as he wanted to open his own startup.

FINDINGS:

• India has an adequate amount of talent but lacks platforms.
• Indian startups are not serious and aware about the cyber security issue.
• The Indian government is not proactive regarding cyber security.
• Bug-bounty programs should be introduced more often by Indian sites.
• There is a lack of awareness about such programs in India.
4. CONCLUSION

The research has concluded that the bug-bounty program is not only relevant but is the need of the hour in the current Indian scenario. As the number of startups in the Indian economy increases, they acquire more cyberspace, thus leaving Indian cyberspace more vulnerable to cyber attackers. The 'Digital India' campaign shifted the major workforce of government bodies online. These official sites need to be tested and supported by such programs. There is an ample amount of talent in our country which needs a platform to showcase its skills, and the government and tech startups should step forward to provide them with adequate recognition and rewards. Even the most secure countries, like the U.S.A and the Netherlands, have their private programs for bug bounty. Thus, we conclude that the program is relevant in itself and needs only some policies and frameworks to be laid down for the researchers. The research marked the relevance of the program from the point of view of the three main factors of this program.

5. REFERENCES

• http://whatis.techtarget.com/definition/bug-bounty-program
• http://www.datacenterjournal.com/bugbounty-programs-hassle/
• https://www.veracode.com/blog/2016/08/when-bug-bounties-are-counter-productive
• https://www.htbridge.com/blog/are-bug-bounty-programs-really-working.html
• https://www.scmagazineuk.com/can-bug-bounties-replace-traditional-web-security/article/532232/
• http://www.huffingtonpost.in/2017/03/07/interview-this-indian-hacker-
• http://www.cert-in.org.in/
• http://www.huffingtonpost.in/2017/03/28/six-indian-hackers-ubers-top-50-bug-hunters-list-rewarded-almos_a_22014718/
• https://www.hackerone.com/resources/hack-the-pentagon