bugcrowd, profile picture
Uploaded bybugcrowd
PPTX, PDF1,220 views

HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs

The document discusses critical vulnerabilities and bug bounty programs led by Kymberlee Price from Bugcrowd, emphasizing the significance of such programs in enhancing application security. It highlights the growth in submissions and payouts from bug researchers, along with the identification of high-priority vulnerabilities in various organizations worldwide. The presentation also outlines best practices for managing bug bounty programs, including documentation, engagement, and rewarding researchers effectively.

Embed presentation

Downloaded 28 times
HI THIS IS URGENT PLZ FIX ASAP: Critical Vulnerabilities and Bug Bounty Programs Kymberlee Price Senior Director of Researcher Operations Bugcrowd @Kym_Possible
• Senior Director of a Red Team • PSIRT Case Manager • Data Analyst • Internet Crime Investigator • Behavioral Psychologist @kym_possible whoami?
• Intro • Red • Blue • tl;dr • Questions Agenda
• Determining if a bug bounty program is appropriate for your company • Selling you a bug bounty program • Recruiting you to be a bounty hunter What this talk isn’t
C:intro
VRP 2014 https://sites.google.com/site/bughunteruniversity/behind-the-scenes/charts
VRP 2014 https://sites.google.com/site/bughunteruniversity/behind-the-scenes/charts
VRP 2014 https://sites.google.com/site/bughunteruniversity/behind-the-scenes/charts PayoutsBugs found per active researcher
VRP 2014 https://sites.google.com/site/bughunteruniversity/behind-the-scenes/charts
2014 Submissions: • 17,011 submissions – 16% increase YoY • 61 high severity bugs – 49% increase YoY • Minimum reward: $500 Geography: • 65 countries received rewards – 12% increase YoY • 123 countries reporting bugs https://www.facebook.com/notes/facebook-bug-bounty/2014-highlights-bounties-get-better-than- ever/1026610350686524
2014 Payouts: • $1.3 million to 321 researchers • Average reward: $1,788. Top 5 Countries: • India – 196 valid bugs • Egypt – 81 valid bugs • USA – 61 valid bugs • UK – 28 valid bugs • Philippines – 27 valid bugs $1,343 $1,220 $2,470 $2,768 $1,093 $263,228 $98,820 $150,670 $77,504 $29,511 $619,733 The top 5 researchers earned a total of $256,750
2014 • 73 vulnerabilities identified and fixed • 1,920 submissions • 33 researchers earned $50,100 for 57 bugs • Minimum reward: $200 • Doubled maximum bounty payout to celebrate https://github.com/blog/1951-github-security-bug-bounty-program-turns-one
2014 https://github.com/blog/1951-github-security-bug-bounty-program-turns-one
Online Services: O365 and Azure • 46 rewarded submissions since launch in late Sept 2014 • Reward amounts to each researcher not published • Program offers minimum $500 up to $15,000 Mitigation Bypass • Up to $100,000 for novel exploitation techniques against protections built into the OS Bounty for Defense • Up to $100,000 for defensive ideas accompanying a qualifying Mitigation Bypass submission https://technet.microsoft.com/en-us/security/dn469163.aspx
Software Bounties Online Services
Middle East 8% Europe 25% Latin America 3% North America 8% Asia (excluding India) 15% India 41% RESEARCHERS – ONLINE SERVICES Oceania 3% Europe 21% Africa 5% Asia (excluding India) 29% India 8% North America 31% Latin America 3% RESEARCHERS - SOFTWARE
https://technet.microsoft.com/en-us/security/dn469163.aspx
• 166 Customer programs • 37,227 submissions – 7,958 non-duplicate, valid vulnerabilities – Rewarded 3,621 submissions • $724,839 paid out – Average reward $200.81, top reward of $10,000 2013-present http://bgcd.co/bcsbb2015
Big Bugs: • 4.39 high- or critical-priority vulnerabilities per program • Total: 729 high-priority vulnerabilities – 175 rated “critical” by trained application security engineers 2013-present http://bgcd.co/bcsbb2015
• P1 – CRITICAL Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allows remote code execution, financial theft, etc. Examples: Vertical Authentication bypass, SSRF, XXE, SQL Injection, User authentication bypass • P2 – SEVERE Vulnerabilities that affect the security of the platform including the processes it supports. Examples: Lateral authentication bypass, Stored XSS, some CSRF depending on impact P1 and P2 Defined https://blog.bugcrowd.com/vulnerability-prioritization-at-bugcrowd/
• Professional Pen Testers and consultants • Former developers, QA engineers, and IT Admins that have shifted focus into application security • University students that have self taught security skills • Bugcrowd has over 18,000 researchers signed up in 147 countries worldwide Who finds these bugs? http://bgcd.co/bcsbb2015
C:red
• XXE in production exploited using Google Toolbar button gallery • Reported in April 2014 • Fredrik Almroth and Mathias Karlsson • Google responded to the report within 20 minutes
• XXE in production exploited using Google Toolbar button gallery • Reported in April 2014 • Fredrik Almroth and Mathias Karlsson • Google responded to the report within 20 minutes
• Reginaldo Silva reported an XML external entity vulnerability within a PHP page that would have allowed a hacker to change Facebook's use of Gmail as an OpenID provider to a hacker-controlled URL, before servicing requests with malicious XML code. • http://www.ubercomp.com/posts/2014-01- 16_facebook_remote_code_execution
• Laxman Muthiyah identified a way for a malicious user to delete any photo album owned by a user, page, or group on Facebook. He found this vulnerability when he tried to delete one of his own photo albums using the graph explorer access token. • http://www.7xter.com/2015/02/how-i-hacked-your-facebook- photos.html
• Cross-domain Information Disclosure
• Clifford’s first private bounty invitation • Launched at midnight in PH • Found an IDOR  elevation of privilege
• Bug in “import user” feature • no check whether the user who is requesting the import has the the right privilege
https://www.cliffordtrigo.info/hijacking-smartsheet-accounts/
• IDOR  elevation of privilege 1) login to https://service.teslamotors.com/ 2) navigate to https://service.teslamotors.com/admin/bulletins 3) now you are admin, you can delete, modify and publish documents
http://nbsriharsha.blogspot.in/2015/07/a-style-of-bypassing-authentication.html
C:blue
• Submission framework & expectations • Eloquence of written communication • Clear in and out of scope documentation Rapid triage & prioritization (get to the P1’s faster)
• Guidance and training – Google: Bughunter University – Facebook: Bounty Hunter’s Guide – Bugcrowd: Bugcrowd Forum • Clear in and out of scope documentation • Direct Performance Feedback How to reduce noise
• Guidance and training – Google: Bughunter University – Facebook: Bounty Hunter’s Guide – Bugcrowd: Bugcrowd Forum • Clear in and out of scope documentation • Direct Performance Feedback How to reduce noise
• Clear the queue daily • Communicate your priorities • Dealing with Duplicates Rapid triage & prioritization
• Defined vulnerability taxonomy Rapid triage & prioritization
Is it worth the hassle? “In Mortal Combat terms, it is a ‘Fatality’” “If we get nothing else from the bounty, this vuln was worth the whole program alone. Due to the critical nature of the issue, we immediately patched the Prod servers this evening to close this exploit. We are also reviewing all logs since we don't delete them yet to identify any instance where this ever happened in the past.”
• Publish and stick to your program SLA • Stop rewarding bad behavior • Don’t create bad behavior – Reward consistently – Reward fairly – Fix quickly – Again with the documentation How to reduce noise
C:tl;dr
• Bug bounties successfully generate high severity vulnerability disclosures, delivering real value that improves application security for companies of all sizes. • Crowdsourcing engages skilled researchers around the world that you may not have heard of. conclusions
• Write strong scope documentation • Clear submission expectations • Provide feedback • Stay consistently engaged • Reward good behavior call to action
HI THIS IS URGENT PLZ FIX ASAP: Critical Vulnerabilities and Bug Bounty Programs Kymberlee Price Senior Director of Researcher Operations Bugcrowd @Kym_Possible

More Related Content

PPTX
7 Bug Bounty Myths, BUSTED
bybugcrowd
 
PDF
[Webinar] The Art & Value of Bug Bounty Programs
bybugcrowd
 
PDF
Revitalizing Product Securtiy at Zephyr Health
bybugcrowd
 
PPTX
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
bybugcrowd
 
PDF
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
bybugcrowd
 
PDF
4 Reasons to Crowdsource Your Pen Test
bybugcrowd
 
PPTX
Build or Buy: The Barracuda Bug Bounty Story [Webinar]
bybugcrowd
 
PDF
Mobile Application Security Threats through the Eyes of the Attacker
bybugcrowd
 
7 Bug Bounty Myths, BUSTED
bybugcrowd
 
[Webinar] The Art & Value of Bug Bounty Programs
bybugcrowd
 
Revitalizing Product Securtiy at Zephyr Health
bybugcrowd
 
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
bybugcrowd
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
bybugcrowd
 
4 Reasons to Crowdsource Your Pen Test
bybugcrowd
 
Build or Buy: The Barracuda Bug Bounty Story [Webinar]
bybugcrowd
 
Mobile Application Security Threats through the Eyes of the Attacker
bybugcrowd
 

What's hot

PDF
How GitLab and HackerOne help organizations innovate faster without compromis...
byHackerOne
 
PPTX
The Journey to DevSecOps
bySeniorStoryteller
 
PDF
5 Tips to Successfully Running a Bug Bounty Program
bybugcrowd
 
PDF
Feeding the Virtual Patch Pipeline
byDevOps.com
 
PPTX
Amy DeMartine - 7 Habits of Rugged DevOps
bySeniorStoryteller
 
PPTX
The R.O.A.D to DevOps
bySeniorStoryteller
 
PDF
Key Takeaways from Instructure's Successful Bug Bounty Program
bybugcrowd
 
PDF
PCI and Vulnerability Assessments - What’s Missing?
byBlack Duck by Synopsys
 
PDF
Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...
byJerika Phelps
 
PDF
Getting to Know Security and Devs: Keys to Successful DevSecOps
byFranklin Mosley
 
PPTX
Elizabeth Lawler - Devops, security, and compliance working in unison
byDevSecCon
 
PDF
Failure Of Antivirus
byamarnath
 
PPTX
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
bybeltface
 
PDF
CI/CD pipeline security from start to finish with WhiteSource & CircleCI
byWhiteSource
 
PPTX
451 and Cylance - The Roadmap To Better Endpoint Security
byAdrian Sanabria
 
PDF
Why does security matter for devops by Caroline Wong
byDevSecCon
 
PDF
Building Security Controls around Attack Models
bySeniorStoryteller
 
PDF
Silver Lining for Miles: DevOps for Building Security Solutions
bySeniorStoryteller
 
PDF
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
bySecureSoftwareDevOn SecureSoftwareDevOn
 
PDF
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
byDevSecCon
 
How GitLab and HackerOne help organizations innovate faster without compromis...
byHackerOne
 
The Journey to DevSecOps
bySeniorStoryteller
 
5 Tips to Successfully Running a Bug Bounty Program
bybugcrowd
 
Feeding the Virtual Patch Pipeline
byDevOps.com
 
Amy DeMartine - 7 Habits of Rugged DevOps
bySeniorStoryteller
 
The R.O.A.D to DevOps
bySeniorStoryteller
 
Key Takeaways from Instructure's Successful Bug Bounty Program
bybugcrowd
 
PCI and Vulnerability Assessments - What’s Missing?
byBlack Duck by Synopsys
 
Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...
byJerika Phelps
 
Getting to Know Security and Devs: Keys to Successful DevSecOps
byFranklin Mosley
 
Elizabeth Lawler - Devops, security, and compliance working in unison
byDevSecCon
 
Failure Of Antivirus
byamarnath
 
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
bybeltface
 
CI/CD pipeline security from start to finish with WhiteSource & CircleCI
byWhiteSource
 
451 and Cylance - The Roadmap To Better Endpoint Security
byAdrian Sanabria
 
Why does security matter for devops by Caroline Wong
byDevSecCon
 
Building Security Controls around Attack Models
bySeniorStoryteller
 
Silver Lining for Miles: DevOps for Building Security Solutions
bySeniorStoryteller
 
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
bySecureSoftwareDevOn SecureSoftwareDevOn
 
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
byDevSecCon
 

Similar to HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs

PDF
Owasp LA
byleifdreizler
 
PDF
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
byMazin Ahmed
 
PDF
Yet another talk on bug bounty
byvinoth kumar
 
PPTX
Bug Bounty #Defconlucknow2016
byShubham Gupta
 
PDF
Bug Bounty Career.pdf
byVishal318796
 
PPTX
Basics of getting Into Bug Bounty Hunting
byMuhammad Khizer Javed
 
PPTX
Bug Bounty - Play For Money
byShubham Gupta
 
PDF
Bug Bounty Tipping Point: Strength in Numbers
bybugcrowd
 
PPTX
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter
byAvi Sharma
 
PDF
Bug Bounty Guide Tools and Resource.pdf
byhacktube5
 
PDF
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
byAbhinav Mishra
 
PPTX
Getting_Started_with_Bug_Bounty program.
byglcrushgaming
 
PPTX
Bug bounties - cén scéal?
byCiaran McNally
 
PPTX
Web Application Security And Getting Into Bug Bounties
bykunwaratul hax0r
 
PPTX
Crypto Night at CSUS - Bug Bounties
byBehrouz Sadeghipour
 
PPTX
Nbt con december-2014-slides
byBehrouz Sadeghipour
 
PPTX
Nbt con december-2014-slides
byBehrouz Sadeghipour
 
PDF
BSides LA/PDX
byleifdreizler
 
PDF
Webinar kym-casey-bug bounty tipping point webcast - po edits
byCasey Ellis
 
PPTX
A bug hunter’s guide to bounty universe
byZenodermus Javanicus
 
Owasp LA
byleifdreizler
 
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
byMazin Ahmed
 
Yet another talk on bug bounty
byvinoth kumar
 
Bug Bounty #Defconlucknow2016
byShubham Gupta
 
Bug Bounty Career.pdf
byVishal318796
 
Basics of getting Into Bug Bounty Hunting
byMuhammad Khizer Javed
 
Bug Bounty - Play For Money
byShubham Gupta
 
Bug Bounty Tipping Point: Strength in Numbers
bybugcrowd
 
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter
byAvi Sharma
 
Bug Bounty Guide Tools and Resource.pdf
byhacktube5
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
byAbhinav Mishra
 
Getting_Started_with_Bug_Bounty program.
byglcrushgaming
 
Bug bounties - cén scéal?
byCiaran McNally
 
Web Application Security And Getting Into Bug Bounties
bykunwaratul hax0r
 
Crypto Night at CSUS - Bug Bounties
byBehrouz Sadeghipour
 
Nbt con december-2014-slides
byBehrouz Sadeghipour
 
Nbt con december-2014-slides
byBehrouz Sadeghipour
 
BSides LA/PDX
byleifdreizler
 
Webinar kym-casey-bug bounty tipping point webcast - po edits
byCasey Ellis
 
A bug hunter’s guide to bounty universe
byZenodermus Javanicus
 

More from bugcrowd

PDF
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
PDF
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
bybugcrowd
 
PDF
Writing vuln reports that maximize payouts - Nullcon 2016
bybugcrowd
 
PDF
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bybugcrowd
 
PDF
Ekoparty 2017 - The Bug Hunter's Methodology
bybugcrowd
 
PPTX
AppSecUSA 2016: 'Your License for Bug Hunting Season'
bybugcrowd
 
PDF
How to run a kick ass bug bounty program - Node Summit 2013
bybugcrowd
 
PDF
If You Can't Beat 'Em, Join 'Em (AppSecUSA)
bybugcrowd
 
PDF
If You Can't Beat 'Em, Join 'Em
bybugcrowd
 
PPTX
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
bybugcrowd
 
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
bybugcrowd
 
Writing vuln reports that maximize payouts - Nullcon 2016
bybugcrowd
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bybugcrowd
 
Ekoparty 2017 - The Bug Hunter's Methodology
bybugcrowd
 
AppSecUSA 2016: 'Your License for Bug Hunting Season'
bybugcrowd
 
How to run a kick ass bug bounty program - Node Summit 2013
bybugcrowd
 
If You Can't Beat 'Em, Join 'Em (AppSecUSA)
bybugcrowd
 
If You Can't Beat 'Em, Join 'Em
bybugcrowd
 
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
bybugcrowd
 

Recently uploaded

PPTX
CaseStudy-CloudMigration -For USE CASE -Customer Success Info -6-Aug-25.pptx
bywinlentech
 
PDF
WShell Gameplay and Games of Games of Games
byzramirezmtz9
 
PDF
ARTIFICIAL INTELLIGENCE DEVELOPMENT SERVICE
bydavidjohansen1597
 
PDF
WShell Gameplay and Games of Games of Games
byzramirezmtz9
 
PPTX
Bibhav Singh.pptx it's very useful for us it's in very good and very nice
byabhishekjaiswal5th33
 
PPT
html-forms in web development-courseICT.
bymadz33
 
PPT
Lecture_3 Network Securityeyeyggegeg.ppt
bysawsan202
 
PPT
Lecture_3 Network Securityyyeyeyyeeyyeywy.ppt
bysawsan202
 
PDF
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
PDF
Here are the winners of KALIDASA SAMMAN.
byglcppro
 
PDF
Top 5 Snapchat Tracker Apps for Safe and Responsible Monitoring
byMichael Carter
 
PPTX
mc l2 Overview of Computer and Web-Technology.pptx
byavanikharde
 
DOCX
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 
PDF
tokiohotellistening.pdf for tokiohotelfans
byrafaelgombos1234
 
PDF
classification of elements and periodicity.pdf
byaryanshreya2010
 
PPTX
Introduction Digital Signal Processing.pptx
byumairmuhammad0409
 
PPTX
Computer Networks 01[1 using all terms].pptx
bywaqasahmedbhatti633
 
PPTX
Types of Cryptograph Symmetric Ceaser cipher and also about Assymetric
byhamzaabdulqadeer11
 
PPTX
SriLank SLT LTE Network Sharing V2.pptx
bynthuang
 
PDF
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 
CaseStudy-CloudMigration -For USE CASE -Customer Success Info -6-Aug-25.pptx
bywinlentech
 
WShell Gameplay and Games of Games of Games
byzramirezmtz9
 
ARTIFICIAL INTELLIGENCE DEVELOPMENT SERVICE
bydavidjohansen1597
 
WShell Gameplay and Games of Games of Games
byzramirezmtz9
 
Bibhav Singh.pptx it's very useful for us it's in very good and very nice
byabhishekjaiswal5th33
 
html-forms in web development-courseICT.
bymadz33
 
Lecture_3 Network Securityeyeyggegeg.ppt
bysawsan202
 
Lecture_3 Network Securityyyeyeyyeeyyeywy.ppt
bysawsan202
 
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
Here are the winners of KALIDASA SAMMAN.
byglcppro
 
Top 5 Snapchat Tracker Apps for Safe and Responsible Monitoring
byMichael Carter
 
mc l2 Overview of Computer and Web-Technology.pptx
byavanikharde
 
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 
tokiohotellistening.pdf for tokiohotelfans
byrafaelgombos1234
 
classification of elements and periodicity.pdf
byaryanshreya2010
 
Introduction Digital Signal Processing.pptx
byumairmuhammad0409
 
Computer Networks 01[1 using all terms].pptx
bywaqasahmedbhatti633
 
Types of Cryptograph Symmetric Ceaser cipher and also about Assymetric
byhamzaabdulqadeer11
 
SriLank SLT LTE Network Sharing V2.pptx
bynthuang
 
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 

HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs

  • 1.
    HI THIS ISURGENT PLZ FIX ASAP: Critical Vulnerabilities and Bug Bounty Programs Kymberlee Price Senior Director of Researcher Operations Bugcrowd @Kym_Possible
  • 2.
    • Senior Directorof a Red Team • PSIRT Case Manager • Data Analyst • Internet Crime Investigator • Behavioral Psychologist @kym_possible whoami?
  • 3.
    • Intro • Red •Blue • tl;dr • Questions Agenda
  • 4.
    • Determining ifa bug bounty program is appropriate for your company • Selling you a bug bounty program • Recruiting you to be a bounty hunter What this talk isn’t
  • 5.
  • 7.
  • 8.
  • 9.
  • 10.
  • 12.
    2014 Submissions: • 17,011 submissions– 16% increase YoY • 61 high severity bugs – 49% increase YoY • Minimum reward: $500 Geography: • 65 countries received rewards – 12% increase YoY • 123 countries reporting bugs https://www.facebook.com/notes/facebook-bug-bounty/2014-highlights-bounties-get-better-than- ever/1026610350686524
  • 13.
    2014 Payouts: • $1.3 millionto 321 researchers • Average reward: $1,788. Top 5 Countries: • India – 196 valid bugs • Egypt – 81 valid bugs • USA – 61 valid bugs • UK – 28 valid bugs • Philippines – 27 valid bugs $1,343 $1,220 $2,470 $2,768 $1,093 $263,228 $98,820 $150,670 $77,504 $29,511 $619,733 The top 5 researchers earned a total of $256,750
  • 15.
    2014 • 73 vulnerabilitiesidentified and fixed • 1,920 submissions • 33 researchers earned $50,100 for 57 bugs • Minimum reward: $200 • Doubled maximum bounty payout to celebrate https://github.com/blog/1951-github-security-bug-bounty-program-turns-one
  • 16.
  • 18.
    Online Services: O365and Azure • 46 rewarded submissions since launch in late Sept 2014 • Reward amounts to each researcher not published • Program offers minimum $500 up to $15,000 Mitigation Bypass • Up to $100,000 for novel exploitation techniques against protections built into the OS Bounty for Defense • Up to $100,000 for defensive ideas accompanying a qualifying Mitigation Bypass submission https://technet.microsoft.com/en-us/security/dn469163.aspx
  • 19.
  • 20.
    Middle East 8% Europe 25% Latin America 3% North America 8% Asia (excluding India) 15% India 41% RESEARCHERS– ONLINE SERVICES Oceania 3% Europe 21% Africa 5% Asia (excluding India) 29% India 8% North America 31% Latin America 3% RESEARCHERS - SOFTWARE
  • 21.
  • 23.
    • 166 Customerprograms • 37,227 submissions – 7,958 non-duplicate, valid vulnerabilities – Rewarded 3,621 submissions • $724,839 paid out – Average reward $200.81, top reward of $10,000 2013-present http://bgcd.co/bcsbb2015
  • 24.
    Big Bugs: • 4.39high- or critical-priority vulnerabilities per program • Total: 729 high-priority vulnerabilities – 175 rated “critical” by trained application security engineers 2013-present http://bgcd.co/bcsbb2015
  • 25.
    • P1 –CRITICAL Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allows remote code execution, financial theft, etc. Examples: Vertical Authentication bypass, SSRF, XXE, SQL Injection, User authentication bypass • P2 – SEVERE Vulnerabilities that affect the security of the platform including the processes it supports. Examples: Lateral authentication bypass, Stored XSS, some CSRF depending on impact P1 and P2 Defined https://blog.bugcrowd.com/vulnerability-prioritization-at-bugcrowd/
  • 26.
    • Professional PenTesters and consultants • Former developers, QA engineers, and IT Admins that have shifted focus into application security • University students that have self taught security skills • Bugcrowd has over 18,000 researchers signed up in 147 countries worldwide Who finds these bugs? http://bgcd.co/bcsbb2015
  • 27.
  • 28.
    • XXE inproduction exploited using Google Toolbar button gallery • Reported in April 2014 • Fredrik Almroth and Mathias Karlsson • Google responded to the report within 20 minutes
  • 29.
    • XXE inproduction exploited using Google Toolbar button gallery • Reported in April 2014 • Fredrik Almroth and Mathias Karlsson • Google responded to the report within 20 minutes
  • 30.
    • Reginaldo Silvareported an XML external entity vulnerability within a PHP page that would have allowed a hacker to change Facebook's use of Gmail as an OpenID provider to a hacker-controlled URL, before servicing requests with malicious XML code. • http://www.ubercomp.com/posts/2014-01- 16_facebook_remote_code_execution
  • 31.
    • Laxman Muthiyahidentified a way for a malicious user to delete any photo album owned by a user, page, or group on Facebook. He found this vulnerability when he tried to delete one of his own photo albums using the graph explorer access token. • http://www.7xter.com/2015/02/how-i-hacked-your-facebook- photos.html
  • 32.
  • 34.
    • Clifford’s firstprivate bounty invitation • Launched at midnight in PH • Found an IDOR  elevation of privilege
  • 35.
    • Bug in“import user” feature • no check whether the user who is requesting the import has the the right privilege
  • 36.
  • 37.
    • IDOR elevation of privilege 1) login to https://service.teslamotors.com/ 2) navigate to https://service.teslamotors.com/admin/bulletins 3) now you are admin, you can delete, modify and publish documents
  • 38.
  • 39.
  • 40.
    • Submission framework& expectations • Eloquence of written communication • Clear in and out of scope documentation Rapid triage & prioritization (get to the P1’s faster)
  • 42.
    • Guidance andtraining – Google: Bughunter University – Facebook: Bounty Hunter’s Guide – Bugcrowd: Bugcrowd Forum • Clear in and out of scope documentation • Direct Performance Feedback How to reduce noise
  • 43.
    • Guidance andtraining – Google: Bughunter University – Facebook: Bounty Hunter’s Guide – Bugcrowd: Bugcrowd Forum • Clear in and out of scope documentation • Direct Performance Feedback How to reduce noise
  • 44.
    • Clear thequeue daily • Communicate your priorities • Dealing with Duplicates Rapid triage & prioritization
  • 45.
    • Defined vulnerabilitytaxonomy Rapid triage & prioritization
  • 46.
    Is it worththe hassle? “In Mortal Combat terms, it is a ‘Fatality’” “If we get nothing else from the bounty, this vuln was worth the whole program alone. Due to the critical nature of the issue, we immediately patched the Prod servers this evening to close this exploit. We are also reviewing all logs since we don't delete them yet to identify any instance where this ever happened in the past.”
  • 47.
    • Publish andstick to your program SLA • Stop rewarding bad behavior • Don’t create bad behavior – Reward consistently – Reward fairly – Fix quickly – Again with the documentation How to reduce noise
  • 48.
  • 49.
    • Bug bountiessuccessfully generate high severity vulnerability disclosures, delivering real value that improves application security for companies of all sizes. • Crowdsourcing engages skilled researchers around the world that you may not have heard of. conclusions
  • 50.
    • Write strongscope documentation • Clear submission expectations • Provide feedback • Stay consistently engaged • Reward good behavior call to action
  • 51.
    HI THIS ISURGENT PLZ FIX ASAP: Critical Vulnerabilities and Bug Bounty Programs Kymberlee Price Senior Director of Researcher Operations Bugcrowd @Kym_Possible

Editor's Notes

  • #2 No More Free Bugs led to Bug Bounties, but some people believe that bug bounty hunters are low quality script kiddies and the most talented researchers aren't participating. The emergence of bug bounty programs is increasing the volume of vulnerability submissions, but how many of those can be found by running an automated scanning tool? Are any really critical bugs being found in the sea of clickjacking and weak password policy reports? How do you separate the signal from the noise, and more importantly, how do you shift the balance of bug reports to greater signal/less noise overall? In this presentation we will discuss several highly critical vulnerabilities that have been uncovered through a variety of bug bounty programs and their impact on the customers. With participation from researchers and vendors, attendees will not only see some sweet vulnerabilities broken down, but also why wading through another submission from @CluelessSec might be worth it.
  • #5 I am more than happy to talk to you about any or all of these things, but not during the next 50 minutes. We are hosting a AMA lounge at Defcon where I’ll gladly answer any questions you have on starting a bounty program.
  • #7 DOES NOT INCLUDE THE PATCH REWARD PROGRAM OR CHROME REWARD PROGRAM. ANDROID REWARD PROGRAM STARTED IN 2015. In scope: google.com, youtube.com, blogger.com. Also google-developed apps & extensions in the google play, iTunes, or Chrome web stores.
  • #8 Google is one of the companies with a public bug bounty program that publishes statistics on their program. There aren’t raw numbers of vulnerability reports, but I think it is fair to say from this heatmap that rewardable submissions were less than 20% of the total. That big green block is noise. But down there on the lower right are the submissions that make the VRP program worthwhile.
  • #9 The vast majority of reward money is sent to finders of high risk issues, delivering clear value to product security. These researchers clearly hit big money. 300000/5000=60 200000/3133.7=64
  • #10 https://sites.google.com/site/bughunteruniversity/behind-the-scenes/charts Over time, the volume of valid bugs reported decreased. “Based on interviews, surveys and this graph, we conclude that finding bugs in Google products is becoming harder over time, forcing frequent researchers to search for more complex vulnerabilities.” SUCCESS
  • #11 This map shows countries where they send rewards, and size represents the average severity of the vulnerabilities. Europe is clearly submitting the most bugs, but what is interesting is that Asia and even Africa submit more valid reports than researchers based in America. Even with their significant payouts, US based researchers aren’t finding and submitting vulnerabilities on the scale that other regions are.
  • #12 https://www.facebook.com/notes/facebook-bug-bounty/2014-highlights-bounties-get-better-than-ever/1026610350686524
  • #13 https://www.facebook.com/notes/facebook-bug-bounty/2014-highlights-bounties-get-better-than-ever/1026610350686524
  • #14 The average reward may have been $1,788, but the top 5 researchers took home a quarter of a million dollars. So what are the top countries these bugs come from? If you are looking for volume, no country even comes close to beating India. Good job y’all, this is pretty impressive. This means that Facebook sent over a quarter of a million dollars to India in 2014, to pay researchers for helping to secure their product. But it isn’t all about volume, right? This whole talk is about impact. So lets look at average bug value. [click through average bug payouts and sum] Now we see that the UK comes out on top when it comes to average payout per bug. [click to show sum of top 5 countries] All told, submissions from these 5 countries account for 48% of Facebook’s total 2014 payout.
  • #15 https://github.com/blog/1951-github-security-bug-bounty-program-turns-one
  • #16 https://github.com/blog/1951-github-security-bug-bounty-program-turns-one 3.8% of submissions fixed
  • #17 https://github.com/blog/1951-github-security-bug-bounty-program-turns-one Like Google, submissions are diminishing over time. While they didn’t publish statistics on payouts from 2014, they have announced increased rewards up to $10,000 in January 2015
  • #18 https://technet.microsoft.com/en-us/security/dn469163.aspx Microsoft hasn’t published data on the volume of submissions, just a hall of fame for valid paid bugs.
  • #19 https://technet.microsoft.com/en-us/security/dn469163.aspx Microsoft hasn’t published data on the volume of submissions, just a hall of fame for valid paid bugs. Online Services Bug Bounty Start Date: 23 September 2014 Microsoft Azure services additions: 22 April 2015 Timeframe: Ongoing The Online Services Bug Bounty program gives individuals across the globe the opportunity to submit vulnerability reports on eligible Online Services (O365 and Microsoft Azure) provided by Microsoft. Being ahead of the game by identifying the exploit techniques in our widely used services helps make our customer’s environment more secure. Qualified submissions are eligible for payment from a minimum of $500 USD up to $15,000 USD.
  • #20 Different rewards for different behaviors – honor roll means the researcher received a cash reward in all cases Software: Acknowledgements are advisory credits for the disclosure. Online Services: Acknowledgement for disclosure of a valid issue that did not receive a bounty
  • #21 Where their researchers come from varies widely based on technology focus
  • #22 These researchers applied their technical and creative skills to think like an attacker, but act like a defender. Their contributions to Microsoft product security are nontrivial.
  • #23 Turns out I have a lot of data on a lot of customer bounty programs.
  • #24 STATE OF BUG BOUNTY REPORT DATA January 1 2013 to June 30 2015
  • #25 SOBB data
  • #26 So what do we mean by “high priority”? Over half the bug bounty programs we reviewed had one or more of these vulnerabilities reported
  • #29 Fredrik read through the API specifications, and crafted his own button containing fishy XML entities. The plan was to conduct an XXE attack as he noticed the title and description fields were printed out when searching for the buttons. The root cause of XXE vulnerabilities are naive XML parsers that blindly interpret the DTD of the user supplied XML documents. By doing so, you risk having your parser doing a bunch of nasty things. Some issues include: local file access, SSRF and remote file includes, Denial of Service and possible remote code execution. If you want to know how to patch these issues, check out the OWASP page on how to secure XML parsers in various languages and platforms.
  • #30 Fredrik read through the API specifications, and crafted his own button containing fishy XML entities. The plan was to conduct an XXE attack as he noticed the title and description fields were printed out when searching for the buttons. The root cause of XXE vulnerabilities are naive XML parsers that blindly interpret the DTD of the user supplied XML documents. By doing so, you risk having your parser doing a bunch of nasty things. Some issues include: local file access, SSRF and remote file includes, Denial of Service and possible remote code execution. If you want to know how to patch these issues, check out the OWASP page on how to secure XML parsers in various languages and platforms.
  • #31 Brazilian web security researcher Reginaldo Silva earned $33,500 for giving the social network a heads-up about an XML external entity vulnerability within a PHP page hosted on its servers that handled OpenID authentication. The flaw disclosed Facebook's etc/passwd. If the flaw were to be left unresolved, malicious crackers who came across the vulnerability could have abused it to change Facebook's use of Gmail as an OpenID provider to a hacker-controlled URL, before servicing requests with malicious XML code. http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution
  • #32 Laxman Muthiyah found a way for a malicious user to delete any photo album on Facebook. He found this vulnerability when he tried to delete one of his own photo albums using the graph explorer access token. http://www.7xter.com/2015/02/how-i-hacked-your-facebook-photos.html
  • #33 Simple is an online bank
  • #34 Peter confirmed this affected several configurations, but not every possible supported configuration – enough to demonstrate the persistence of the issue and that it was not an edge case
  • #35 Smartsheet is an online collaboration and business productivity software application with web and mobile apps. They have 65,000 customers with 6 million users, including Google, Cisco, Uber, Toyota, and Facebook. Clifford found a way to take over any user account without any user interaction
  • #36 Four user roles: Licensed user, system admin, group admin, resource viewer. Follow user import process until you hit the import button – then fire up intercept proxy and change the value of parm1 to victim target account. Verification email is sent to the imported attacker controlled email.
  • #37 Clifford received permission to disclose this issue from Smartsheet and has written up how he found the vulnerability and its impact on his blog,
  • #39 Malicious user could redirect the purchases of customers in an online shopping portal http://nbsriharsha.blogspot.in/2015/07/a-style-of-bypassing-authentication.html
  • #41 Whether you have vulnerabilities submitted through a secure webform or encrypted email, collect the right information. Tell researchers in your program brief what information you require in a submission for maximum reward. If a researcher isn’t providing it automatically, give feedback. Maybe you want CVSS, maybe you want to know the STRIDE model and if authentication is required, whatever helps you sift through bugs, ask for it. How well is the vulnerability submission written? Did they spellcheck? Does it follow industry standards and APA format? Just kidding. You’re looking for a vulnerability to fix. Give researchers a secure way to provide you with video of their POC in case English is a second language. You want the vulnerability, not a dissertation. Scope documentation is going to help you keep researchers focused on the vulns you care most about, and give you a fast way to reject out of scope bugs as out of scope. What do you do with vulnerability reports that aren’t explicitly in scope, but aren’t explicitly out of scope either? If you’re going to implement a code change as a result of the report, we recommend validating and rewarding them, and updating your brief to either include or exclude them moving forward.
  • #42 Example of how Facebook sets expectations in submissions
  • #43 Example of Google scope documentation
  • #44 Example of Google scope documentation
  • #45 Don’t batch responses to your new submissions once a week – allowing yourself to get 5 days behind means that if you wake up sick on your triage day and don’t go to work, your program is now over 1 business week in response time, and you’re getting further behind in the vulnerability queue… which may have a P1 in it that you need to jump on. Keep your queue manageable by clearing it daily. Publicly define how you prioritize and minimum rewards for each priority – this will cut down on debate with the researcher later. Duplicates at the P1 and P2 level are uncommon, because these issues are fixed rapidly due to their severity. But I’m going to say this anyway: fix quickly. Don’t expect that because you’ve paid a reward for a bug, you’ve got all the time you want to eventually get around to patching it. Every time a duplicate is reported it costs your bounty program both in operational effort and researcher experience. At lower severity levels duplicates are common because fixes may not be prioritized as highly as other development work, and you’ll end up having to justify to the second (and maybe third and fourth) researcher that they weren’t first, and tell them when it was reported before… Also, if the same bug is being found by your crowd once a week, you know its easily found by the bad guys too. So fix as soon as is practical and save yourself the headache.
  • #46 Example of communicating priorities, this is LastPass
  • #47 These customers definitely think so. They weren’t really comfortable being attributed, but these are actual quotes.
  • #48 Example of bad behavior: awarding hall of fame because you’re tired of arguing