Hunting bugs ?!
How to run a Bug Bounty Program and not being fired!
Anchises Moraes | Cyber Evangelist
@anchisesbr
@C6Bank @GaroaHC @BSidesSP
@CSAbr @LWomcy
AGENDA

•  The value of a Bug Bounty program
•  Challenges and Lessons learned @ C6 Bank
It is not just about the money!
WTF IS BUG BOUNTY?

How it works (flow on the slide):

Report sources: the public (www) and known researchers.

Research → Verification → Triage → Correction plan → Bounty → Remediation

Activities along the flow:
•  Validate the report: scope, severity
•  Test and validate the bug
•  Review severity and correction effort
•  Notification portal: reports and researcher management (profile, reputation)
Different approaches to help find bugs

Placed along the lifecycle from DEV and QA to Production (diagram on the slide):

•  Code Review
•  Code Security Tests
•  Vulnerability analysis
•  Pentest
•  Red Team
•  Threat Hunting
•  Vulnerability Disclosure
•  BUG BOUNTY
BENEFITS TO ORGANIZATIONS

•  Notification channel (Source: www.justice.gov)
•  Diversity
   Study: “An Empirical Study of Vulnerability Rewards Programs” (Berkeley)
   - An increase in the number of researchers looking for vulnerabilities yields an increase in the diversity of vulnerabilities discovered.
•  Cost x Benefit
   Study: “An Empirical Study of Vulnerability Rewards Programs” (Berkeley)
   - A Vulnerability Research Program (VRP) can be a cost-effective mechanism for finding security vulnerabilities.
   - The cost of (…) VRPs is comparable to the cost of just one member of the browser security team.
   - Each of these VRPs finds many more vulnerabilities than any one researcher is likely to be able to find.
   https://mfinifter.github.io/papers/vrps-usenix2013.pdf
CHALLENGES

USUAL OBJECTIONS (Before BB)

•  “PEOPLE / CRIMINALS WILL TEST THE SECURITY OF OUR APPLICATION”
   THEY ALREADY DO THAT!
•  “WHAT IF THEY FIND BUGS?”
   WE WILL HAVE TO FIX THEM (ASAP) BEFORE BAD GUYS ALSO FIND THEM.
•  “HOW TO PREDICT THE IMPACT (# BUGS) AND COST OF THE BB PROGRAM?”
   I DON’T KNOW :(
Classification: Internal

SOME CHALLENGES (Running BB)

•  Volatility (chart on the slide: Total reports vs. Valid reports)
•  False positives (chart on the slide: Total reports vs. Valid reports)
TO BUILD AND TO FOLLOW A RESPONSE PROCESS

Manage response times (SLA):
•  Response to researcher & reward
•  Internal process for vulnerability fix
GEOGRAPHY CHALLENGE

Local business vs. global BB program
LESSONS LEARNED

•  BB Program launched in May 2019
•  Private program (invite only)
•  Announcement: “C6 Bank to launch ‘bug bounty’ program”, https://medium.com/@C6bank/c6-bank-lan%C3%A7a-programa-de-bug-bounty-1f419ebec9f2
RED TEAM GOT UPSET

BB program exposing bugs they couldn’t find before!
“Testing only proves the presence of bugs, not the absence of them.”
Louis Cremen
https://hackernoon.com/introducing-the-infosec-colour-wheel-blending-developers-with-red-and-blue-security-teams-6437c1a07700
NO ONE LIKES DUPLICATED REPORTS

Too bad for researchers (frustration) and for the company (noise)

•  Study: “Diversity or Concentration? Hackers’ Strategy for Working Across Multiple Bug Bounty Programs” (MIT)
•  Sorting the few new valid issues from the deafening noise of submitted trivial bugs, non-issues, duplicates is time consuming and can drain resources.
•  (…) invalid and duplicate submissions greatly out-number valid submissions for open programs.
INTERNAL METRICS TO MEASURE THE BUG IMPACT & COST

Bounty Table / Rewards (Best case) (US$)
(Amounts as on the slide, with a period as the thousands separator: “$ 50.000” is fifty thousand dollars.)

Company        Critical    High       Medium    Low
Robinhood      $ 50.000    many       many      $ 100
Coinbase       $ 50.000    $ 15.000   $ 2.000   $ 200
Paypal         $ 20.000    $ 10.000   $ 1.000   $ 100
Goldman Sachs  $ 15.000    many       many      $ 250
QIWI           $ 5.000     $ 5.000    $ 500     $ 200
Credit Karma   $ 5.000     $ 2.250    $ 700     $ 250
Savedroid      $ 2.500     $ 1.500    $ 500     $ 250
Plaid          $ 2.500     $ 1.000    $ 500     $ 250
RecargaPay     $ 2.000     $ 750      $ 300     $ 150
Omise          $ 800       $ 400      $ 200     $ 100
Liberapay      $ 500       $ 300      $ 50      $ -

Source: Hackerone
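The deck asks for a response process with SLAs (slide “TO BUILD AND TO FOLLOW A RESPONSE PROCESS”), for tracking total vs. valid reports (the “volatility” and “false positives” charts) and for internal metrics of bug impact and cost (the bounty table). The script below is an added example written for this page, not code from the author or from C6 Bank, showing one way a program owner could compute those numbers from a report queue. The bounty tiers, SLA targets and the report records are constructed assumptions for a hypothetical private program, not the deck’s figures.

```python
"""Bug bounty program metrics: triage mix, SLA breaches and reward cost (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical program settings (assumed for this example, not the deck's numbers).
BOUNTY_TABLE_USD = {"critical": 2000, "high": 750, "medium": 300, "low": 150}
FIRST_RESPONSE_SLA = timedelta(hours=48)   # time to first reply to the researcher
FIX_SLA = {                                 # time to remediation, by severity
    "critical": timedelta(days=7),
    "high": timedelta(days=30),
    "medium": timedelta(days=60),
    "low": timedelta(days=90),
}


@dataclass
class Report:
    report_id: str
    submitted_at: datetime
    status: str                        # "valid", "duplicate" or "invalid" after triage
    severity: Optional[str] = None     # set during review, valid reports only
    first_response_at: Optional[datetime] = None
    fixed_at: Optional[datetime] = None


def triage_counts(reports):
    """How the queue splits into valid reports versus duplicate/invalid noise."""
    counts = {"valid": 0, "duplicate": 0, "invalid": 0}
    for r in reports:
        counts[r.status] += 1
    return counts


def valid_ratio(reports):
    """Valid reports / total reports, the two series on the volatility chart."""
    if not reports:
        return 0.0
    return triage_counts(reports)["valid"] / len(reports)


def weekly_series(reports):
    """(total, valid) per ISO week, to see how volatile intake is over time."""
    series = {}
    for r in reports:
        year, week, _ = r.submitted_at.isocalendar()
        key = f"{year}-W{week:02d}"
        total, valid = series.get(key, (0, 0))
        series[key] = (total + 1, valid + (r.status == "valid"))
    return dict(sorted(series.items()))


def sla_breaches(reports, now):
    """(report_id, 'response' | 'fix') for each SLA that was missed or is already late."""
    breaches = []
    for r in reports:
        responded = r.first_response_at or now     # unanswered reports keep accruing
        if responded - r.submitted_at > FIRST_RESPONSE_SLA:
            breaches.append((r.report_id, "response"))
        if r.status == "valid" and r.severity:
            fixed = r.fixed_at or now               # open bugs are measured against now
            if fixed - r.submitted_at > FIX_SLA[r.severity]:
                breaches.append((r.report_id, "fix"))
    return breaches


def bounty_cost(reports):
    """Rewards owed for valid reports, priced from the program's bounty table."""
    return sum(BOUNTY_TABLE_USD[r.severity]
               for r in reports if r.status == "valid" and r.severity)


# Constructed sample queue: six reports over two weeks, one still unfixed.
T0 = datetime(2019, 6, 3, 9, 0)
SAMPLE_REPORTS = [
    Report("R-1", T0, "valid", "high", T0 + timedelta(hours=6), T0 + timedelta(days=12)),
    Report("R-2", T0 + timedelta(days=1), "duplicate", None, T0 + timedelta(days=1, hours=3)),
    Report("R-3", T0 + timedelta(days=2), "invalid", None, T0 + timedelta(days=5)),   # slow reply
    Report("R-4", T0 + timedelta(days=8), "valid", "critical", T0 + timedelta(days=8, hours=2), None),
    Report("R-5", T0 + timedelta(days=9), "valid", "low", T0 + timedelta(days=9, hours=20), T0 + timedelta(days=40)),
    Report("R-6", T0 + timedelta(days=10), "duplicate", None, T0 + timedelta(days=10, hours=1)),
]
NOW = T0 + timedelta(days=30)

if __name__ == "__main__":
    print("triage:", triage_counts(SAMPLE_REPORTS))
    print("valid ratio:", valid_ratio(SAMPLE_REPORTS))
    print("weekly (total, valid):", weekly_series(SAMPLE_REPORTS))
    print("SLA breaches:", sla_breaches(SAMPLE_REPORTS, NOW))
    print("bounty cost (US$):", bounty_cost(SAMPLE_REPORTS))
```

Open valid reports are measured against the current time rather than skipped, so a critical bug that is still unfixed after its SLA window shows up as a breach instead of disappearing from the report; the same applies to reports that never received a first response.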
MY FAVORITES <3

•  BB improves the capability to detect vulnerabilities
•  Represents a strong security posture
•  Helps build a good relationship with the infosec community

FIXING A BUG IN PRODUCTION
THANK YOU, GRACIAS!
Anchises Moraes | Cyber Evangelist
@anchisesbr @c6bank
https://www.c6bank.com.br
REFERENCES AND SUGGESTED READING

M. Finifter, D. Akhawe and D. Wagner, “An Empirical Study of Vulnerability Rewards Programs” (Berkeley), 2013, https://mfinifter.github.io/papers/vrps-usenix2013.pdf.
K. Huang, M. Siegel, S. Madnick, X. Li and Z. Feng, “Diversity or Concentration? Hackers’ Strategy for Working Across Multiple Bug Bounty Programs” (MIT), Dec. 2016.
R. Ellis, K. Huang, M. Siegel, K. Moussouris and J. Houghton, “Fixing a Hole: The Labor Market for Bugs” (MIT), 2017.
Hunting bugs - C0r0n4con