The document discusses the importance and management of bug bounty programs, emphasizing their role in improving company security amidst rising cybercrime and complex infrastructure. It outlines best practices for implementing such programs, including budget planning, setting criteria for payments, and ensuring responsible disclosure. The document also highlights the collaborative relationship between companies and hackers in enhancing cybersecurity.

1. BUGBOUNTY
PROGRAMS
Omar Benbouazza
Madrid | November 30 - December 1, 2018

3. • InfoSecurity Leader at IKEA
• More than 15 years experience.
• Technology, Hacking, Bug Bounties, Investigation, Threats…
• Organizer of RootedCON Security Conference (~2000 hackers)
• Former EY, Nokia and Microsoft

6. 6

7. 7

10. • Cybercrime is raising, increasing the financial impact
• Cost for defending companies is huge
• Infrastructure complexity is growing
• Some talent issues, you don’t have the best!
MANAGE

11. MANAGE

12. • PENTESTING Activities
• Compliance / Standards
• Internal/External Audits
• Secure Coding (SecDevOps)
• HACKING COMMUNITY!!
(Responsible Disclosure / Bug Bounty)

13. • Result guarantee: it is "paid" only for real vulnerabilities
• AGILE and FLEXIBLE: Switch ON/OFF
• Talented and Skilled people, don’t matter what technology

14. • Responsible Disclosure Program
• BugBounty Program
• Pentesting != BugBounty

15. ✓ Plan the Budget $$$
✓ Choose the Platform
✓ Integrations: Slack, JIRA…
✓ Think about the Scope / Targeted solutions
✓ Team / Teams supporting
✓ TEST Security before…
✓ Stablish criteria for payments beforehand
✓ Define SLA’s
✓ Write a policy for your program, what is not allowed!
✓ Monthly Committee

16. REPORT
REJECT
ACCEPTED
ORIGINAL BUG?
(Not duplicated)
IN SCOPE?
WEB
MOBILE APPS
YES
NO
VALID REPORT?
(Reproducible)
INFORM
hackerTEST
REQUEST INFO to
hacker
FW TO TEAM
+ INFO NEEDED?
WON’T FIXFIX
THANKS
to hacker
ELEGIBLE?
$$$
THANKS
to hacker
CHECK
THANKS
to hacker
INFORM
hacker
BB
IT
SEC
INFORM
hacker
WORKING ON REPORT

20. * The 2018 H1 Report

21. * The 2018 H1 Report

22. * The 2018 H1 Report

24. Limit Information Disclosure

28. • Technical Description:
✓ We want to know what you can do, and how you can use it
✓ We want to know an exploitation vector
✓ CVSS (Common Vulnerability Scoring System)
✓ We want steps to reproduce the issue
• Script code
• URL (SQLi – with getting RDBMS version, XSS – with alert)
• Packet sample (pcap)
• Screenshots
• Etc.

30. • NO THANKS:
✓ Attachments: PDF, DOC, EXE…
✓ Acunetix Reports (Automated scanners)
✓ Non exploitable bugs /* self XSS */
✓ Bugs without evidences
✓ Bugs based on blog articles of someone…

32. • Create a DB, make easy to find stuff
• Check before you process
• Avoid duplicates… later will be complicated
• Evaluate the risk
• If some information is missing, contact the researcher!

34. 1200 REPORTS
in the first month
INCIDENT RESPONSE TEAM

35. • #NOMOREFREEBUGS
• Best way to improve security in a company
• Hackers are our Friends :)

36. • Web Services
✓ All Nokia sites are in scope
✓ Marketing Sites
• Nokia/HERE Apps (Lumia/Asha)
• OS Vulnerabilities (Lumia/Asha)
• Firmware
• Client Software

37. • Dealers / Online Shops
• Enterprise-Corporate Systems
• Non-Nokia Services

38. • PROBLEMS:
✓ Really good acceptance ☺
✓ Hundreds of emails
✓ Huge number of legacy sites
✓ People asks for Rewards
• SOLUTIONS:
✓ Internal Ticketing System
✓ Nokia Intranet is really helpful (DB)
✓ Explain our policy to researchers
✓ Tons of patience

39. CASE STUDIES

43. THANKS!