Bounty Credit


Security Program Manager in the MSRC:
• Bug Bounty
• Outreach to the Security Research and Partner Community
• Security Conference Sponsorship
• Security Vulnerability Management, aka Case Management
In the past, a Microsoft Developer Consultant working with our hardware and software partners. I graduated from Georgia Institute of Technology with a bachelor's in Electrical Engineering. In my spare time, I enjoy playing basketball and watching anime.

Bounty Programs

Microsoft Bounty Programs
A bug bounty is a program set up to identify criteria around what someone will pay for reporting bugs.
• Microsoft is focused on security vulnerabilities
Various parties offer bounties for software and services bugs:
• Those who write the code (Microsoft, Google, Facebook, Yahoo!, etc.)
• Agents of those who write the code (Bugcrowd, HackerOne, Synack, etc.)
• Concerned parties who use the code (Internet Bug Bounty, GitHub, etc.)
• Vulnerability resellers (Zerodium, Zeronomicon)

Microsoft Bounty Programs, Old and New
Program | Maximum Bounty | Duration | Active/Closed
Edge Web Platform on WIP slow | $15,000 | End May 15, 2017 | Active
.NET Core and ASP.NET Core | $15,000 | Sustained | Active
Online Services (O365 and Azure) | $15,000 | Sustained | Active
Mitigation Bypass | $100,000 | Sustained | Active
Bounty for Defense | $100,000 | Sustained | Active
.NET Core and ASP.NET Core RC2 | $15,000 | End Sept 7, 2016 | Closed
Nano Server TP5 | $15,000 | Ended 29 July | Closed
ASP.NET and CoreCLR (part 1) | $15,000 | 2015 | Closed
Microsoft Edge Beta Bounty Program (part 1) | $15,000 | 2015 | Closed
BlueHat Prize | $100,000 | 2013 | Closed

New Microsoft Bounty Programs
• Microsoft Edge Web Platform Bug Bounty
• Microsoft .NET Core and ASP.NET Core Bug Bounty
https://blogs.technet.microsoft.com/msrc/

Microsoft Edge Beta Web Platform Bounty (Part 2)
• W3C standards
• The bugs must reproduce on the most recent Windows Insider Preview (WIP) slow build
• Program runs Aug 4, 2016 to May 15, 2017
• Microsoft will pay up to $1,500 USD for the first report received on an internally known issue
Vulnerability Type | Payout Range (USD)*
Remote Code Execution in Microsoft Edge on recent builds of WIP slow | Up to $15,000
Violations of W3C standards that compromise privacy or integrity of important user data | Up to $6,000
  This includes: violation of SOP, i.e. UXSS; referrer spoofs
  This does not include: XSS, CSRF (report these to the web site owner); XSS filter bypass
For additional information about this program: https://technet.microsoft.com/en-us/mt761990.aspx

Edge Attack Surface Reduction
With the Edge browser, we also seized the opportunity to drastically reduce the attack surface exposed to the web:
• No legacy document modes
• No legacy script engines (VBScript, JScript)
• No Vector Markup Language (VML)
• No Toolbars
• No Browser Helper Objects (BHOs)
• No ActiveX controls
[Bar chart, Edge vs. Internet Explorer by half-year: H1 (Aug 2015 - Jan 2016): Edge 22, Internet Explorer 81; H2 (Feb 2016 - Jul 2016): Edge 34, Internet Explorer 47.]

.NET Core and ASP.NET Core Bug Bounty
• Vulnerabilities in the latest available .NET builds
• Program began September 1, 2016 (continuous)
• All bugs have to reproduce in the latest beta or release candidates to qualify
• Pays up to $15,000 USD
Vulnerability type | Payout range (USD)
Remote Code Execution | $15,000 to $1,500
Security Design Flaw | $10,000 to $1,500
Elevation of Privilege | $10,000 to $5,000
Remote DoS | $5,000 to $2,500
Tampering / Spoofing | $5,000 to $500
Information Leaks | $2,500 to $750
Template CSRF or XSS | $2,000 to $500
For additional information about this program: https://technet.microsoft.com/en-us/mt764065

Online Services Bug Bounty Program
• O365 + Azure
• $500 to $15,000 USD
For additional information about this program: https://technet.microsoft.com/en-us/dn800983

Hyper-V
• Hyper-V escapes that will receive a bounty
• Up to $100,000 USD
For additional information about this program: https://technet.microsoft.com/en-us/dn425049

Mitigation Bypass and Bounty for Defense
• Novel mitigation bypass
• Defense idea that would block an exploitation
• Up to $200,000 (Mitigation Bypass + Bounty for Defense)
For additional information about this program: https://technet.microsoft.com/en-us/dn425049

Eliminating classes of vulnerabilities
We move beyond the "hand-to-hand combat" of finding and fixing individual issues by identifying ways to eliminate entire classes of vulnerabilities.
Goal: Increase attacker cost of finding exploitable vulnerabilities.

We Closely Study Vulnerability Root Cause Trends
[Stacked 100% bar chart of Microsoft vulnerability root causes by year, 2006 to 2016. Categories: Use After Free, Heap Corruption, Other, Type Confusion, Heap OOB Read, Uninitialized Use, Stack Corruption.]

Analysis: High-level Vulnerability & Exploit Trends
[Two charts by patch year, 2006 to 2015: "# of Microsoft RCE/EOP CVEs by patch year" (series: Total, Linear (Total)) and "% of Microsoft RCE & EOP CVEs exploited within 30 days of patch" (series: Exploited within 30 days of patch, Not known to be exploited).]
Vulnerabilities are increasing while evidence of actual exploits is decreasing due to mitigation investments.

Measuring The Impact Of Our Strategy So Far
• The number of Microsoft vulnerabilities exploited within 30 days of a patch has continued to decline year over year despite increases in the number of vulnerabilities being addressed each year
• In the last two years, no zero day exploits for Microsoft RCE vulnerabilities have been found in-the-wild that work against Internet Explorer 11 on Windows 8.1+
• Since releasing Edge one year ago, there have been no zero day exploits found in-the-wild targeting Edge

Success Story: Internet Explorer Zero Day RCE
[Timeline chart, Jan 2014 to Jan 2016, of in-the-wild Internet Explorer zero-day RCE exploits (CVE-2014-0322, CVE-2014-0324, CVE-2014-1776, CVE-2014-1815, CVE-2015-2502) against shipped Internet Explorer security features: CFG for Windows 8.1 (optional update 11/7/2014; default 2/11/2015), Use-After-Free hardening v1 and v2, Out-of-Date Java Blocking, MemGC (IE 11).]
• A focus on mitigations for disruption of invariant techniques used in exploits (ROP, Heap Spraying, UAF)
• In 2015 only 6 days with a known zero day Internet Explorer RCE exploit in-the-wild (previously 135 days, then 45 days)
• Vulnerability volume has increased but number of zero day exploits has decreased

Software Bug Bounty Program: Security Vulnerability Impacts and Payouts
Bypassing existing mitigations in the OS or Browser | $100,000
Hyper-V escapes | $100,000
Remote Code Execution | $15,000
Elevation of Privileges | $10,000
Security Design Flaws | $10,000
Tampering/Spoofing | $5,000
Remote DoS | $5,000
Information Disclosure | $2,500
We pay the highest bounties for:
1) High quality reports
   • POC
   • Detailed write up
2) High impact bugs
Payout range is $500 to $100,000 USD.

Online Services Bug Bounty Program: Security Vulnerability Types
• XSS
• CSRF
• Authentication vulnerabilities
• Privilege escalation
• Injection vulnerabilities
• Insecure direct object reference
• Unauthorized cross tenant access or tampering
• Server-side code execution
• Significant security misconfiguration
The highest bounties can be earned on:
1. Authentication vulnerabilities – OAuth, SAML 2.0 related bugs
2. Privilege escalations
3. XSS and CSRF (on high traffic, high impact sites)
Payout range is $500 to $15,000 USD (with 2x bounties up to $30,000).

Bounties Paid To Date
• Mitigation Bypass, Bounty for Defense and BlueHat Prize: > $600,000 USD
• Online Services Bug Bounty: > $400,000 USD
• Software Bounties: > $200,000 USD

Finder Appreciation and Retention (FAR)
Unique Bounty: Bounties are offered across a number of Microsoft products. This will continue to grow. For more information:
• https://technet.microsoft.com/en-us/security/mt767986
• https://technet.microsoft.com/en-us/security/dn469163
Rewards: At conferences we award top finders with MSDN licenses, Surface Pro laptops, Surface Books and other hardware. This will continue.
Credit: Credit to finders in the form of CVE number attribution, and a formal thanks in the KB articles. This will continue to grow.
Opportunities: BlueHat invitations and speaking opportunities; customized private Microsoft party invites at various conferences; Bountycraft invitations; get hired by Microsoft.

Top 100 Finders for 2016
1. ZDI - Disclosures
2. Richard Shupak
3. Mateusz Jurczyk
4. I - Defense
5. Steven Vittitoe
14. Yu Yang
15. Moritz Jodeit
16. Jack Tang
17. Henry Li
18. Linan Hao
26. Ben Hawkes
27. Zhoujp
28. Mgchoi
29. Atte Kettunen
30. Lucas Leong
38. Taylor Woll
39. Hui Gao
40. Wenxiang Qian
41. Jaanus Kaap
42.