SlideShare ist ein Scribd-Unternehmen logo

Hacker Herding with Sky Betting & Gaming's Dan Adams

HackerOne
HackerOne

Bug bounty programs (offering cash to individuals in return for reporting security vulnerabilities) are nothing new, having been around since 1995. Dan Adams, Web Application Security Specialist at Sky Betting & Gaming based in the UK, goes through his 10 tips on taking your first steps towards operating your own successful bug bounty program.

Technologie
1 von 24
Downloaden Sie, um offline zu lesen
TEN LESSONS LEARNED FROM LAUNCHING A BUG BOUNTY PROGRAMME HACKER HERDING BY: DAN ADAMS, WEB APPLICATION SECURITY SPECIALIST
TIP #1: CLARITY OF VISION
TIP #1: CLARITY OF VISION People want to get involved in bug bounty programmes, but they need very clear guidance on the programme’s scope, reward structure, eligibility requirements, and agreed disclosure process. It is essential to clearly define these in order to prevent any expectation gaps from forming.
TIP #2: TIMEBOX TRIAGE
TIP #2: TIME BOX TRIAGE It is unlikely that managing a bug bounty programme is going to be your sole responsibility in an organisation. It’s essential therefore in order to keep to pre-agreed SLAs (and deliver on those hacker expectations) to clearly delineate and set aside time dedicated to triaging and progressing vulnerability reports.
TIP #3: TAXONOMY FOR FUN AND PROFIT
TIP #3: TAXONOMY FOR FUN AND PROFIT Very soon you are going to be wanting to provide reports to management on how the bounty programme is progressing. Scrabbling to piece this information together manually is going to rob you of time and become a real ongoing burden. Its much better to spend the time up-front, carefully logging and recording each and every vulnerability and its attributes - what’s its CVSS score? What’s its CVE/CWE category? What system does it impact? Who is the system owner? When was it reported and when was it triaged and closed? Record absolutely everything, and then providing any custom report you want is a breeze. You’ll thank me later. START YOUR FREE BUG BOUNTY PROGRAM ON HACKERONE ANALYTICS AND CUSTOM REPORTS ARE BUILT IN TO THE HACKERONE PLATFORM. CHECK IT OUT FOR YOURSELF
TIP #4: KNOW YOUR BOTTLENECKS
TIP #4: KNOW YOUR BOTTLENECKS Running a bug bounty programme isn’t just about getting people to report bugs. In fact that’s not even a very significant part of a bug bounty programme. The vast majority of your time is going to be spent verifying, triaging and onward-reporting bugs for remediation, and answering queries from current and prospective hackers. The vast majority of a bug report’s lifecycle is going to be spent with it (from the hacker’s perspective) not progressing, and a hacker sat drumming his fingers waiting for a response and resolution. Hours can feel like days to the reporting hacker if he’s waiting on confirmation that his bug has been received or fixed. You’re going to need a slick bug triaging system agreed and in place, and a good downstream workflow and commitment from tech teams to fix vulnerabilities fast. Find out where your organisation’s bottlenecks are and try and get focus on these areas. (Fixing bugs fast also prevents dupe reports and hacker frustration).
FIND OUT WHERE YOUR ORGANISATION’S BOTTLENECKS ARE AND TRY AND GET FOCUS ON THESE AREAS. (FIXING BUGS FAST ALSO PREVENTS DUPE REPORTS AND HACKER FRUSTRATION). DAN ADAMS
TIP #5: START SMALL, START SLICK
TIP #5: START SMALL, START SLICK Its easy to get tempted into starting a large public bounty programme, but I would strongly advise you to start small and scale slow - try testing the waters with an internal/private bug bounty programme, or a fixed PoC/pilot with a set bounty pot and a small number of hand-picked hackers. It’s also vital to have a dedicated budget agreed and put aside, with the ability to quickly clear funds. Since no pot of money is infinite, it’s important also to limit your exposure somehow and maintain control over likely expenditure. It may be a good idea, at least initially, to run for a defined trial period, or structure your programme around bursts, sprints or “seasons” so that you have an on-season and an off-season for bug hunting, giving you time in between to clear down vulnerability backlogs and get ready for the next onslaught. READ OUR FREE REPORT ON HOW TO SUCCEED WITH YOUR BUG BOUNTY PROGRAM
TIP #6: KEEP YOUR HACKERS HAPPY
TIP #6: KEEP YOUR HACKERS HAPPY Your hackers are an amazing resource. And they’re all people, each of whom have slightly different motivations, methods of engagement, bug reporting style and expectations. If you run a bug bounty programme, you’re going to swiftly recognise that its not about bug management, its about people management. The launch of a bug bounty is an amazing way of engaging with other teams throughout your organisation on a positive basis and building a security-focused community. No longer are you a cost centre or the team that likes to say “no”, suddenly you’re the source of bountiful rewards! This can be a real boon that you can build upon.
TIP #7: ONE TOUCH
TIP #7: ONE TOUCH Templates. Just templates. You’re going to need to manage large volumes of tickets and find yourself making the same statements over and over. Save your sanity and as soon as the trends become clear write a few, high quality boilerplate responses for different scenarios. Run them past your teammates, hone them, and use them.
TIP #8: MANAGEMENT LIVES MATTER TOO
TIP #8: MANAGEMENT LIVES MATTER TOO Its easy to get swept up in the enthusiasm of operating a bug bounty programme but there may be a long list of people that you need to get support from for buy-in both at launch and on an ongoing basis. Are senior management happy at the increased risk profile of operating a bug bounty programme? What about your external comms team? Legal teams? How about your product owners? Do your network team know why they’re seeing a sudden uplift in XSS probes on the web application firewall? Have you made your compliance teams aware? You’re going to want to engage various teams early as possible, and feed back with the wonderful metrics you’re gathering (see Tip 3) regularly.
TIP #9: PARTNER UP
TIP #9: PARTNER UP Stick to what you’re good at and don’t try and do everything yourself. Dedicated bug bounty management platforms such as HackerOne (www.hackerone.com) can prove invaluable. They’re not free but they offer solid tooling as well as guidance on programme operation and services such as mediation of any challenges or disagreements with hackers.
DEDICATED BUG BOUNTY MANAGEMENT PLATFORMS SUCH AS HACKERONE CAN PROVE INVALUABLE. DAN ADAMS
TIP #10: ROOT CAUSE ANALYSIS
TIP #10: ROOT CAUSE ANALYSIS Once you’ve been running your bug programme for a while and gathered lots of lovely data (see Tip 3) you’ll get definite bonus points for going to the next step and instead of just fixing vulnerabilities starting to ask why do we have these vulnerabilities? Analysis of a single ticket in isolation isn’t particularly meaningful but analysis across your entire data set may well show up common causes or vulnerability types, which you can examine for root causes - behaviours of processes in your organisation that are leading to the creation of vulnerabilities. Sort these and you can prevent vulnerabilities being introduced in the first place, which is surely the ultimate goal. Even if it means your top hackers may not get the last few hundred dollars they need for that new boat they’ve had their eye on.
TOGETHER WE HIT HARDER See the original article at: http://engineering.skybettingandgaming.com/ 2016/11/18/herding-hackers/ Thanks to Dan Adams and Sky Betting & Gaming for allowing us to share this great content!

Empfohlen

ZeroCater Presents: Proficiency in the Workplace
ZeroCater Presents: Proficiency in the Workplace ZeroCater Presents: Proficiency in the Workplace
ZeroCater Presents: Proficiency in the Workplace Felicia Myers
 
How to Setup A Pen test Lab and How to Play CTF
How to Setup A Pen test Lab and How to Play CTF How to Setup A Pen test Lab and How to Play CTF
How to Setup A Pen test Lab and How to Play CTF n|u - The Open Security Community
 
Top 20 Public Bug Bounty Programs
Top 20 Public Bug Bounty ProgramsTop 20 Public Bug Bounty Programs
Top 20 Public Bug Bounty ProgramsHackerOne
 
118 Hacker-Powered Facts From The 2018 Hacker-Powered Security Report
118 Hacker-Powered Facts From The 2018 Hacker-Powered Security Report118 Hacker-Powered Facts From The 2018 Hacker-Powered Security Report
118 Hacker-Powered Facts From The 2018 Hacker-Powered Security ReportHackerOne
 
Federal Trade Commission's Start With Security Guide
Federal Trade Commission's Start With Security GuideFederal Trade Commission's Start With Security Guide
Federal Trade Commission's Start With Security GuideHackerOne
 
Understanding Information Security Assessment Types
Understanding Information Security Assessment TypesUnderstanding Information Security Assessment Types
Understanding Information Security Assessment TypesHackerOne
 
Everything you Need to Know about The Data Protection Officer Role
Everything you Need to Know about The Data Protection Officer Role Everything you Need to Know about The Data Protection Officer Role
Everything you Need to Know about The Data Protection Officer Role HackerOne
 
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...HackerOne
 

Empfohlen

ZeroCater Presents: Proficiency in the Workplace
ZeroCater Presents: Proficiency in the Workplace ZeroCater Presents: Proficiency in the Workplace
ZeroCater Presents: Proficiency in the Workplace Felicia Myers
 
How to Setup A Pen test Lab and How to Play CTF
How to Setup A Pen test Lab and How to Play CTF How to Setup A Pen test Lab and How to Play CTF
How to Setup A Pen test Lab and How to Play CTF n|u - The Open Security Community
 
Top 20 Public Bug Bounty Programs
Top 20 Public Bug Bounty ProgramsTop 20 Public Bug Bounty Programs
Top 20 Public Bug Bounty ProgramsHackerOne
 
118 Hacker-Powered Facts From The 2018 Hacker-Powered Security Report
118 Hacker-Powered Facts From The 2018 Hacker-Powered Security Report118 Hacker-Powered Facts From The 2018 Hacker-Powered Security Report
118 Hacker-Powered Facts From The 2018 Hacker-Powered Security ReportHackerOne
 
Federal Trade Commission's Start With Security Guide
Federal Trade Commission's Start With Security GuideFederal Trade Commission's Start With Security Guide
Federal Trade Commission's Start With Security GuideHackerOne
 
Understanding Information Security Assessment Types
Understanding Information Security Assessment TypesUnderstanding Information Security Assessment Types
Understanding Information Security Assessment TypesHackerOne
 
Everything you Need to Know about The Data Protection Officer Role
Everything you Need to Know about The Data Protection Officer Role Everything you Need to Know about The Data Protection Officer Role
Everything you Need to Know about The Data Protection Officer Role HackerOne
 
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...HackerOne
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne
 
9 Top Bug Bounty Programs
9 Top Bug Bounty Programs9 Top Bug Bounty Programs
9 Top Bug Bounty ProgramsHackerOne
 
Voices of Vulnerability Disclosure Policy
Voices of Vulnerability Disclosure PolicyVoices of Vulnerability Disclosure Policy
Voices of Vulnerability Disclosure PolicyHackerOne
 
GDPR Guide: The ICO's 12 Recommended Steps To Take Now
GDPR Guide: The ICO's 12 Recommended Steps To Take NowGDPR Guide: The ICO's 12 Recommended Steps To Take Now
GDPR Guide: The ICO's 12 Recommended Steps To Take NowHackerOne
 
Why Executives Underinvest In Cybersecurity
Why Executives Underinvest In CybersecurityWhy Executives Underinvest In Cybersecurity
Why Executives Underinvest In CybersecurityHackerOne
 
Bug Bounties and The Path to Secure Software by 451 Research
Bug Bounties and The Path to Secure Software by 451 ResearchBug Bounties and The Path to Secure Software by 451 Research
Bug Bounties and The Path to Secure Software by 451 ResearchHackerOne
 
Bug Bounty Basics
Bug Bounty BasicsBug Bounty Basics
Bug Bounty BasicsHackerOne
 
An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc...
An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc...An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc...
An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc...HackerOne
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...HackerOne
 
HackerOne Presents in China - COO Ning Wang
HackerOne Presents in China - COO Ning WangHackerOne Presents in China - COO Ning Wang
HackerOne Presents in China - COO Ning WangHackerOne
 
Tapping Hackers for Continuous Security: That's Hacker-Powered Security
Tapping Hackers for Continuous Security: That's Hacker-Powered SecurityTapping Hackers for Continuous Security: That's Hacker-Powered Security
Tapping Hackers for Continuous Security: That's Hacker-Powered SecurityHackerOne
 
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...HackerOne
 
Meet the hackers powering the world's best bug bounty programs
Meet the hackers powering the world's best bug bounty programsMeet the hackers powering the world's best bug bounty programs
Meet the hackers powering the world's best bug bounty programsHackerOne
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 

Weitere ähnliche Inhalte

Mehr von HackerOne

OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne
 
9 Top Bug Bounty Programs
9 Top Bug Bounty Programs9 Top Bug Bounty Programs
9 Top Bug Bounty ProgramsHackerOne
 
Voices of Vulnerability Disclosure Policy
Voices of Vulnerability Disclosure PolicyVoices of Vulnerability Disclosure Policy
Voices of Vulnerability Disclosure PolicyHackerOne
 
GDPR Guide: The ICO's 12 Recommended Steps To Take Now
GDPR Guide: The ICO's 12 Recommended Steps To Take NowGDPR Guide: The ICO's 12 Recommended Steps To Take Now
GDPR Guide: The ICO's 12 Recommended Steps To Take NowHackerOne
 
Why Executives Underinvest In Cybersecurity
Why Executives Underinvest In CybersecurityWhy Executives Underinvest In Cybersecurity
Why Executives Underinvest In CybersecurityHackerOne
 
Bug Bounties and The Path to Secure Software by 451 Research
Bug Bounties and The Path to Secure Software by 451 ResearchBug Bounties and The Path to Secure Software by 451 Research
Bug Bounties and The Path to Secure Software by 451 ResearchHackerOne
 
Bug Bounty Basics
Bug Bounty BasicsBug Bounty Basics
Bug Bounty BasicsHackerOne
 
An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc...
An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc...An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc...
An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc...HackerOne
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...HackerOne
 
HackerOne Presents in China - COO Ning Wang
HackerOne Presents in China - COO Ning WangHackerOne Presents in China - COO Ning Wang
HackerOne Presents in China - COO Ning WangHackerOne
 
Tapping Hackers for Continuous Security: That's Hacker-Powered Security
Tapping Hackers for Continuous Security: That's Hacker-Powered SecurityTapping Hackers for Continuous Security: That's Hacker-Powered Security
Tapping Hackers for Continuous Security: That's Hacker-Powered SecurityHackerOne
 
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...HackerOne
 
Meet the hackers powering the world's best bug bounty programs
Meet the hackers powering the world's best bug bounty programsMeet the hackers powering the world's best bug bounty programs
Meet the hackers powering the world's best bug bounty programsHackerOne
 

Mehr von HackerOne (13)

OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
 
9 Top Bug Bounty Programs
9 Top Bug Bounty Programs9 Top Bug Bounty Programs
9 Top Bug Bounty Programs
 
Voices of Vulnerability Disclosure Policy
Voices of Vulnerability Disclosure PolicyVoices of Vulnerability Disclosure Policy
Voices of Vulnerability Disclosure Policy
 
GDPR Guide: The ICO's 12 Recommended Steps To Take Now
GDPR Guide: The ICO's 12 Recommended Steps To Take NowGDPR Guide: The ICO's 12 Recommended Steps To Take Now
GDPR Guide: The ICO's 12 Recommended Steps To Take Now
 
Why Executives Underinvest In Cybersecurity
Why Executives Underinvest In CybersecurityWhy Executives Underinvest In Cybersecurity
Why Executives Underinvest In Cybersecurity
 
Bug Bounties and The Path to Secure Software by 451 Research
Bug Bounties and The Path to Secure Software by 451 ResearchBug Bounties and The Path to Secure Software by 451 Research
Bug Bounties and The Path to Secure Software by 451 Research
 
Bug Bounty Basics
Bug Bounty BasicsBug Bounty Basics
Bug Bounty Basics
 
An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc...
An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc...An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc...
An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc...
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...
 
HackerOne Presents in China - COO Ning Wang
HackerOne Presents in China - COO Ning WangHackerOne Presents in China - COO Ning Wang
HackerOne Presents in China - COO Ning Wang
 
Tapping Hackers for Continuous Security: That's Hacker-Powered Security
Tapping Hackers for Continuous Security: That's Hacker-Powered SecurityTapping Hackers for Continuous Security: That's Hacker-Powered Security
Tapping Hackers for Continuous Security: That's Hacker-Powered Security
 
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
 
Meet the hackers powering the world's best bug bounty programs
Meet the hackers powering the world's best bug bounty programsMeet the hackers powering the world's best bug bounty programs
Meet the hackers powering the world's best bug bounty programs
 

Kürzlich hochgeladen

Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 

Kürzlich hochgeladen (20)

Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 

Hacker Herding with Sky Betting & Gaming's Dan Adams

  • 1. TEN LESSONS LEARNED FROM LAUNCHING A BUG BOUNTY PROGRAMME HACKER HERDING BY: DAN ADAMS, WEB APPLICATION SECURITY SPECIALIST
  • 3. TIP #1: CLARITY OF VISION People want to get involved in bug bounty programmes, but they need very clear guidance on the programme’s scope, reward structure, eligibility requirements, and agreed disclosure process. It is essential to clearly define these in order to prevent any expectation gaps from forming.
  • 5. TIP #2: TIME BOX TRIAGE It is unlikely that managing a bug bounty programme is going to be your sole responsibility in an organisation. It’s essential therefore in order to keep to pre-agreed SLAs (and deliver on those hacker expectations) to clearly delineate and set aside time dedicated to triaging and progressing vulnerability reports.
  • 6. TIP #3: TAXONOMY FOR FUN AND PROFIT
  • 7. TIP #3: TAXONOMY FOR FUN AND PROFIT Very soon you are going to be wanting to provide reports to management on how the bounty programme is progressing. Scrabbling to piece this information together manually is going to rob you of time and become a real ongoing burden. Its much better to spend the time up-front, carefully logging and recording each and every vulnerability and its attributes - what’s its CVSS score? What’s its CVE/CWE category? What system does it impact? Who is the system owner? When was it reported and when was it triaged and closed? Record absolutely everything, and then providing any custom report you want is a breeze. You’ll thank me later. START YOUR FREE BUG BOUNTY PROGRAM ON HACKERONE ANALYTICS AND CUSTOM REPORTS ARE BUILT IN TO THE HACKERONE PLATFORM. CHECK IT OUT FOR YOURSELF
  • 8. TIP #4: KNOW YOUR BOTTLENECKS
  • 9. TIP #4: KNOW YOUR BOTTLENECKS Running a bug bounty programme isn’t just about getting people to report bugs. In fact that’s not even a very significant part of a bug bounty programme. The vast majority of your time is going to be spent verifying, triaging and onward-reporting bugs for remediation, and answering queries from current and prospective hackers. The vast majority of a bug report’s lifecycle is going to be spent with it (from the hacker’s perspective) not progressing, and a hacker sat drumming his fingers waiting for a response and resolution. Hours can feel like days to the reporting hacker if he’s waiting on confirmation that his bug has been received or fixed. You’re going to need a slick bug triaging system agreed and in place, and a good downstream workflow and commitment from tech teams to fix vulnerabilities fast. Find out where your organisation’s bottlenecks are and try and get focus on these areas. (Fixing bugs fast also prevents dupe reports and hacker frustration).
  • 10. FIND OUT WHERE YOUR ORGANISATION’S BOTTLENECKS ARE AND TRY AND GET FOCUS ON THESE AREAS. (FIXING BUGS FAST ALSO PREVENTS DUPE REPORTS AND HACKER FRUSTRATION). DAN ADAMS
  • 11. TIP #5: START SMALL, START SLICK
  • 12. TIP #5: START SMALL, START SLICK Its easy to get tempted into starting a large public bounty programme, but I would strongly advise you to start small and scale slow - try testing the waters with an internal/private bug bounty programme, or a fixed PoC/pilot with a set bounty pot and a small number of hand-picked hackers. It’s also vital to have a dedicated budget agreed and put aside, with the ability to quickly clear funds. Since no pot of money is infinite, it’s important also to limit your exposure somehow and maintain control over likely expenditure. It may be a good idea, at least initially, to run for a defined trial period, or structure your programme around bursts, sprints or “seasons” so that you have an on-season and an off-season for bug hunting, giving you time in between to clear down vulnerability backlogs and get ready for the next onslaught. READ OUR FREE REPORT ON HOW TO SUCCEED WITH YOUR BUG BOUNTY PROGRAM
  • 13. TIP #6: KEEP YOUR HACKERS HAPPY
  • 14. TIP #6: KEEP YOUR HACKERS HAPPY Your hackers are an amazing resource. And they’re all people, each of whom have slightly different motivations, methods of engagement, bug reporting style and expectations. If you run a bug bounty programme, you’re going to swiftly recognise that its not about bug management, its about people management. The launch of a bug bounty is an amazing way of engaging with other teams throughout your organisation on a positive basis and building a security-focused community. No longer are you a cost centre or the team that likes to say “no”, suddenly you’re the source of bountiful rewards! This can be a real boon that you can build upon.
  • 16. TIP #7: ONE TOUCH Templates. Just templates. You’re going to need to manage large volumes of tickets and find yourself making the same statements over and over. Save your sanity and as soon as the trends become clear write a few, high quality boilerplate responses for different scenarios. Run them past your teammates, hone them, and use them.
  • 18. TIP #8: MANAGEMENT LIVES MATTER TOO Its easy to get swept up in the enthusiasm of operating a bug bounty programme but there may be a long list of people that you need to get support from for buy-in both at launch and on an ongoing basis. Are senior management happy at the increased risk profile of operating a bug bounty programme? What about your external comms team? Legal teams? How about your product owners? Do your network team know why they’re seeing a sudden uplift in XSS probes on the web application firewall? Have you made your compliance teams aware? You’re going to want to engage various teams early as possible, and feed back with the wonderful metrics you’re gathering (see Tip 3) regularly.
  • 20. TIP #9: PARTNER UP Stick to what you’re good at and don’t try and do everything yourself. Dedicated bug bounty management platforms such as HackerOne (www.hackerone.com) can prove invaluable. They’re not free but they offer solid tooling as well as guidance on programme operation and services such as mediation of any challenges or disagreements with hackers.
  • 21. DEDICATED BUG BOUNTY MANAGEMENT PLATFORMS SUCH AS HACKERONE CAN PROVE INVALUABLE. DAN ADAMS
  • 23. TIP #10: ROOT CAUSE ANALYSIS Once you’ve been running your bug programme for a while and gathered lots of lovely data (see Tip 3) you’ll get definite bonus points for going to the next step and instead of just fixing vulnerabilities starting to ask why do we have these vulnerabilities? Analysis of a single ticket in isolation isn’t particularly meaningful but analysis across your entire data set may well show up common causes or vulnerability types, which you can examine for root causes - behaviours of processes in your organisation that are leading to the creation of vulnerabilities. Sort these and you can prevent vulnerabilities being introduced in the first place, which is surely the ultimate goal. Even if it means your top hackers may not get the last few hundred dollars they need for that new boat they’ve had their eye on.
  • 24. TOGETHER WE HIT HARDER See the original article at: http://engineering.skybettingandgaming.com/ 2016/11/18/herding-hackers/ Thanks to Dan Adams and Sky Betting & Gaming for allowing us to share this great content!