SlideShare ist ein Scribd-Unternehmen logo

LKNOG3 - Bug Bounty

Als PPTX, PDF herunterladen
LKNOG
LKNOG

A document discusses bug bounty programs and security research. It defines bug bounty programs as initiatives that reward individuals for discovering and ethically reporting software flaws. It discusses the history of bug bounties dating back to the 1980s. It also outlines why bug bounty programs are important for finding vulnerabilities before malicious hackers, and describes common vulnerabilities, critical vulnerabilities, and how to start a bug bounty program.

Internet
1 von 38
| Pasan Rawana Lamahewa
| Pasan Rawana Lamahewa
ILLUSIVE MINDS ARE AT WORK Your home, business and Organizations are at risk PROTECT YOUR SELF TODAY |Pasan Rawana Lamahewa
| Pasan Rawana Lamahewa Lets get Friendly First I am not a hacker I am a Bug Bounty Hunter I break security not Heart 💘 PASAN RAWANA LAMAHEWA  Civil Aviation Pilot Trainee  Undergrad in Cyber Security  Undergrad in Biz Management  Undergrad in IATA  Cyber Security Researcher  Lyricist Security Researcher with a FACE
TOPIC S  Understanding Bug Bounty  Bug Bounty Programs  Why Bug Bounty Programs Important in todays’ Context  Bug Bounty Platforms  Bug Bounty Hunter  Type of Hackers  How to Start a Bug Bounty Program  Forums of Incident Response and Security Teams  Crowdsource platforms  Rewards  My experience as a Security Researcher  Things to Consider  Useful Links  Questions | Pasan Rawana Lamahewa
What is Bug Bounty Bounty and bounty hunting dates back to many centuries and synonymous with England and USA | Pasan Rawana Lamahewa Bug Bounty Hunting
| Pasan Rawana Lamahewa  The IT Teams at many organizations don’t have enough time or they lack in skills to think “beyond the routine” in order to identify and squash bugs in their systems.  So organizations ‘reach out to private individuals for help’. This is called a Bug Bounty Program.  The Bug Bounty Hunter uses his tools to break into systems, write up a vulnerability report to the organization who issued the bounty and then get paid or rewarded.
A simple DEFINITION Bug Bounty Program Bug Bounty Program (BBP) or Vulnerability Reward Program (VRP) could be simply defined as an organizational initiative that rewards & recognize individual who discover flaws/loopholes in software/systems/web and ACTING ETHICALLY to report them to the organization. In other words BBP/VRP is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and rewards. | Pasan Rawana Lamahewa
| Pasan Rawana Lamahewa Source: https://blog.cobalt.io/the-history-of-bug-bounty-programs-50def4dcaab3 HISTORY
WHY BUG BOUNTY PROGRAM Bug bounty program is not Fighting the Fire with Fire, but prevention of fire! It takes a White Hacker to think before a bad guy creeps in. Remember the story of Frank Abagnale, the most talented fraudster in history, who ended up helping FBI. The winning formula for any organization is to recognize cyber security researcher who helped discover vulnerabilities. This is what a bug bounty program is about: Ethical hackers help businesses detect vulnerabilities/loopholes before the bad guys creep in. In other words: Getting Ahead. This is all about Bug Bounty Program. | Pasan Rawana Lamahewa
Hacking takes place in Vicious Minds & Divine Minds • Divine Minds White Hackers Black Hackers Gray Hackers | Pasan Rawana Lamahewa
As organizations implements latest with technology, so the destructive minds are getting more and more sophisticated | Pasan Rawana Lamahewa Organizations and their IT professionals are aware of this impending danger, but many believe they are satisfactorily protected, they can swiftly restore or that their organizations are too small to be observed by vicious minds.
Why Bug Bounty Program Bugs exist in any software or system, and that is a fact. Cybercrimes are committed using a computer or computer technology or smart phone as primary tool. Types of Criminals • Social Engineer - manipulates human minds • Phisher - information / password theft • Hacker - blocking systems • Disgruntle Employee - information theft / blocking systems • Ransom Artist - spread malware /demand ransom | Pasan Rawana Lamahewa
Common Vulnerabilities SQL Injection flaws. Cross Site Scripting - XSS Broken Authentication. Insecure Direct Object References. Cross Site Request Forgery. - CSRF Security Misconfiguration. Insecure Cryptographic Storage. Sensitive data Exposure Failure to restrict URL Access. Missing function Level Access Control Using Components with known vulnerabilities Invalidated redirects and forwards | Pasan Rawana Lamahewa
Critical Vulnerabilities Source & Information Credit to: 2019 edescan vulnerability Stats report: Eoin & The Security | Pasan Rawana Lamahewa
| Pasan Rawana Lamahewa WHY BUG BOUNTY PROGRAMS ARE IMPORTANT Bug bounties are an important tool that helps finding potential vulnerabilities or flaws But this has been often misunderstood. That was why the nature and the purpose of bug bounty schemes are openly discussed in a U.S. Senate hearing Security Researchers thinks differently and we the White Hat Hackers must think beyond the box, think beyond a “hacker’s thinking pattern” and “act ethically & responsibly”
How to Start a Bug Bounty Program  Evaluate your Organization, its Systems and IT / Security Team  Decide on a Bug Bounty / Reward System  Decide on a Flatform / Direct approach to Security Researcher  Prepare a draft Vulnerability Disclosure Policy  The Rules of Engagement - define the Scope of Bug Bounty Program  Decide on unquestionable clarity about the authorized conduct of the Security Researcher and decide what proof need to confirm a vulnerability and how both ethical hacker and organization share the findings.  Discuss with your Team, Senior Management and agree  Document > Validate> Authorization>Public Knowledge/Web | Pasan Rawana Lamahewa VERY IMPORTANT  Select your point person very carefully  Provide the contact details of your point person, he must be responsive and tech savvy  Provide the clear instructions about the program, along with the specifications of the overall surface which may be IP Address, Domain name, type of test and type of reports etc. and emphasis on any exclusions
BUG BOUNTY PROGRAM - LIFECYCLE Invite Security Researchers / Flatforms to test and find flaws ORGANIZATIONS Research PenTest/ SECURITY RESEARCHERS Vulnerabilities Found Not Found REPORT IT / Security Teams Validate the Issue Valid issues are REWARDED
Consider Bug Bounties Carefully bug bounty programs are all about creating a culture of openness, transparency, responsibility and above all the thrust. Even if an organization doesn't offer bug bounties, it is pertinent to establish a “vulnerability disclosure policy” or ethical disclosure policy: A legal statement stating that an organization will not prosecute ethical hackers who detect vulnerabilities in systems / webs and report them ethically . • Since a bounty program is about trust and transparency, an organization ethically be open about how it will pay, reward or recognize for vulnerability detection. | Pasan Rawana Lamahewa
Hand Pic your Goose for Golden Egg  Register in Good Flatforms  Research for Security Researchers  Conversation  Be Sure and mindful of side effects  Vulnerability Discloser Agreements  Connect and implement | Pasan Rawana Lamahewa SECLECT YOUR SECURITY RESEARCHER OR FLATFORM and/or MAKE YOUR BUG BOUNTY PROGRM OPEN TO PUBLIC
The Testimonies  Marten Mickos, CEO of bug bounty platform HackerOne, said we need Hackers. “Our goal must be an internet that enables privacy and protects consumers. This is not achievable without ethical hackers taking an active role in safeguarding our collective security.“ “Ethical Hackers are truly the immune system of the internet," he added.  Justin Brookman, director of the Privacy and Technology Policy Consumers Union, said during the Senate hearing. "Used properly, bug bounty programs enable companies to learn of breaches and vulnerabilities, in service to the larger goals of protecting consumer data and alerting consumers to threats as warranted and/or required by law.“ Google operates one of the largest bug bounty programs. Bug bounties are an important tool that helps finding potential vulnerabilities or flaws But this has been often misunderstood. That was why the nature and the purpose of bug bounty schemes are openly discussed in a U.S. Senate hearing | Pasan Rawana Lamahewa
SOME HISTORY | Pasan Rawana Lamahewa Source WIKIPEDIA  Hunter & Ready initiated the first known bug bounty program in 1983 for their Versatile Real -Time Executive operating system. • Anyone who found and reported a bug would receive a Volkswagen Beetle (a.k.a. Bug) in return.  In 1995, Jarrett Ridlinghafer, a technical support engineer at Netscape Communication Corporation given the phrase 'Bugs Bounty’. • Ridlinghafer presented a proposal for the 'Netscape Bugs Bounty Program’, at the Netscape Executive Team, everyone except the VP of Engineering did not agree thinking it to be a waste of time and resources. • However, Ridlinghafer was given an initial $50 budget to run with the proposal and the first official 'Bug Bounty' program was launched in 1995. • The program was such a huge success, it's mentioned in many of the books detailing Netscape's successes.
| Pasan Rawana Lamahewa  In 2011, Dutch hackers Jobert Abma and Michiel Prins found security flaws in 100’s of prominent high-tech companies, some of them are Facebook, Google, Apple, Microsoft, and Twitter.  While many firms ignored their disclosure attempts, the COO of Facebook, Sheryl Sandberg, gave the warning to their head of product security, Alex Rice. Alex Rice, connected with Abma and Prins. They founded HackerOne, a crowed sourcing platform.  In November 2013, the company hosted a program encouraging the discovery and responsible disclosure of software bugs funded by Microsoft and Facebook. By June 2015, HackerOne's had identified approximately 10,000 vulnerabilities and paid researchers over $1 million in bounties. In April the company announced 240% year-over-year customer growth in
Katie Moussouris had created the bug bounty program at Microsoft and was directly involved in creating the U.S. Department of Defense's first bug bounty program for hackers HackerOne is a vulnerability coordination and bug bounty platform that connects businesses with penetration testers and cyber security researchers. This is one of the first companies, along with Synack andBugCrowd, to utilize crowd-sourced security and cybersecurity researchers as linchpins of its business model; it is the largest cybersecurity firm of its kind. As of July 2018, HackerOne’s network consisted of approximately 200,000 researchers and had resolved 72,000 vulnarabilities across over 1,000 customer programs and HackerOne had paid $31 Million in bounties | Pasan Rawana Lamahewa
• Facebook operates a large bug bounty program • HackerOne, which provides managed bug bounty programs for organizations, found that in 2017 the average bug bounty for a critical vulnerability was $1,923, although payment varies across different industry categories. • Bugcrowd also provides a managed bug bounty platform and has its own set of data on vulnerability payouts. Bugcrowd's 2017 State of the Bug Bounty report found that the average bug across all categories was $451. | Pasan Rawana Lamahewa
REWARDS In year 2018 HackerOne paid $11Millions in Bounties | Pasan Rawana Lamahewa
| Pasan Rawana Lamahewa
| Pasan Rawana Lamahewa
| Pasan Rawana Lamahewa
| Pasan Rawana Lamahewa 10: Even More Facebook Data Exposure When: April 2018 The payout: $8,000 The bug: Data exposure by third-party app. 9: Google Administrative Authentication Bypass When: February 2018 The payout: $13,337 The bug: Broken authentication for YouTube TV’s admin panel. 8:Shopify Open to Takeovers When: December 2017-February 2018 The payout: $15,250 Free Games from Valve When: November 2018 The payout: $20,000 The bug: An API exploit allowing generation of game activation keys. 7.Google’s RCE Flaw When: May 2018 The payout: $36,337 The bug: A remote code execution flaw in Google’s deployment environment. 6. Facebook’s Largest Ever Bug Bounty When: Undisclosed; part of bounty program launched in April. The payout: $50,000 The bug: A privacy/monitoring vulnerability. 5: Facebook’s Largest Ever Bug Bounty When: Undisclosed; part of bounty program launched in April. The payout: $50,000 The bug: A privacy/monitoring vulnerability. Facebook published a review of its bug bounty program in 2018. As well as payouts for over 700 reported issues, 2018 has also the largest ever bounty payout from Facebook of $50,000.
| Pasan Rawana Lamahewa 4.New Variants of Spectre When: July 2018 The payout: $100,000 The bug: New subvariants of the Spectre processor vulnerability. 3 Two Google Pixel Bugs When: August 2017-January 2018 The payout: $112,500 The bug: A pair of bugs creating a code injection vulnerability in Google’s Pixel smartphone. 2. Hack the Marines and Hack the Air Force When: October-November 2018 The payout: $150,000 from the Marines; $130,000 from the Air Force The bug: Hundreds of security vulnerabilities. 1. Oath’s Days of Bounties When: April and November 2018 The payout: Over $400,000 - twice The bug: Hundreds of bugs across two hacking events. Perhaps HackerOne’s biggest success story this year came at the H1-415 event in San Francisco. Oath Inc., a media company which owns brands like Yahoo!, AOL and Tumblr, invited 40 security researchers from HackerOne to a live hacking event. Over the course of the day, hundreds of bugs were discovered, netting a total bounty for the event of over $400,000. Read more at: https://www.immuniweb.com/blog/top-ten-bug-bounty-payouts-of-2018.html
| Pasan Rawana Lamahewa DOs  Earlier the better  Be the user first  Understand the logic to break it  Think beyond mind set of Black or Gray Hacker  Have custom methods/payloads  Not just XSS, CSRF, IDOR, SQL  Act Ethically and Report  Be professional Approach for happy hunting DON’Ts × XSS, Cntrl C, Cntrl V everywhere × Easy way is not the right way × Half filled submissions & reports × Unethical / irresponsible behavior × Unethical disclosure × Unethical reporting × Selfishness × Abusing info /data accessed × Don’t do BEG HUNTING / Never beg for rewards
MOTIVATORS FOR A SECURITY RESEARCHER Motivator #1 Set Self Target Motivator #2 Recognition Motivator #3 Money Motivator #4 Self Satisfaction – “I am not a Common Hacker wearing a Black Hat” “I keep on Collecting and Counting my White Hats” | Pasan Rawana Lamahewa
My Experience Types of Organizations 1. The Genius - take ethical reports very seriously, rewards, recognizes and partner with the security researcher. 2. The Bulletproof – Never recognize or acknowledge and think they are Immortals. 3. Mr. Know it All– oops, we knew this before you and planning to fix 4. The Blind & Deaf – Never response 5. The Neutrals – a bug?, bug bounty program ?! News to us, anyway thank you, we’ll look into this. | Pasan Rawana Lamahewa
My Experience The “Fixed Line Telecommunication Company” in a South Asian Country | Pasan Rawana Lamahewa I reported a serious flaw in their system, which can certainly expose subscribers sensitive information and many more, if found by a bad guy. It has now passed 8 months since my responsible responsible reporting of this vulnerability to their IT Team, no action has been initiated to de-bug it to-date This is a good example for organizations and its IT Professionals are thinking that they are “Bullet Proof” / or acts “Mr. Know it All”. Rather they are liabilities to their customers and to the society.
Useful Links https://www.hackerone.com https://www.bugcrowd.com https://www.openbugbounty.org | Pasan Rawana Lamahewa HackerOne Bugcrowd Vulnerability Lab Fire Bounty
Please feel free to contact me | Pasan Rawana Lamahewa pasanrlamahewa@gmail.com 🐦 https://twitter.com/Pasan_Rav
Happy to be with you all and gain knowledge in my pursue of Cyber Security Ethical Research | Pasan Rawana Lamahewa

Empfohlen

Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0
Dinesh O Bareja
 
Bug Bounty Secrets
Bug Bounty Secrets Bug Bounty Secrets
Bug Bounty Secrets
n|u - The Open Security Community
 
5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program
bugcrowd
 
Bug bounty hunting
Bug bounty huntingBug bounty hunting
Bug bounty hunting
redteamacademypromo
 
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
HackerOne
 
Bug Bounty
Bug BountyBug Bounty
Bug Bounty
Hariprasad KA
 
Bug Bounty - Hackers Job
Bug Bounty - Hackers JobBug Bounty - Hackers Job
Bug Bounty - Hackers Job
Arbin Godar
 
Bug Bounty 101
Bug Bounty 101Bug Bounty 101
Bug Bounty 101
Shahee Mirza
 

Empfohlen

Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0
Dinesh O Bareja
 
Bug Bounty Secrets
Bug Bounty Secrets Bug Bounty Secrets
Bug Bounty Secrets
n|u - The Open Security Community
 
5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program
bugcrowd
 
Bug bounty hunting
Bug bounty huntingBug bounty hunting
Bug bounty hunting
redteamacademypromo
 
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
HackerOne
 
Bug Bounty
Bug BountyBug Bounty
Bug Bounty
Hariprasad KA
 
Bug Bounty - Hackers Job
Bug Bounty - Hackers JobBug Bounty - Hackers Job
Bug Bounty - Hackers Job
Arbin Godar
 
Bug Bounty 101
Bug Bounty 101Bug Bounty 101
Bug Bounty 101
Shahee Mirza
 
7 Bug Bounty Myths, BUSTED
7 Bug Bounty Myths, BUSTED7 Bug Bounty Myths, BUSTED
7 Bug Bounty Myths, BUSTED
bugcrowd
 
Bug bounty
Bug bountyBug bounty
Bug bounty
n|u - The Open Security Community
 
[Webinar] The Art & Value of Bug Bounty Programs
[Webinar] The Art & Value of Bug Bounty Programs[Webinar] The Art & Value of Bug Bounty Programs
[Webinar] The Art & Value of Bug Bounty Programs
bugcrowd
 
Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attacker
bugcrowd
 
Bug bounty
Bug bountyBug bounty
Bug bounty
Ramin Farajpour Cami
 
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...
HackerOne
 
Understanding Information Security Assessment Types
Understanding Information Security Assessment TypesUnderstanding Information Security Assessment Types
Understanding Information Security Assessment Types
HackerOne
 
Hijacking Softwares for fun and profit
Hijacking Softwares for fun and profitHijacking Softwares for fun and profit
Hijacking Softwares for fun and profit
Nipun Jaswal
 
Yet another talk on bug bounty
Yet another talk on bug bountyYet another talk on bug bounty
Yet another talk on bug bounty
vinoth kumar
 
What Is Spyware?
What Is Spyware?What Is Spyware?
What Is Spyware?
Lookout
 
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdBeyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Nipun Jaswal
 
Ground Zero Training- Metasploit For Web
Ground Zero Training- Metasploit For WebGround Zero Training- Metasploit For Web
Ground Zero Training- Metasploit For Web
Nipun Jaswal
 
It's not about you: Mobile security in 2016
It's not about you: Mobile security in 2016It's not about you: Mobile security in 2016
It's not about you: Mobile security in 2016
NowSecure
 
Preparing for the inevitable: The mobile incident response playbook
Preparing for the inevitable: The mobile incident response playbookPreparing for the inevitable: The mobile incident response playbook
Preparing for the inevitable: The mobile incident response playbook
NowSecure
 
Rafeeq Rehman - Breaking the Phishing Attack Chain
Rafeeq Rehman - Breaking the Phishing Attack ChainRafeeq Rehman - Breaking the Phishing Attack Chain
Rafeeq Rehman - Breaking the Phishing Attack Chain
centralohioissa
 
Basics of Meterpreter Evasion
Basics of Meterpreter EvasionBasics of Meterpreter Evasion
Basics of Meterpreter Evasion
Nipun Jaswal
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
Sherif Koussa
 
Spyware
SpywareSpyware
Spyware
Farheen Naaz
 
Web Application Security And Getting Into Bug Bounties
Web Application Security And Getting Into Bug BountiesWeb Application Security And Getting Into Bug Bounties
Web Application Security And Getting Into Bug Bounties
kunwaratul hax0r
 
Spyware
SpywareSpyware
Spyware
Babur Rahmadi
 
I’ve Been Hacked  The Essential Steps to Take Next
I’ve Been Hacked  The Essential Steps to Take NextI’ve Been Hacked  The Essential Steps to Take Next
I’ve Been Hacked  The Essential Steps to Take Next
Brian Pichman
 
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
Mark Villinski - Top 10 Tips for Educating Employees about CybersecurityMark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
centralohioissa
 

Weitere ähnliche Inhalte

Was ist angesagt?

7 Bug Bounty Myths, BUSTED
7 Bug Bounty Myths, BUSTED7 Bug Bounty Myths, BUSTED
7 Bug Bounty Myths, BUSTED
bugcrowd
 
Understanding Information Security Assessment Types
Understanding Information Security Assessment TypesUnderstanding Information Security Assessment Types
Understanding Information Security Assessment Types
HackerOne
 
Rafeeq Rehman - Breaking the Phishing Attack Chain
Rafeeq Rehman - Breaking the Phishing Attack ChainRafeeq Rehman - Breaking the Phishing Attack Chain
Rafeeq Rehman - Breaking the Phishing Attack Chain
centralohioissa
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
Sherif Koussa
 

Was ist angesagt? (20)

7 Bug Bounty Myths, BUSTED
7 Bug Bounty Myths, BUSTED7 Bug Bounty Myths, BUSTED
7 Bug Bounty Myths, BUSTED
 
Bug bounty
Bug bountyBug bounty
Bug bounty
 
[Webinar] The Art & Value of Bug Bounty Programs
[Webinar] The Art & Value of Bug Bounty Programs[Webinar] The Art & Value of Bug Bounty Programs
[Webinar] The Art & Value of Bug Bounty Programs
 
Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attacker
 
Bug bounty
Bug bountyBug bounty
Bug bounty
 
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...
 
Understanding Information Security Assessment Types
Understanding Information Security Assessment TypesUnderstanding Information Security Assessment Types
Understanding Information Security Assessment Types
 
Hijacking Softwares for fun and profit
Hijacking Softwares for fun and profitHijacking Softwares for fun and profit
Hijacking Softwares for fun and profit
 
Yet another talk on bug bounty
Yet another talk on bug bountyYet another talk on bug bounty
Yet another talk on bug bounty
 
What Is Spyware?
What Is Spyware?What Is Spyware?
What Is Spyware?
 
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdBeyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
 
Ground Zero Training- Metasploit For Web
Ground Zero Training- Metasploit For WebGround Zero Training- Metasploit For Web
Ground Zero Training- Metasploit For Web
 
It's not about you: Mobile security in 2016
It's not about you: Mobile security in 2016It's not about you: Mobile security in 2016
It's not about you: Mobile security in 2016
 
Preparing for the inevitable: The mobile incident response playbook
Preparing for the inevitable: The mobile incident response playbookPreparing for the inevitable: The mobile incident response playbook
Preparing for the inevitable: The mobile incident response playbook
 
Rafeeq Rehman - Breaking the Phishing Attack Chain
Rafeeq Rehman - Breaking the Phishing Attack ChainRafeeq Rehman - Breaking the Phishing Attack Chain
Rafeeq Rehman - Breaking the Phishing Attack Chain
 
Basics of Meterpreter Evasion
Basics of Meterpreter EvasionBasics of Meterpreter Evasion
Basics of Meterpreter Evasion
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
 
Spyware
SpywareSpyware
Spyware
 
Web Application Security And Getting Into Bug Bounties
Web Application Security And Getting Into Bug BountiesWeb Application Security And Getting Into Bug Bounties
Web Application Security And Getting Into Bug Bounties
 
Spyware
SpywareSpyware
Spyware
 

Ähnlich wie LKNOG3 - Bug Bounty

Copy of The Ongoing Threat of Ransomware on Small to Medium-Si
Copy of The Ongoing Threat of Ransomware on Small to Medium-SiCopy of The Ongoing Threat of Ransomware on Small to Medium-Si
Copy of The Ongoing Threat of Ransomware on Small to Medium-Si
AlleneMcclendon878
 
Tech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapTech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event Recap
Dominic Vogel
 
Maturing Endpoint Security: 5 Key Considerations
Maturing Endpoint Security: 5 Key ConsiderationsMaturing Endpoint Security: 5 Key Considerations
Maturing Endpoint Security: 5 Key Considerations
Sirius
 
Declaration of Mal(WAR)e
Declaration of Mal(WAR)eDeclaration of Mal(WAR)e
Declaration of Mal(WAR)e
NetSPI
 

Ähnlich wie LKNOG3 - Bug Bounty (20)

I’ve Been Hacked  The Essential Steps to Take Next
I’ve Been Hacked  The Essential Steps to Take NextI’ve Been Hacked  The Essential Steps to Take Next
I’ve Been Hacked  The Essential Steps to Take Next
 
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
Mark Villinski - Top 10 Tips for Educating Employees about CybersecurityMark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
 
Copy of The Ongoing Threat of Ransomware on Small to Medium-Si
Copy of The Ongoing Threat of Ransomware on Small to Medium-SiCopy of The Ongoing Threat of Ransomware on Small to Medium-Si
Copy of The Ongoing Threat of Ransomware on Small to Medium-Si
 
Cyberattacks on the Rise: Is Your Nonprofit Prepared?
Cyberattacks on the Rise: Is Your Nonprofit Prepared?Cyberattacks on the Rise: Is Your Nonprofit Prepared?
Cyberattacks on the Rise: Is Your Nonprofit Prepared?
 
Investigating the Universe of Moral Hacking.pdf
Investigating the Universe of Moral Hacking.pdfInvestigating the Universe of Moral Hacking.pdf
Investigating the Universe of Moral Hacking.pdf
 
COVID-19 free penetration tests by Pentest-Tools.com
COVID-19 free penetration tests by Pentest-Tools.comCOVID-19 free penetration tests by Pentest-Tools.com
COVID-19 free penetration tests by Pentest-Tools.com
 
Tech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapTech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event Recap
 
Maturing Endpoint Security: 5 Key Considerations
Maturing Endpoint Security: 5 Key ConsiderationsMaturing Endpoint Security: 5 Key Considerations
Maturing Endpoint Security: 5 Key Considerations
 
Security Minded - Ransomware Awareness
Security Minded - Ransomware AwarenessSecurity Minded - Ransomware Awareness
Security Minded - Ransomware Awareness
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfComputer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
 
2016 CYBERSECURITY PLAYBOOK
2016 CYBERSECURITY PLAYBOOK2016 CYBERSECURITY PLAYBOOK
2016 CYBERSECURITY PLAYBOOK
 
6 Ways to Deceive Cyber Attackers
6 Ways to Deceive Cyber Attackers6 Ways to Deceive Cyber Attackers
6 Ways to Deceive Cyber Attackers
 
Cyber Security for Financial Planners
Cyber Security for Financial PlannersCyber Security for Financial Planners
Cyber Security for Financial Planners
 
Declaration of Mal(WAR)e
Declaration of Mal(WAR)eDeclaration of Mal(WAR)e
Declaration of Mal(WAR)e
 
Threat Intelligence in Cyber Risk Programs
Threat Intelligence in Cyber Risk ProgramsThreat Intelligence in Cyber Risk Programs
Threat Intelligence in Cyber Risk Programs
 

Kürzlich hochgeladen

Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
tanu pandey
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
imonikaupta
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
Escorts Call Girls
 
@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶
@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶
@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
soniya singh
 
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service OnlineCALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
anilsa9823
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
soniya singh
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
Diya Sharma
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
soniya singh
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Delhi Call girls
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
ruhi
 

Kürzlich hochgeladen (20)

How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶
@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶
@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service OnlineCALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
 

LKNOG3 - Bug Bounty

  • 1. | Pasan Rawana Lamahewa
  • 2. | Pasan Rawana Lamahewa
  • 3. ILLUSIVE MINDS ARE AT WORK Your home, business and Organizations are at risk PROTECT YOUR SELF TODAY |Pasan Rawana Lamahewa
  • 4. | Pasan Rawana Lamahewa Lets get Friendly First I am not a hacker I am a Bug Bounty Hunter I break security not Heart 💘 PASAN RAWANA LAMAHEWA  Civil Aviation Pilot Trainee  Undergrad in Cyber Security  Undergrad in Biz Management  Undergrad in IATA  Cyber Security Researcher  Lyricist Security Researcher with a FACE
  • 5. TOPIC S  Understanding Bug Bounty  Bug Bounty Programs  Why Bug Bounty Programs Important in todays’ Context  Bug Bounty Platforms  Bug Bounty Hunter  Type of Hackers  How to Start a Bug Bounty Program  Forums of Incident Response and Security Teams  Crowdsource platforms  Rewards  My experience as a Security Researcher  Things to Consider  Useful Links  Questions | Pasan Rawana Lamahewa
  • 6. What is Bug Bounty Bounty and bounty hunting dates back to many centuries and synonymous with England and USA | Pasan Rawana Lamahewa Bug Bounty Hunting
  • 7. | Pasan Rawana Lamahewa  The IT Teams at many organizations don’t have enough time or they lack in skills to think “beyond the routine” in order to identify and squash bugs in their systems.  So organizations ‘reach out to private individuals for help’. This is called a Bug Bounty Program.  The Bug Bounty Hunter uses his tools to break into systems, write up a vulnerability report to the organization who issued the bounty and then get paid or rewarded.
  • 8. A simple DEFINITION Bug Bounty Program Bug Bounty Program (BBP) or Vulnerability Reward Program (VRP) could be simply defined as an organizational initiative that rewards & recognize individual who discover flaws/loopholes in software/systems/web and ACTING ETHICALLY to report them to the organization. In other words BBP/VRP is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and rewards. | Pasan Rawana Lamahewa
  • 9. | Pasan Rawana Lamahewa Source: https://blog.cobalt.io/the-history-of-bug-bounty-programs-50def4dcaab3 HISTORY
  • 10. WHY BUG BOUNTY PROGRAM Bug bounty program is not Fighting the Fire with Fire, but prevention of fire! It takes a White Hacker to think before a bad guy creeps in. Remember the story of Frank Abagnale, the most talented fraudster in history, who ended up helping FBI. The winning formula for any organization is to recognize cyber security researcher who helped discover vulnerabilities. This is what a bug bounty program is about: Ethical hackers help businesses detect vulnerabilities/loopholes before the bad guys creep in. In other words: Getting Ahead. This is all about Bug Bounty Program. | Pasan Rawana Lamahewa
  • 11. Hacking takes place in Vicious Minds & Divine Minds • Divine Minds White Hackers Black Hackers Gray Hackers | Pasan Rawana Lamahewa
  • 12. As organizations implements latest with technology, so the destructive minds are getting more and more sophisticated | Pasan Rawana Lamahewa Organizations and their IT professionals are aware of this impending danger, but many believe they are satisfactorily protected, they can swiftly restore or that their organizations are too small to be observed by vicious minds.
  • 13. Why Bug Bounty Program Bugs exist in any software or system, and that is a fact. Cybercrimes are committed using a computer or computer technology or smart phone as primary tool. Types of Criminals • Social Engineer - manipulates human minds • Phisher - information / password theft • Hacker - blocking systems • Disgruntle Employee - information theft / blocking systems • Ransom Artist - spread malware /demand ransom | Pasan Rawana Lamahewa
  • 14. Common Vulnerabilities SQL Injection flaws. Cross Site Scripting - XSS Broken Authentication. Insecure Direct Object References. Cross Site Request Forgery. - CSRF Security Misconfiguration. Insecure Cryptographic Storage. Sensitive data Exposure Failure to restrict URL Access. Missing function Level Access Control Using Components with known vulnerabilities Invalidated redirects and forwards | Pasan Rawana Lamahewa
  • 15. Critical Vulnerabilities Source & Information Credit to: 2019 edescan vulnerability Stats report: Eoin & The Security | Pasan Rawana Lamahewa
  • 16. | Pasan Rawana Lamahewa WHY BUG BOUNTY PROGRAMS ARE IMPORTANT Bug bounties are an important tool that helps finding potential vulnerabilities or flaws But this has been often misunderstood. That was why the nature and the purpose of bug bounty schemes are openly discussed in a U.S. Senate hearing Security Researchers thinks differently and we the White Hat Hackers must think beyond the box, think beyond a “hacker’s thinking pattern” and “act ethically & responsibly”
  • 17. How to Start a Bug Bounty Program  Evaluate your Organization, its Systems and IT / Security Team  Decide on a Bug Bounty / Reward System  Decide on a Flatform / Direct approach to Security Researcher  Prepare a draft Vulnerability Disclosure Policy  The Rules of Engagement - define the Scope of Bug Bounty Program  Decide on unquestionable clarity about the authorized conduct of the Security Researcher and decide what proof need to confirm a vulnerability and how both ethical hacker and organization share the findings.  Discuss with your Team, Senior Management and agree  Document > Validate> Authorization>Public Knowledge/Web | Pasan Rawana Lamahewa VERY IMPORTANT  Select your point person very carefully  Provide the contact details of your point person, he must be responsive and tech savvy  Provide the clear instructions about the program, along with the specifications of the overall surface which may be IP Address, Domain name, type of test and type of reports etc. and emphasis on any exclusions
  • 18. BUG BOUNTY PROGRAM - LIFECYCLE Invite Security Researchers / Flatforms to test and find flaws ORGANIZATIONS Research PenTest/ SECURITY RESEARCHERS Vulnerabilities Found Not Found REPORT IT / Security Teams Validate the Issue Valid issues are REWARDED
  • 19. Consider Bug Bounties Carefully bug bounty programs are all about creating a culture of openness, transparency, responsibility and above all the thrust. Even if an organization doesn't offer bug bounties, it is pertinent to establish a “vulnerability disclosure policy” or ethical disclosure policy: A legal statement stating that an organization will not prosecute ethical hackers who detect vulnerabilities in systems / webs and report them ethically . • Since a bounty program is about trust and transparency, an organization ethically be open about how it will pay, reward or recognize for vulnerability detection. | Pasan Rawana Lamahewa
  • 20. Hand Pic your Goose for Golden Egg  Register in Good Flatforms  Research for Security Researchers  Conversation  Be Sure and mindful of side effects  Vulnerability Discloser Agreements  Connect and implement | Pasan Rawana Lamahewa SECLECT YOUR SECURITY RESEARCHER OR FLATFORM and/or MAKE YOUR BUG BOUNTY PROGRM OPEN TO PUBLIC
  • 21. The Testimonies  Marten Mickos, CEO of bug bounty platform HackerOne, said we need Hackers. “Our goal must be an internet that enables privacy and protects consumers. This is not achievable without ethical hackers taking an active role in safeguarding our collective security.“ “Ethical Hackers are truly the immune system of the internet," he added.  Justin Brookman, director of the Privacy and Technology Policy Consumers Union, said during the Senate hearing. "Used properly, bug bounty programs enable companies to learn of breaches and vulnerabilities, in service to the larger goals of protecting consumer data and alerting consumers to threats as warranted and/or required by law.“ Google operates one of the largest bug bounty programs. Bug bounties are an important tool that helps finding potential vulnerabilities or flaws But this has been often misunderstood. That was why the nature and the purpose of bug bounty schemes are openly discussed in a U.S. Senate hearing | Pasan Rawana Lamahewa
  • 22. SOME HISTORY | Pasan Rawana Lamahewa Source WIKIPEDIA  Hunter & Ready initiated the first known bug bounty program in 1983 for their Versatile Real -Time Executive operating system. • Anyone who found and reported a bug would receive a Volkswagen Beetle (a.k.a. Bug) in return.  In 1995, Jarrett Ridlinghafer, a technical support engineer at Netscape Communication Corporation given the phrase 'Bugs Bounty’. • Ridlinghafer presented a proposal for the 'Netscape Bugs Bounty Program’, at the Netscape Executive Team, everyone except the VP of Engineering did not agree thinking it to be a waste of time and resources. • However, Ridlinghafer was given an initial $50 budget to run with the proposal and the first official 'Bug Bounty' program was launched in 1995. • The program was such a huge success, it's mentioned in many of the books detailing Netscape's successes.
  • 23. | Pasan Rawana Lamahewa  In 2011, Dutch hackers Jobert Abma and Michiel Prins found security flaws in 100’s of prominent high-tech companies, some of them are Facebook, Google, Apple, Microsoft, and Twitter.  While many firms ignored their disclosure attempts, the COO of Facebook, Sheryl Sandberg, gave the warning to their head of product security, Alex Rice. Alex Rice, connected with Abma and Prins. They founded HackerOne, a crowed sourcing platform.  In November 2013, the company hosted a program encouraging the discovery and responsible disclosure of software bugs funded by Microsoft and Facebook. By June 2015, HackerOne's had identified approximately 10,000 vulnerabilities and paid researchers over $1 million in bounties. In April the company announced 240% year-over-year customer growth in
  • 24. Katie Moussouris had created the bug bounty program at Microsoft and was directly involved in creating the U.S. Department of Defense's first bug bounty program for hackers HackerOne is a vulnerability coordination and bug bounty platform that connects businesses with penetration testers and cyber security researchers. This is one of the first companies, along with Synack andBugCrowd, to utilize crowd-sourced security and cybersecurity researchers as linchpins of its business model; it is the largest cybersecurity firm of its kind. As of July 2018, HackerOne’s network consisted of approximately 200,000 researchers and had resolved 72,000 vulnarabilities across over 1,000 customer programs and HackerOne had paid $31 Million in bounties | Pasan Rawana Lamahewa
  • 25. • Facebook operates a large bug bounty program • HackerOne, which provides managed bug bounty programs for organizations, found that in 2017 the average bug bounty for a critical vulnerability was $1,923, although payment varies across different industry categories. • Bugcrowd also provides a managed bug bounty platform and has its own set of data on vulnerability payouts. Bugcrowd's 2017 State of the Bug Bounty report found that the average bug across all categories was $451. | Pasan Rawana Lamahewa
  • 26. REWARDS In year 2018 HackerOne paid $11Millions in Bounties | Pasan Rawana Lamahewa
  • 27. | Pasan Rawana Lamahewa
  • 28. | Pasan Rawana Lamahewa
  • 29. | Pasan Rawana Lamahewa
  • 30. | Pasan Rawana Lamahewa 10: Even More Facebook Data Exposure When: April 2018 The payout: $8,000 The bug: Data exposure by third-party app. 9: Google Administrative Authentication Bypass When: February 2018 The payout: $13,337 The bug: Broken authentication for YouTube TV’s admin panel. 8:Shopify Open to Takeovers When: December 2017-February 2018 The payout: $15,250 Free Games from Valve When: November 2018 The payout: $20,000 The bug: An API exploit allowing generation of game activation keys. 7.Google’s RCE Flaw When: May 2018 The payout: $36,337 The bug: A remote code execution flaw in Google’s deployment environment. 6. Facebook’s Largest Ever Bug Bounty When: Undisclosed; part of bounty program launched in April. The payout: $50,000 The bug: A privacy/monitoring vulnerability. 5: Facebook’s Largest Ever Bug Bounty When: Undisclosed; part of bounty program launched in April. The payout: $50,000 The bug: A privacy/monitoring vulnerability. Facebook published a review of its bug bounty program in 2018. As well as payouts for over 700 reported issues, 2018 has also the largest ever bounty payout from Facebook of $50,000.
  • 31. | Pasan Rawana Lamahewa 4.New Variants of Spectre When: July 2018 The payout: $100,000 The bug: New subvariants of the Spectre processor vulnerability. 3 Two Google Pixel Bugs When: August 2017-January 2018 The payout: $112,500 The bug: A pair of bugs creating a code injection vulnerability in Google’s Pixel smartphone. 2. Hack the Marines and Hack the Air Force When: October-November 2018 The payout: $150,000 from the Marines; $130,000 from the Air Force The bug: Hundreds of security vulnerabilities. 1. Oath’s Days of Bounties When: April and November 2018 The payout: Over $400,000 - twice The bug: Hundreds of bugs across two hacking events. Perhaps HackerOne’s biggest success story this year came at the H1-415 event in San Francisco. Oath Inc., a media company which owns brands like Yahoo!, AOL and Tumblr, invited 40 security researchers from HackerOne to a live hacking event. Over the course of the day, hundreds of bugs were discovered, netting a total bounty for the event of over $400,000. Read more at: https://www.immuniweb.com/blog/top-ten-bug-bounty-payouts-of-2018.html
  • 32. | Pasan Rawana Lamahewa DOs  Earlier the better  Be the user first  Understand the logic to break it  Think beyond mind set of Black or Gray Hacker  Have custom methods/payloads  Not just XSS, CSRF, IDOR, SQL  Act Ethically and Report  Be professional Approach for happy hunting DON’Ts × XSS, Cntrl C, Cntrl V everywhere × Easy way is not the right way × Half filled submissions & reports × Unethical / irresponsible behavior × Unethical disclosure × Unethical reporting × Selfishness × Abusing info /data accessed × Don’t do BEG HUNTING / Never beg for rewards
  • 33. MOTIVATORS FOR A SECURITY RESEARCHER Motivator #1 Set Self Target Motivator #2 Recognition Motivator #3 Money Motivator #4 Self Satisfaction – “I am not a Common Hacker wearing a Black Hat” “I keep on Collecting and Counting my White Hats” | Pasan Rawana Lamahewa
  • 34. My Experience Types of Organizations 1. The Genius - take ethical reports very seriously, rewards, recognizes and partner with the security researcher. 2. The Bulletproof – Never recognize or acknowledge and think they are Immortals. 3. Mr. Know it All– oops, we knew this before you and planning to fix 4. The Blind & Deaf – Never response 5. The Neutrals – a bug?, bug bounty program ?! News to us, anyway thank you, we’ll look into this. | Pasan Rawana Lamahewa
  • 35. My Experience The “Fixed Line Telecommunication Company” in a South Asian Country | Pasan Rawana Lamahewa I reported a serious flaw in their system, which can certainly expose subscribers sensitive information and many more, if found by a bad guy. It has now passed 8 months since my responsible responsible reporting of this vulnerability to their IT Team, no action has been initiated to de-bug it to-date This is a good example for organizations and its IT Professionals are thinking that they are “Bullet Proof” / or acts “Mr. Know it All”. Rather they are liabilities to their customers and to the society.
  • 36. Useful Links https://www.hackerone.com https://www.bugcrowd.com https://www.openbugbounty.org | Pasan Rawana Lamahewa HackerOne Bugcrowd Vulnerability Lab Fire Bounty
  • 37. Please feel free to contact me | Pasan Rawana Lamahewa pasanrlamahewa@gmail.com 🐦 https://twitter.com/Pasan_Rav
  • 38. Happy to be with you all and gain knowledge in my pursue of Cyber Security Ethical Research | Pasan Rawana Lamahewa