A document discusses bug bounty programs and security research. It defines bug bounty programs as initiatives that reward individuals for discovering and ethically reporting software flaws. It discusses the history of bug bounties dating back to the 1980s. It also outlines why bug bounty programs are important for finding vulnerabilities before malicious hackers, and describes common vulnerabilities, critical vulnerabilities, and how to start a bug bounty program.
3. ILLUSIVE MINDS ARE AT WORK
Your home, business and organizations are at risk.
PROTECT YOURSELF TODAY
| Pasan Rawana Lamahewa
4. Let's get friendly first
I am not a hacker.
I am a Bug Bounty Hunter.
I break security, not hearts 💘
PASAN RAWANA LAMAHEWA
Civil Aviation Pilot Trainee
Undergrad in Cyber Security
Undergrad in Biz Management
Undergrad in IATA
Cyber Security Researcher
Lyricist
Security Researcher with a FACE
5. TOPICS
• Understanding Bug Bounty
• Bug Bounty Programs
• Why Bug Bounty Programs are important in today's context
• Bug Bounty Platforms
• Bug Bounty Hunter
• Types of Hackers
• How to Start a Bug Bounty Program
• Forums of Incident Response and Security Teams
• Crowdsource platforms
• Rewards
• My experience as a Security Researcher
• Things to Consider
• Useful Links
• Questions
6. What is Bug Bounty
Bounty and bounty hunting date back many centuries and are synonymous with England and the USA.
Bug Bounty Hunting
7. The IT teams at many organizations don't have enough time, or lack the skills, to think "beyond the routine" in order to identify and squash bugs in their systems. So organizations "reach out to private individuals for help". This is called a Bug Bounty Program.
The Bug Bounty Hunter uses his tools to break into systems, writes up a vulnerability report for the organization that issued the bounty, and then gets paid or rewarded.
8. A simple DEFINITION
Bug Bounty Program
A Bug Bounty Program (BBP) or Vulnerability Reward Program (VRP) can be simply defined as an organizational initiative that rewards and recognizes individuals who discover flaws/loopholes in software/systems/websites and ACT ETHICALLY by reporting them to the organization.
In other words, a BBP/VRP is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and rewards.
9. HISTORY
Source: https://blog.cobalt.io/the-history-of-bug-bounty-programs-50def4dcaab3
10. WHY BUG BOUNTY PROGRAM
A bug bounty program is not fighting fire with fire, but prevention of fire!
It takes a white hat hacker to think before a bad guy creeps in.
Remember the story of Frank Abagnale, the most talented fraudster in history, who ended up helping the FBI.
The winning formula for any organization is to recognize the cyber security researchers who helped discover vulnerabilities.
This is what a bug bounty program is about: ethical hackers help businesses detect vulnerabilities/loopholes before the bad guys creep in.
In other words: Getting Ahead. That is all a Bug Bounty Program is about.
11. Hacking takes place in Vicious Minds & Divine Minds
• Divine Minds: White Hackers
• Black Hackers
• Gray Hackers
12. As organizations implement the latest technology, the destructive minds are getting more and more sophisticated.
Organizations and their IT professionals are aware of this impending danger, but many believe that they are satisfactorily protected, that they can swiftly restore, or that their organizations are too small to be noticed by vicious minds.
13. Why Bug Bounty Program
Bugs exist in any software or system, and that is a fact.
Cybercrimes are committed using a computer, computer technology or a smartphone as the primary tool.
Types of Criminals
• Social Engineer - manipulates human minds
• Phisher - information / password theft
• Hacker - blocking systems
• Disgruntled Employee - information theft / blocking systems
• Ransom Artist - spreads malware / demands ransom
14. Common Vulnerabilities
• SQL Injection flaws
• Cross-Site Scripting (XSS)
• Broken Authentication
• Insecure Direct Object References
• Cross-Site Request Forgery (CSRF)
• Security Misconfiguration
• Insecure Cryptographic Storage
• Sensitive Data Exposure
• Failure to Restrict URL Access
• Missing Function Level Access Control
• Using Components with Known Vulnerabilities
• Unvalidated Redirects and Forwards
15. Critical Vulnerabilities
Source & information credit: 2019 Edgescan Vulnerability Stats Report: Eoin & The Security
16. WHY BUG BOUNTY PROGRAMS ARE IMPORTANT
Bug bounties are an important tool that helps find potential vulnerabilities or flaws, but this has often been misunderstood. That is why the nature and the purpose of bug bounty schemes were openly discussed in a U.S. Senate hearing.
Security researchers think differently, and we, the White Hat Hackers, must think beyond the box, think beyond a "hacker's thinking pattern", and "act ethically & responsibly".
17. How to Start a Bug Bounty Program
• Evaluate your organization, its systems and its IT / security team.
• Decide on a bug bounty / reward system.
• Decide on a platform, or on a direct approach to security researchers.
• Prepare a draft Vulnerability Disclosure Policy.
• The Rules of Engagement: define the scope of the bug bounty program.
• Decide, with unquestionable clarity, which conduct of the security researcher is authorized, what proof is needed to confirm a vulnerability, and how the ethical hacker and the organization share the findings.
• Discuss with your team and senior management, and agree.
• Document > Validate > Authorization > Public Knowledge/Web
VERY IMPORTANT
• Select your point person very carefully.
• Provide the contact details of your point person; he must be responsive and tech savvy.
• Provide clear instructions about the program, along with the specification of the overall attack surface, which may be IP addresses, domain names, type of test, type of reports etc., and emphasize any exclusions.
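The scope and exclusions above are the part of a program that triage teams check first on every incoming report. The following added example (not from the slides or any platform) is a small Python in-scope checker: the scope rules, the exclusion list and the sample targets are all constructed for illustration, and exclusions always take precedence over in-scope rules.

```python
# Added example: decide whether a reported target falls inside a bug bounty
# program's published scope. Scope entries, exclusions and targets are
# constructed placeholders (RFC 5737 / reserved example names), not real assets.
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Scope:
    domains: list = field(default_factory=list)   # "example.com", "*.example.com"
    networks: list = field(default_factory=list)  # "203.0.113.0/24"
    excluded: list = field(default_factory=list)  # same syntax; always wins


def _is_network(entry):
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def _host_matches(host, pattern):
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard covers subdomains only; the bare apex must be listed itself.
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def _matches(target, domains, networks):
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:  # not an IP literal, so treat it as a hostname
        return any(_host_matches(target, p) for p in domains)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def normalize_target(target):
    """Accept a bare host/IP or a full URL; keep only the host part."""
    return (urlsplit(target).hostname or "") if "://" in target else target.strip()


def in_scope(target, scope):
    """True only if the target matches an in-scope rule and no exclusion."""
    host = normalize_target(target)
    excl_nets = [e for e in scope.excluded if _is_network(e)]
    excl_doms = [e for e in scope.excluded if not _is_network(e)]
    if _matches(host, excl_doms, excl_nets):
        return False
    return _matches(host, scope.domains, scope.networks)


# Constructed sample program scope for the demonstration below.
SAMPLE_SCOPE = Scope(domains=["example.com", "*.example.com"],
                     networks=["203.0.113.0/24"],
                     excluded=["legacy.example.com", "203.0.113.200/29"])
```

`in_scope("https://api.example.com:8443/login", SAMPLE_SCOPE)` is accepted, while `legacy.example.com`, anything in `203.0.113.200/29`, and look-alikes such as `notexample.com` or `example.com.evil.org` are rejected.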
18. BUG BOUNTY PROGRAM - LIFECYCLE
ORGANIZATIONS invite security researchers / platforms to test and find flaws
> SECURITY RESEARCHERS research and pentest
> Vulnerabilities found / not found
> REPORT
> IT / Security Teams validate the issue
> Valid issues are REWARDED
19. Consider Bug Bounties Carefully
Bug bounty programs are all about creating a culture of openness, transparency, responsibility and, above all, trust.
Even if an organization doesn't offer bug bounties, it is pertinent to establish a "vulnerability disclosure policy" or ethical disclosure policy: a legal statement that the organization will not prosecute ethical hackers who detect vulnerabilities in its systems / websites and report them ethically.
• Since a bounty program is about trust and transparency, an organization should ethically be open about how it will pay, reward or recognize vulnerability detection.
20. Hand-pick your goose for the golden egg
• Register on good platforms
• Research security researchers
• Conversation
• Be sure and mindful of side effects
• Vulnerability Disclosure Agreements
• Connect and implement
SELECT YOUR SECURITY RESEARCHER OR PLATFORM and/or MAKE YOUR BUG BOUNTY PROGRAM OPEN TO THE PUBLIC
21. The Testimonies
Marten Mickos, CEO of bug bounty platform HackerOne, said we need hackers. "Our goal must be an internet that enables privacy and protects consumers. This is not achievable without ethical hackers taking an active role in safeguarding our collective security." "Ethical hackers are truly the immune system of the internet," he added.
Justin Brookman, director of the Privacy and Technology Policy Consumers Union, said during the Senate hearing: "Used properly, bug bounty programs enable companies to learn of breaches and vulnerabilities, in service to the larger goals of protecting consumer data and alerting consumers to threats as warranted and/or required by law."
Google operates one of the largest bug bounty programs.
22. SOME HISTORY
Source: WIKIPEDIA
Hunter & Ready initiated the first known bug bounty program in 1983 for their Versatile Real-Time Executive operating system.
• Anyone who found and reported a bug would receive a Volkswagen Beetle (a.k.a. Bug) in return.
In 1995, Jarrett Ridlinghafer, a technical support engineer at Netscape Communications Corporation, coined the phrase 'Bugs Bounty'.
• Ridlinghafer presented a proposal for the 'Netscape Bugs Bounty Program' to the Netscape executive team; everyone except the VP of Engineering disagreed, thinking it a waste of time and resources.
• However, Ridlinghafer was given an initial $50 budget to run with the proposal, and the first official 'Bug Bounty' program was launched in 1995.
• The program was such a huge success that it is mentioned in many of the books detailing Netscape's successes.
23. In 2011, Dutch hackers Jobert Abma and Michiel Prins found security flaws in hundreds of prominent high-tech companies, among them Facebook, Google, Apple, Microsoft and Twitter.
While many firms ignored their disclosure attempts, the COO of Facebook, Sheryl Sandberg, passed the warning to their head of product security, Alex Rice. Alex Rice connected with Abma and Prins, and they founded HackerOne, a crowdsourcing platform.
In November 2013, the company hosted a program encouraging the discovery and responsible disclosure of software bugs, funded by Microsoft and Facebook.
By June 2015, HackerOne had identified approximately 10,000 vulnerabilities and paid researchers over $1 million in bounties. In April the company announced 240% year-over-year customer growth in
24. Katie Moussouris created the bug bounty program at Microsoft and was directly involved in creating the U.S. Department of Defense's first bug bounty program for hackers.
HackerOne is a vulnerability coordination and bug bounty platform that connects businesses with penetration testers and cyber security researchers. It is one of the first companies, along with Synack and Bugcrowd, to use crowdsourced security and cybersecurity researchers as linchpins of its business model; it is the largest cybersecurity firm of its kind. As of July 2018, HackerOne's network consisted of approximately 200,000 researchers, had resolved 72,000 vulnerabilities across over 1,000 customer programs, and HackerOne had paid $31 million in bounties.
25.
• Facebook operates a large bug bounty program.
• HackerOne, which provides managed bug bounty programs for organizations, found that in 2017 the average bug bounty for a critical vulnerability was $1,923, although payment varies across different industry categories.
• Bugcrowd also provides a managed bug bounty platform and has its own set of data on vulnerability payouts. Bugcrowd's 2017 State of the Bug Bounty report found that the average bounty across all categories was $451.
26. REWARDS
In 2018 HackerOne paid $11 million in bounties.
30.
10: Even More Facebook Data Exposure
When: April 2018
The payout: $8,000
The bug: Data exposure by a third-party app.
9: Google Administrative Authentication Bypass
When: February 2018
The payout: $13,337
The bug: Broken authentication for YouTube TV's admin panel.
8: Shopify Open to Takeovers
When: December 2017-February 2018
The payout: $15,250
Free Games from Valve
When: November 2018
The payout: $20,000
The bug: An API exploit allowing generation of game activation keys.
7: Google's RCE Flaw
When: May 2018
The payout: $36,337
The bug: A remote code execution flaw in Google's deployment environment.
5: Facebook's Largest Ever Bug Bounty
When: Undisclosed; part of a bounty program launched in April.
The payout: $50,000
The bug: A privacy/monitoring vulnerability.
Facebook published a review of its bug bounty program in 2018. As well as payouts for over 700 reported issues, 2018 also saw the largest ever bounty payout from Facebook, of $50,000.
31.
4: New Variants of Spectre
When: July 2018
The payout: $100,000
The bug: New subvariants of the Spectre processor vulnerability.
3: Two Google Pixel Bugs
When: August 2017-January 2018
The payout: $112,500
The bug: A pair of bugs creating a code injection vulnerability in Google's Pixel smartphone.
2: Hack the Marines and Hack the Air Force
When: October-November 2018
The payout: $150,000 from the Marines; $130,000 from the Air Force
The bug: Hundreds of security vulnerabilities.
1: Oath's Days of Bounties
When: April and November 2018
The payout: Over $400,000 - twice
The bug: Hundreds of bugs across two hacking events.
Perhaps HackerOne's biggest success story this year came at the H1-415 event in San Francisco. Oath Inc., a media company which owns brands like Yahoo!, AOL and Tumblr, invited 40 security researchers from HackerOne to a live hacking event. Over the course of the day, hundreds of bugs were discovered, netting a total bounty for the event of over $400,000.
Read more at: https://www.immuniweb.com/blog/top-ten-bug-bounty-payouts-of-2018.html
32.
DOs
• The earlier the better
• Be the user first
• Understand the logic to break it
• Think beyond the mindset of a Black or Gray Hacker
• Have custom methods/payloads, not just XSS, CSRF, IDOR, SQL
• Act ethically and report
• Be professional
• Approach for happy hunting
DON'Ts
× XSS, Ctrl+C, Ctrl+V everywhere
× The easy way is not the right way
× Half-filled submissions & reports
× Unethical / irresponsible behavior
× Unethical disclosure
× Unethical reporting
× Selfishness
× Abusing info / data accessed
× Don't do BEG HUNTING / never beg for rewards
33. MOTIVATORS FOR A SECURITY RESEARCHER
Motivator #1: Set a self target
Motivator #2: Recognition
Motivator #3: Money
Motivator #4: Self satisfaction – "I am not a common hacker wearing a Black Hat"
"I keep on collecting and counting my White Hats"
34. My Experience
Types of Organizations
1. The Genius – takes ethical reports very seriously, rewards, recognizes and partners with the security researcher.
2. The Bulletproof – never recognizes or acknowledges, and thinks they are immortal.
3. Mr. Know-it-All – oops, we knew this before you and are planning to fix it.
4. The Blind & Deaf – never responds.
5. The Neutrals – a bug? a bug bounty program?! News to us; anyway, thank you, we'll look into this.
35. My Experience
The "Fixed Line Telecommunication Company" in a South Asian country
I reported a serious flaw in their system, which can certainly expose subscribers' sensitive information and much more, if found by a bad guy.
It has now been 8 months since my responsible reporting of this vulnerability to their IT team, and no action has been initiated to debug it to date.
This is a good example of organizations and their IT professionals thinking that they are "Bullet Proof" or acting as "Mr. Know-it-All". Rather, they are liabilities to their customers and to society.