This document provides an introduction to bug bounty programs. It defines what a bug bounty program is, provides a brief history of major programs, and discusses reasons they are beneficial for both security researchers and companies. Key points covered include popular programs like Google and Facebook, tools used in bug hunting like Burp Suite, and lessons for researchers such as writing quality reports and following each program's rules.

1. Bug Bounty 101
Shahee Mirza

2. About Me
System Security Engineer at Tasawr Interactive
Security Researcher
OWASP contributor
Bug Bounty Hunter
FB: http://fb.me/shahee.mirza.5
Twitter: @shaheemirza
WEB: http://www.shaheemirza.com

3. What is Bug Bounty?
Bug bounties, also known as responsible disclosure
programmes, are setup by companies to encourage
people to report potential issues discovered on their
sites. Some companies chose to reward a researcher
with money, swag, or an entry in their hall-of-fame. If
you’re interested in web application security then
they’re a great way of honing your skills, with the
potential of earning some money and/or credibility at
the same time.

4. History of Bug Bounty
At October 1995 by Netscape.
At August 2002 by iDefense [VCP].
At August 2004 by Mozilla.
2007 CanSecWest……ZDI…$10k..
March 24, 2010…pwn2own..big money.
Days before 2008 was Tough for Security
Researchers.
2009, the year of revolution.

5. Vendor Response

6. Then ..Our Response

7. Now…… :p

8. Why bug bounties ?

9. For us
Values of your Resume.
Increase Possibility of getting a job in the
industry.
Opportunity to make money on spare time.
Glory and Fame.
 Knowledge.
 The proven one.

10. For Vendors
Less Hacks and Breaches.
Better and more secure apps or services.
Faster security implementation.
More researchers.
More experience.
More bugs.

11. My favorite programs !!

12. GOOGLE
– Min $1337
– Acquisitions’ min: $100
– Max.: $20,000
URL:
http://www.google.com.bd/about/appsecurity/reward-program/

13. FACEBOOK
– Min.: $500
– Max. payout: …………
URL: https://www.facebook.com/whitehat

14. MORE
https://bugcrowd.com/list-of-bug-bounty-programs

15. My favorite platforms !!

16. BugCrowd
URL: https://bugcrowd.com/

17. HackerOne
URL: https://hackerone.com/

18. ..and
URL: https://www.synack.com/
URL: https://www.crowdcurity.com/

19. READY !!

20. Lesson 000
Patience – The Patience

21. Lesson 001
Avoid – OS Arguments.
Avoid – Browser Arguments.
Avoid – Language Arguments.

22. Lesson 010
Do not use automated scanners:
- Acunetix
- Nikto
- Etc
Learn to Code
- Python
- PHP
- Etc

23. Lesson 011
TOOLS:

24. Lesson 011 cont.
URL:
Burp Suite - http://portswigger.net/burp/
ZAP - https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Nmap - http://nmap.org/
DNS-Discovery - http://dns-discovery.googlecode.com
Fierce - http://ha.ckers.org/fierce/

25. Lesson 100
Self Practice ground:
URL: http://www.dvwa.co.uk/

26. Lesson 100 cont.
Self Education:
Attack:
https://www.owasp.org/index.php/Category:Attack
Code Snippet:
https://www.owasp.org/index.php/Category:Code_Snippet
Control:
https://www.owasp.org/index.php/Category:Control
Vulnerability:
https://www.owasp.org/index.php/Category:Vulnerability

27. Lesson 101
The Base and Basics:
Read the Rules of programs.
Read the Scope and Limits.
Read the Payment scheme and Methods.
Read, how to get a test account.
Respect the Panel Decisions.

28. Lesson 101 cont.
Please DO NOT:
Don’t be a Shit.
Don’t Lie.
Don’t cry for SWAG /Money /HOF if it’s out of rules.
Don’t disrespect other researchers.
Don’t Copy-Paste from other reports.
Please, Don’t share your payouts. [amounts]

29. Lesson 101 cont.
Quality > Quantity
Quality ==> Reputation ==> Opportunities

30. Lesson 101 cont.
Be very Sharp and Clear on Issue description.
Steps to reproduce the issue
Impact
Attach screenshot(s) if needed.
If you recorded any video:
- Don’t use music.
- Make it quick.
- Use Mp4 or Flv format.
How to write Report:
Bad Report

31. Lesson 101 cont.
GOOGLE for us:
URL:
https://sites.google.com/site/bughunteruniversity/

32. Lesson 101 cont.
Bugs on Fire:
URL: http://osvdb.org/

33. Lesson 101 cont.
Just a demo:
Rate limiting bypass

34. Lesson 101 cont.
Public Disclosure:
Ask for permission.
Hide sensitive information.

35. Future of Bug Bounties:
More companies, More bounty.
More money, More opportunities.

36. Bangladeshi Hackers on Bug Bounty
…………………………We are everywhere
Google <> Facebook <> Twitter
Microsoft <> PayPal <> GitHub

37. When I was Alone
I love to dance:

38. When rest of all came
I love to dance with them:

39. Thank you buddies:
Tarek Siddiki
Faisal Ahmed
Md. Ishrat Shahriyar
Abdullah Shahriar
…………..and rest of all

40. Helpful Books

41. Helpful Blogs
http://www.breaksec.com/
http://homakov.blogspot.co.uk/
https://bitquark.co.uk/blog/
https://nealpoole.com/blog/
http://nahamsec.com/
http://stephensclafani.com/
http://insertco.in/articles
http://josipfranjkovic.blogspot.co.uk/
http://olivierbeg.nl/
https://fin1te.net/

42. THANK YOU ALL