This document provides an introduction to bug bounty programs. It defines what a bug bounty program is, provides a brief history of major programs, and discusses reasons they are beneficial for both security researchers and companies. Key points covered include popular programs like Google and Facebook, tools used in bug hunting like Burp Suite, and lessons for researchers such as writing quality reports and following each program's rules.
2. About Me
System Security Engineer at Tasawr Interactive
Security Researcher
OWASP contributor
Bug Bounty Hunter
FB: http://fb.me/shahee.mirza.5
Twitter: @shaheemirza
WEB: http://www.shaheemirza.com
3. What is Bug Bounty?
Bug bounties, also known as responsible disclosure
programmes, are set up by companies to encourage
people to report potential issues discovered on their
sites. Some companies choose to reward a researcher
with money, swag, or an entry in their hall of fame. If
you’re interested in web application security, then
they’re a great way of honing your skills, with the
potential of earning some money and/or credibility at
the same time.
4. History of Bug Bounty
October 1995: Netscape.
August 2002: iDefense [VCP].
August 2004: Mozilla.
2007: CanSecWest, ZDI, $10k.
March 24, 2010: Pwn2Own, big money.
The days before 2008 were tough for security
researchers.
2009: the year of revolution.
9. For us
Adds value to your resume.
Increases the possibility of getting a job in the
industry.
Opportunity to make money in your spare time.
Glory and fame.
Knowledge.
Being the proven one.
10. For Vendors
Less Hacks and Breaches.
Better and more secure apps or services.
Faster security implementation.
More researchers.
More experience.
More bugs.
27. Lesson 101
The base and basics:
Read the rules of the program.
Read the scope and limits.
Read the payment scheme and methods.
Read how to get a test account.
Respect the panel’s decisions.
28. Lesson 101 cont.
Please DO NOT:
Don’t be a shit.
Don’t lie.
Don’t cry for swag/money/HOF if it’s outside the rules.
Don’t disrespect other researchers.
Don’t copy-paste from other reports.
Please don’t share your payouts [amounts].
30. Lesson 101 cont.
Be very sharp and clear in the issue description:
Steps to reproduce the issue.
Impact.
Attach screenshot(s) if needed.
If you recorded a video:
- Don’t use music.
- Make it quick.
- Use MP4 or FLV format.
How to write a report:
Bad Report