Bug bounty
n|u - The Open Security Community, Chennai Meet
Presenter: Vinoth Kumar
Date: 22/07/2017
# About Me
Application security engineer.
Blogger @ http://www.tutorgeeks.net
Email @ vinothpkumar333@gmail.com
Tweet @vinothpkumar
Agenda for the session
● What is bug bounty
● How to start with bug bounty
● My career as a bug bounty hunter
● Advantages of participating in bug bounty programs
● Advantages of conducting a bug bounty program
● Disappointments in bug bounty
● Popular bug bounty platforms
● Tips and resources
What is bug bounty
Paying monetary reward to security researchers for certain qualifying security bugs.
● Researcher finds a security bug in example.com
● Researcher responsibly reports the identified bug to Example
● Example's security team validates the findings and fixes the issue
● Example pays $$$ / swag / gift according to the bug's impact and its program policy
How to start with Bug bounty
● Start with easier sites. Understand the logic of the site. Find sites that are not tested by many.
● Never hunt for money, hunt for learning. (500 USD in facebook.com is equal to five 100 USD in spreaker.com)
● Enumeration is the key. Target the subdomains instead of the main site.
● Always check if a site is running a bug bounty program before performing the test cases. Testing a site without permission is a cyber crime, even if your intention is good (responsibly reporting the identified security vulnerabilities).
● Say no to scanners
Quality of a good report - earns more respect
Vulnerability :
Detailed explanation of the vulnerability :
Steps to reproduce: (with attachments and video if required)
How does it affect example.com:
Remediation:
Note: Don't blindly copy-paste the contents of other researchers' blogs or H1 reports. Understand the vulnerabilities and their exploitation.
My career as a bug bounty hunter
Seeking a security engineer job was difficult
Applied to security engineer jobs - 25+ companies
Either "No response"
(or)
"You don't have relevant experience"
(Since I spent 1.5 years of my career in non-security roles, getting a security engineer job was difficult)
Why I didn't get interview calls
● No relevant experience.
● No industry-recognized security certifications.
● Didn't have anything to showcase my ability.
Advantages of participating in bug bounty programs
● Adds value to your resume
● Increases the possibility of getting a job in the industry
● Opportunity to make more money in less time
● Recognition
● Knowledge
● You'll learn to work hard because of the competition
Advantages of conducting a bug bounty program
● Fewer hacks and breaches
● Lots of people are testing your application (different approaches towards testing)
● Cost efficient
○ A company has to spend a huge amount when it outsources a security assessment to a 3rd-party vendor: $$$ is charged based on the time spent testing your application. When you run a bug bounty program, you only pay the researcher for the reported bugs and not for the whole effort spent on security testing.
Disappointments in Bug Bounty
● Duplicate submissions will hurt more than your love failure.
● Companies not responding to your report but silently fixing the vulnerabilities without giving you credit.
● Companies not rewarding the appropriate amount for the severity of the bug.
Popular Bug bounty platforms
● https://www.bugcrowd.com/bug-bounty-list/
● Hackerone.com
● Bugcrowd.com
● Synack
● Use Google dorks
○ inurl:bugbounty
Indian companies that run BB programs
Tips and Resources
● Read all public disclosures on Hackerone - http://h1.nobbd.de/
● Always stick to the program scope.
● Follow some great bug bounty hunters. Read their blogs.
● Keep your eyes glued to Twitter.
● Be very strong in at least one vulnerability and its exploitation.
○ I admire Anand Prakash for his IDOR skills - http://www.anandpraka.sh/
● Select a particular target while focusing on bug bounty. Don't test random sites.
○ FYI - File Descriptor earned 2.5 crores from Twitter alone - https://hackerone.com/filedescriptor
● Choose your passion. Go for either web application or mobile application security testing.
● Join some bug bounty forums - https://bugbounty-world.slack.com
● Keep watching Nullcon, Defcon and Blackhat talks
● Sign up for Google Alerts.
○ (You'll never know when you'll get a pop-up in Google :P)
Thank You