Release the Hounds! A look inside Bugcrowd. This was a presentation Casey gave at the Sydney Ruxmon Information Security meetup at Google in 2013.
Summary
• I’m not here to sell you anything
– Unless you’re buying
• Quick overview of how Bugcrowd works
• Some stats from the bounties we’ve run and general experience of how it all goes down
• Questions
About me
• 12 years in I.T.
• Started off technical then moved to the business side, then went rogue
• Got bitten by the entrepreneur bug
– White Label Security, RDPCheck, others
• I know enough to *sometimes* ask the right questions
– but right now I’m probably the dumbest guy in the room.
Bug bounties are awesome…
• Just ask Google, Facebook, Paypal
• Lots of eyes == more bugs found faster
• Lots of eyes == diverse talent pool
• Theoretically continuous coverage
– If your rewards are big enough
…but hard.
• Just ask Google, Facebook, Paypal
• Overhead of managing the tester community
• Spurious findings
– Here’s a Nessus scan, I can haz money nao?
• Managing payments to testers
• How do I cap my spend?
• How do I control the crowd?
Enter Bugcrowd!
(hat tip to @snare)
The gist of it…
• Managed bug bounties for web, mobile and client/server apps
• “Came out of stealth” in December
• Founded by Sergei Belokamen (@sergicles) and I
• Nick Ellsmore (strategic advisor)
• Funded and mentored by Startmate Accelerator
– Validating and improving the idea and the business model
– Off to Silicon Valley in April to raise capital and work on the US market
How does it work?
• Ongoing bounties (a la Google)
– Bugs validated, scored & passed on “as discovered”
– Payments managed, etc
• Time-boxed bounties
– Kind of like a crowd-sourced pen test
– Client sets size of reward pool and duration of testing
– Fixed rewards
  • Higher reward for the 3 most “creative” bugs
  • Lower for the rest
– Report at the end of the bounty
What else?
• Kudos points
• Private bounties
• Crowdcontrol
• Free bounties for charities (awesomesauce)
• Charity or non-paid valid findings = ISC2 CPE
So, does it work?
A typical bounty:
• 2 mins – Clickjacking (EVERY. SINGLE. TIME)
• 0 to 6 hours – Lots of XSS, CSRF and other “common” bugs
• 6 to 24 hours – Stragglers
• 24 hours + – The interesting stuff… bug chaining, non-traditional vectors, etc
Some stats
• 10 bounties
– 4 charity
– 2 private paid
– 3 open paid
– 1 malware bounty
• 1,500 testers
• ~250 active submitters
• ~1,000 submissions
0-day?
• An unpatched security bug in 3rd party software has been disclosed in 4 of the bounties we’ve run so far
• OK, not really 0-day, but goes to show that these guys are going reasonably deep
Total validated submissions
• Up to Beta 006
• 85 unique bug types (e.g. Reflected XSS, storage-based XSS, SQL Injection, authentication/automation, etc)
• 140 unique findings
Countries of origin
• Australia
• New Zealand
• UK
• Italy
• Germany
• Spain
• France
• Sweden
• Georgia
• Pakistan
• India
• Malaysia
• Norway
• South Africa
• Argentina
• Israel
• USA
• Iceland
• A lot of “known” bounty hunters
• A lot of day-job pen testers
General observations
• IT’S WORKING (mostly… still a lot to learn)
• Charity bounties work too!
• Running an accelerated start-up is wicked hard work
• Start-ups and charities have no idea how bad their appsec is
• Bug bounty on outdated WordPress on GoDaddy?
– You’re gonna have a bad time
Next…
• More bounties
• Get some ongoing bounties going
• Get better at running these things
• Off to the valley…