BSides LA/PDX

Transcript of BSides LA/PDX

State of Bug Bounty

Leif Dreizler, Sr. Security Engineer, @leifdreizler

Things I’ll Cover

o Bug Bounty: 👻 🎁 🔮
o Pro tips, pitfalls, war stories
o Questions!

What’s a bug bounty program?

A Brief History of Bug Bounty Programs

Timeline slides (logo images not preserved; only the years survive): 1995, 2005/2002, 2004, 2007

Big Data Security Metrics

Highlights from the 2014 Google Report

o Started in 2010
o In 2014 paid over 200 researchers
o Highest single payout: $150k
o Total payout: $1.5+ million
o Over 500 unique and valid bugs
o Over half of the bugs in Chrome were reported and fixed in beta or dev builds

src: http://googleonlinesecurity.blogspot.com/2015/01/security-reward-programs-year-in-review.html

Google VRP (chart)

src: https://sites.google.com/site/bughunteruniversity/behind-the-scenes/charts

Highlights from the 2014 Facebook Report

o Started in 2011
o Currently $500 minimum, no defined maximum
o 17,011 submissions
o 61 eligible bugs were high severity
o 123 countries (65 rewarded)
o $1.3 million paid to 321 researchers

Countries with High # of Valid Subs

Country       Valid Bugs   Average $ Reward
India         196          $1,343
Egypt         81           $1,220
USA           61           $2,470
UK            28           $2,768
Philippines   27           $1,093

src: https://www.facebook.com/notes/facebook-bug-bounty/2014-highlights-bounties-get-better-than-ever/1026610350686524

Microsoft Bounty Expansion

o Started in 2013
o Online services like Azure and O365 have a maximum bounty of $15k
o Doubled this during Aug 5 - Oct 5 for auth vulnerabilities in Windows Live
o “Mitigation Bypass” bounty for novel methods to bypass paramount OS protections like ASLR and DEP - $100k
o “Bonus Bounty for Defense” - $50k

src: http://blogs.technet.com/b/msrc/archive/2015/04/22/microsoft-bounty-programs-expansion-azure-and-project-spartan.aspx
src: https://technet.microsoft.com/en-us/security/dn800983

Highlights from the 2014 GitHub Report

o First year of the program
o $200 - $5,000 (doubled for 2015)
o 1,920 submissions
o 73 unique vulnerabilities (57 medium/high)
o 33 unique researchers earned a total of $50,100 for the med/high vulnerabilities

src: https://github.com/blog/1951-github-security-bug-bounty-program-turns-one

Tesla Motors

o Began their program with Bugcrowd in 2015
o Includes all Tesla Motors hosts, mobile apps, and any hardware you’re authorized to test against (don’t hack your neighbor’s car)
o Initially had an upper end of $1,000
o Increased the upper end to $10k at Black Hat
o Researchers were able to gain access to the Model S computer system, remotely lock and unlock the car, and apply the emergency brake if under 5 m.p.h.

Why should my organization run a bug bounty?

o Helps augment your internal security team
o Helps level the playing field
o Shows the security community you’ll work with them
o Makes it easy for researchers to “do the right thing”
o The program makes a statement
o Continuous testing


I’m already doing enough

o Red Team
o Scanners
o Traditional Pentests

I’m already getting continuous testing from my red team

o Bug bounties don’t replace red teams
o They work in concert, providing a different perspective
o Red teams have access to privileged information that may create bias in their testing


I’m already getting continuous testing from a scanner

o They report false positives
o Scanners miss a lot of vulnerabilities

I’m already having my application pen tested

o Limited resources compared to the crowd
o Paying for time vs. results
o Snapshot in time

GitHub Program Lifecycle (chart)

src: https://github.com/blog/1951-github-security-bug-bounty-program-turns-one

Community Management

o Deluge of submissions
o Triage and validation
o Researcher communication
o Researcher payment
o Remediation


Program Growth

o Increase number of researchers
o Increase scope
o Increase reward ranges
o Increase publicity

State of Bug Bounty: January 2013 - June 2015

Culmination of 2 Years of Bug Bounty Data

Areas of Trends:
o Types of Programs
o Signal to Noise Ratio
o Severity of Submissions
o Types of Submissions
o Researcher Demographics & Behavior

How do researchers join private programs?

Researchers are measured on the factors below and invited accordingly…

Quality: if a submission is valid and in scope
Impact: if a submission is worth your time
Activity: if a researcher is ready to work
Trust

Why Invite Only?

Signal
» Valid
» Fixable
» High-Priority
» Reproducible
» In Scope

Noise
» Invalid
» Ignored
» Duplicate
» Non-Reproducible
» Out-of-Scope

Program Statistics

o $725k paid to researchers
o 38k submissions
o 8k valid & unique (21%)
o $200 average payout
o 4.39 “big bugs” per program

What are big bugs?

P1 - Critical

Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, financial theft, etc.

Examples: Vertical authentication bypass, SSRF, XXE, SQL injection, User authentication bypass

P2 - High

Vulnerabilities that affect the security of the platform, including the processes it supports.

Examples: Lateral authentication bypass, Stored XSS, some CSRF depending on impact

Google VRP (charts)

src: https://sites.google.com/site/bughunteruniversity/behind-the-scenes/charts

How to reduce noise

o Provide clear directives to researchers
o What’s in/out of scope
o Play by your own rules
o Reward quickly and consistently
o Fix quickly
o Provide feedback/education


Provide Feedback/Education

o Respond to researchers
o Improve submissions
o Note deficiencies
o Clarify scope
o Training
  o Google: Bughunter University
  o Facebook: Bounty Hunter’s Guide
  o Bugcrowd: Bugcrowd Forum

Shaping the Future of Bug Bounty

o Paid summer internships
o Guest blog posts
o Bugcrowd Forum
o Training
o https://github.com/jhaddix/tbhm
o https://www.youtube.com/watch?v=VtFuAH19Qz0
o https://blog.bugcrowd.com/bugcrowds-2015-guide-hacker-summer-camp/

Shaping the Future of Bug Bounty (chart): Bug Bounties as Primary Source of Income (Researchers with 15+ Valid Submissions)

Researcher Statistics

o 20,000 total sign ups
o 90 countries
  o India - 31%
  o US - 18%
  o UK - 9%
o Highest average payout
  o Cyprus - $644
  o Switzerland - $512
  o Austria - $475

Google VRP (chart)

src: https://sites.google.com/site/bughunteruniversity/behind-the-scenes/charts

Submissions: What do they find?

Big Bugs!

Cross-domain Information Disclosure, discovered by Peter Adkins (@Darkarnium)

• Clifford’s first private bounty invitation
• Launched at midnight in the Philippines
• Found an IDOR → elevation of privilege

src: https://www.cliffordtrigo.info/hijacking-smartsheet-accounts/

src: http://nbsriharsha.blogspot.in/2015/07/a-style-of-bypassing-authentication.html

• IDOR → elevation of privilege
  1) log in to https://service.teslamotors.com/
  2) navigate to https://service.teslamotors.com/admin/bulletins
  3) now you are admin; you can delete, modify and publish documents

In Summary

o Bug bounty programs have been around for a while
o Managing a bug bounty program can be difficult
o Security-conscious companies keep running them
o More companies are adopting (private) programs
o Researchers are reporting interesting and critical vulnerabilities

[email protected]
Front Street, San Francisco, CA
@bugcrowd

QUESTIONS?