HackerOne, Security Meetup, 4 December 2014, Mail.Ru Group
Transcript of HackerOne, Security Meetup, 4 December 2014, Mail.Ru Group
Page 1
#SecurityMeetUpMail.Ru
Page 2
Bounties and Other Incentives
Katie Moussouris, Chief Policy Officer
http://twitter.com/k8em0 <-- that’s a zero
Page 3
Who I am
Chief Policy Officer, HackerOne
Mother of Microsoft’s Bounty Programs, Internet Bug Bounty Panelist
Chair of BlueHat Content Board 2010-2013
My (security*) work in bullet points:
◆ Linux Dev and Security Tzarina - TurboLinux, circa 2000
◆ Pen Tester - Artist formerly known as @stake
◆ Founder - Symantec Vulnerability Research (SVR)
◆ Founder - Microsoft Vulnerability Research (MSVR)
◆ Policy Maker
◆ Editor for ISO standard on Vulnerability Handling (30111)
◆ Lead SME for US National Body on Vulnerability Disclosure (29147)
◆ Lead editor for Penetration Testing as it applies to Common Criteria (20004-2) and Secure Application Development processes (27034-3)
* Was a molecular biologist in a past professional life; worked on the Human Genome Project
Page 4
What is HackerOne?
● Vulnerability Coordination Platform
o Built by Facebook, Microsoft, Chrome security folks
● 100+ live programs with well over $100k paid out each month
● 1,000+ hackers (researchers?) recognized for their work
● Important: We only host these programs.
o Researchers & Security Teams manage their own programs.
o HackerOne employees do not have access to reports.
Page 5
Page 6
H1 Programs (Average)
Page 7
Signal-to-Noise Ratio
● There's noise on the internet
● Researcher Reputation - Good for researchers and teams
o The best researchers stand out from noisier ones
o Mutual incentives to maintain a high-signal environment
o Security Teams benefit from additional context
o An Anecdote!
"Noisiest" researcher had 1,500+ submissions and a <5% success rate.
One month later: same researcher now has 60%+ success rate.
Page 8
Reputation: Plus Rate Limiting
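The two slides above describe reputation and rate limiting as mutually reinforcing controls: a researcher's recent track record decides how many reports they may have in flight, and the noisiest submitters are throttled until their signal improves. The following is an added illustration of that idea, not HackerOne's code or algorithm. The 50-report reputation window, the limit tiers, and the simulated numbers (1,500 reports at 4% valid, then 50 reports at two-thirds valid, chosen to mirror the anecdote) are all assumptions.

```python
"""Reputation-weighted rate limiting for bug bounty submissions.

Added illustration, not HackerOne's code. All thresholds, the window size and
the simulated numbers are assumptions chosen to mirror the slide's anecdote.
"""
from collections import deque
from dataclasses import dataclass, field

# Reputation is computed over the most recent triage outcomes only, so a
# researcher who cleans up their reports can recover (assumed window size).
WINDOW = 50


@dataclass
class Researcher:
    name: str
    # True = report confirmed valid, False = invalid / duplicate / noise
    outcomes: deque = field(default_factory=lambda: deque(maxlen=WINDOW))
    lifetime_valid: int = 0
    lifetime_total: int = 0
    open_reports: int = 0  # submitted but not yet triaged

    def success_rate(self) -> float:
        """Share of valid reports within the reputation window."""
        if not self.outcomes:
            return 0.0
        return sum(self.outcomes) / len(self.outcomes)


def open_report_limit(r: Researcher) -> int:
    """Max untriaged reports a researcher may hold at once (assumed tiers)."""
    if len(r.outcomes) < 5:
        return 3            # too little history to judge: modest default
    rate = r.success_rate()
    if rate >= 0.60:
        return 20           # high signal: let them work in parallel
    if rate >= 0.30:
        return 8
    if rate >= 0.10:
        return 3
    return 1                # mostly noise: one report at a time until triaged


def submit(r: Researcher) -> bool:
    """Accept a new report unless the researcher is at their open-report limit."""
    if r.open_reports >= open_report_limit(r):
        return False
    r.open_reports += 1
    return True


def triage(r: Researcher, valid: bool) -> None:
    """Record the security team's verdict on one open report."""
    if r.open_reports == 0:
        raise ValueError("no open report to triage")
    r.open_reports -= 1
    r.outcomes.append(valid)
    r.lifetime_total += 1
    if valid:
        r.lifetime_valid += 1


def simulate_anecdote() -> dict:
    """Replay the slide's anecdote with constructed numbers."""
    noisy = Researcher("noisy")
    # Phase 1: 1,500 reports, 1 in 25 valid (4%), each triaged before the next.
    for i in range(1500):
        submit(noisy)
        triage(noisy, valid=(i % 25 == 0))
    rate_before = noisy.success_rate()
    limit_before = open_report_limit(noisy)
    # A burst of two reports while one is still open: the second is held back.
    burst = [submit(noisy), submit(noisy)]
    triage(noisy, valid=False)
    # Phase 2: 50 reports with 2 in 3 valid; the window now reflects the improvement.
    for i in range(50):
        submit(noisy)
        triage(noisy, valid=(i % 3 != 0))
    return {
        "rate_before": rate_before,
        "limit_before": limit_before,
        "burst": burst,
        "rate_after": noisy.success_rate(),
        "limit_after": open_report_limit(noisy),
        "lifetime_total": noisy.lifetime_total,
        "lifetime_valid": noisy.lifetime_valid,
    }


if __name__ == "__main__":
    print(simulate_anecdote())
```

The windowed rate is the design choice that matters: a lifetime average would keep the researcher in the anecdote throttled for years after 1,500 noisy reports, whereas a recent-outcome window rewards the turnaround the slide describes while still holding the limit at one open report for as long as the noise continues.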
Page 9
Knowledge
● Sharing knowledge is valuable to the entire community
o Those who do not learn from the mistakes of the past are doomed to repeat them
● Q: How can we encourage more vulnerability sharing?
o One-click disclosures
o Streamlined coordination
o Shared goals
o No surprises
Page 10
HackerOne Transparency
View the details of every vulnerability HackerOne has ever had: https://hackerone.com/security
Page 11
IE Preview Bug Bounty: All in the timing
● Running a bounty program during the Preview (beta) period for IE11 addressed the greatest number of issues with the least impact to customers AND engineers
● Vulnerability brokers don’t offer payment for the IE browser in beta, so there is a gap in the marketplace
● Actual Results: 23 submissions, 18 bulletin-class issues – including 4 sandbox escapes
Page 12
IE 11 Preview Bounty --> Reverses Reporting Trend
Page 13
Page 14
Hacker!
Page 15
Page 16
"Hacker"?
● Definitions suck.
● Security is for everyone
o It needs to be more accessible & inclusive.
● Be a part of the security community
Page 17
Questions?