If You Can’t Beat ‘Em Join ‘Em
Tips For Running a Successful Bug Bounty Program
Grant McCracken
Daniel Trauner
BSides Austin
April 1, 2016
Grant
● Technical Account Manager @Bugcrowd
○ formerly an ASE
● Before that, Whitehat
● Did some traveling
● Music
BSides Austin 2016 – If You Can’t Beat ‘Em Join ‘Em © Bugcrowd 2016
Dan
● AppSec Engineer (ASE) @Bugcrowd
● Before that, Fortify SCA @HPSR
○ Static analysis -- lots of languages
○ Focus on iOS
● Art History/Collecting!
Bug Bounty Programs
wut
A (Brief) History of Bug Bounty Programs
Why?
Do you really want to let people attack you?
Source: http://hyperboleandahalf.blogspot.com/2010_06_01_archive.html
Yes! (They’re doing it anyways…)
Source: http://hyperboleandahalf.blogspot.com/2010_06_01_archive.html
You vs. and Them
Who are these people?
● All over the place!
○ All ages
○ All levels of experience
○ All over the world
○ Users and non-users
● Passionate about security
Value
● Lots of eyes
● Only pay for valid results
● Shows a more advanced security posture
● Better overall reputation!
How?
How?
● Pre-Launch
○ Scope
○ Focus
○ Exclusions
○ Environment
○ Access
● Post-Launch
○ Managing Expectations
○ Communicating Effectively
○ Defining a Vulnerability Rating Taxonomy (VRT)
“Touch the code, pay the bug.”
Pre-Launch
Scope, scope, scope
● Step 0...
○ Basic resources/requirements to run a program
● The researcher’s universe
○ Leave nothing open to interpretation
○ Understand your attack surface
○ The path of least resistance
Focus
● You might care about specific:
○ Targets
○ Vuln types
○ Functionalities (e.g. payment processing)
● How?
○ Incentives
○ Create a focused program
Source: https://xkcd.com/1361/
Exclusions
● You might not care about:
○ “Low-hanging fruit”
○ Intended functionality
○ Known issues
○ Accepted Risks
○ Issues resulting from pivoting
Environment
● Different based on:
○ Prod vs. Staging
■ Make sure it can stand up to testing!
1. Scanners
2. Contact forms
3. Pentesting requests
○ Target type
■ IoT? iOS?
○ Special bounty type?
○ Researcher environments
What a shared environment looks like...
Access
● Easier = better
● How will researchers get there?
○ Whitelist? Proxy? Geo-restrictions?
● Public or private?
● SSN/CCs/phone numbers?
● Intuitive credentials management
○ NO SHARED CREDS
Remember...
Post-Launch
Expectations, expectations, expectations...
Communication is Key
● Researchers like:
○ Concise, unambiguous responses
■ ESL (English as a second language)
○ Quick responses
○ Predictable time to reward
● Stay on top of these issues!
● Public disclosure?
Define a Vulnerability Rating Taxonomy
● For you:
○ Speed up triage process
○ Track your organization’s posture
○ Arrive at reward amount more quickly
● For them (if published):
○ Focus on high-value bugs
○ Avoid reporting wontfix issues
○ Feel a sense of trust (goes with brief)
Discuss the VRT at a Roundtable
● Priority will change as your organization does
● Establish a discussion meeting
○ Review interesting bugs
○ Discuss additions to VRT
○ Propose changes to vulnerability classification/priorities
● This is an ongoing process!
Meanwhile, IRL...
$UNPREPARED_COMPANY
Recipe for disaster:
1. Don’t provide known issues
2. Don’t consider exclusions
3. Sneaky brief changes
Instructure
Severity   2013 (Pentest)   2014 (Bug Bounty)
Critical   0                0
High       1                25
Medium     1                8
Low        2                16
Source: https://www.canvaslms.com/security
tl;dr
Source: https://xkcd.com/1256/