Release the Hounds! A look inside Bugcrowd - Ruxmon 1 March 2013
1. Release the hounds! A look inside Bugcrowd.
Casey Ellis
casey@bugcrowd.com
@caseyjohnellis
2. Summary
• I’m not here to sell you anything
– Unless you’re buying
• Quick overview of how Bugcrowd works
• Some stats from the bounties we’ve run and general experience of how it all goes down
• Questions
3. About me
• 12 years in I.T.
• Started off technical then moved to the business side, then went rogue
• Got bitten by the entrepreneur bug
– White Label Security, RDPCheck, others
• I know enough to *sometimes* ask the right questions
– but right now I’m probably the dumbest guy in the room.
4. Bug bounties are awesome…
• Just ask Google, Facebook, Paypal
• Lots of eyes == more bugs found faster
• Lots of eyes = diverse talent pool
• Theoretically continuous coverage
– If your rewards are big enough
5. …but hard.
• Just ask Google, Facebook, Paypal
• Overhead of managing the tester community
• Spurious findings
– Here’s a Nessus scan, I can haz money nao?
• Managing payments to testers
• How do I cap my spend?
• How do I control the crowd?
7. The gist of it…
• Managed bug bounties for web, mobile and client/server apps
• “Came out of stealth” in December
• Founded by Sergei Belokamen (@sergicles) and me
• Nick Ellsmore (strategic advisor)
• Funded and mentored by Startmate Accelerator
– Validating and improving the idea and the business model
– Off to Silicon Valley in April to raise capital and work on the US market
8. How does it work?
• Ongoing bounties (a la Google)
– Bugs validated, scored & passed on “as discovered”
– Payments managed, etc
• Time-boxed bounties
– Kind of like a crowd-sourced pen test
– Client sets size of reward pool and duration of testing
– Fixed rewards
• Higher reward for the 3 most “creative” bugs
• Lower for the rest
– Report at the end of the bounty
9. What else?
• Kudos points
• Private bounties
• Crowdcontrol
• Free bounties for charities (awesomesauce)
• Charity or non-paid valid findings = ISC2 CPE
11. A typical bounty:
• 2 mins – Clickjacking (EVERY. SINGLE. TIME)
• 0 to 6 hours – Lots of XSS, CSRF and other “common” bugs
• 6 to 24 hours – Stragglers
• 24 hours+ – The interesting stuff… bug chaining, non-traditional vectors, etc
13. 0-day?
• An unpatched security bug in 3rd party software has been disclosed in 4 of the bounties we’ve run so far
• OK, not really 0-day, but goes to show that these guys are going reasonably deep
14. Total validated submissions
• Up to Beta 006
• 85 unique bug types (e.g. Reflected XSS, storage-based XSS, SQL Injection, authentication/automation, etc)
• 140 unique findings
15. Countries of origin
• Australia
• New Zealand
• UK
• Italy
• Germany
• Spain
• France
• Sweden
• Georgia
• Pakistan
• India
• Malaysia
• Norway
• South Africa
• Argentina
• Israel
• USA
• Iceland
• A lot of “known” bounty hunters
• A lot of day-job pen testers
16. General observations
• IT’S WORKING (mostly… still a lot to learn)
• Charity bounties work too!
• Running an accelerated start-up is wicked hard work
• Start-ups and charities have no idea how bad their appsec is
• Bug bounty on outdated WordPress on GoDaddy?
– You’re gonna have a bad time
17. Next…
• More bounties
• Get some ongoing bounties going
• Get better at running these things
• Off to the valley…