Release the Hounds! A look inside Bugcrowd - Ruxmon 1 March 2013

This was a presentation Casey gave at the Sydney Ruxmon Information Security meetup at Google in 2013.

1. Release the hounds! A look inside Bugcrowd.
Casey Ellis
casey@bugcrowd.com
@caseyjohnellis
2. Summary
• I’m not here to sell you anything
  – Unless you’re buying
• Quick overview of how Bugcrowd works
• Some stats from the bounties we’ve run and general experience of how it all goes down
• Questions
3. About me
• 12 years in I.T.
• Started off technical then moved to the business side, then went rogue
• Got bitten by the entrepreneur bug
  – White Label Security, RDPCheck, others
• I know enough to *sometimes* ask the right questions – but right now I’m probably the dumbest guy in the room.
4. Bug bounties are awesome…
• Just ask Google, Facebook, PayPal
• Lots of eyes == more bugs found faster
• Lots of eyes = diverse talent pool
• Theoretically continuous coverage
  – If your rewards are big enough
5. …but hard.
• Just ask Google, Facebook, PayPal
• Overhead of managing the tester community
• Spurious findings
  – Here’s Nessus scan, I can haz money nao?
• Managing payments to testers
• How do I cap my spend?
• How do I control the crowd?
6. Enter Bugcrowd! (hat tip to @snare)
7. The gist of it…
• Managed bug bounties for web, mobile and client/server apps
• “Came out of stealth” in December
• Founded by Sergei Belokamen (@sergicles) and I
• Nick Ellsmore (strategic advisor)
• Funded and mentored by Startmate Accelerator
  – Validating and improving the idea and the business model
  – Off to Silicon Valley in April to raise capital and work on the US market
8. How does it work?
• Ongoing bounties (a la Google)
  – Bugs validated, scored & passed on “as discovered”
  – Payments managed, etc
• Time-boxed bounties
  – Kind of like a crowd-sourced pen test
  – Client sets size of reward pool and duration of testing
  – Fixed rewards
    • Higher reward for the 3 most “creative” bugs
    • Lower for the rest
  – Report at the end of the bounty
9. What else?
• Kudos points
• Private bounties
• Crowdcontrol
• Free bounties for charities (awesomesauce)
• Charity or non-paid valid findings = ISC2 CPE
10. So, does it work?
11. A typical bounty:
• 2 mins – Clickjacking (EVERY. SINGLE. TIME)
• 0 to 6 hours – Lots of XSS, CSRF and other “common” bugs
• 6 to 24 hours – Stragglers
• 24 hours+ – The interesting stuff… bug chaining, non-traditional vectors, etc.
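Clickjacking shows up in the first two minutes of every bounty because it is a single header check: whether the page can be framed cross-origin is visible in the response before anyone has logged in or mapped the application. The checker below is an added example written for this page, not code from the deck or from Bugcrowd. It evaluates a response's `X-Frame-Options` and `Content-Security-Policy` `frame-ancestors` headers the way a triager or developer would verify them before a bounty opens, including the present-but-ineffective cases (conflicting `X-Frame-Options` values, `ALLOW-FROM`, a wildcard `frame-ancestors`). The `SAMPLE_RESPONSES` header sets are constructed for the example, not captured from any real target.

```python
"""Check an HTTP response's headers for clickjacking (UI-redress) protection.

Added example for this page, not from the Bugcrowd deck. It shows why a
missing framing control is found within minutes of a bounty opening (it is
one header check) and what a defender should verify before launch.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class FramingVerdict:
    protected: bool       # True if at least one effective control is present
    controls: list[str]   # which headers/directives provide the protection
    notes: list[str]      # findings a triager or developer should read


def _header(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _csp_frame_ancestors(csp: str) -> list[str] | None:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def assess_framing_protection(headers: dict[str, str]) -> FramingVerdict:
    """Decide whether the response restricts which origins may embed it in a frame."""
    controls: list[str] = []
    notes: list[str] = []

    # CSP frame-ancestors is the standardised control and takes precedence over
    # X-Frame-Options in browsers that support it.
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        ancestors = _csp_frame_ancestors(csp)
        if ancestors is None:
            notes.append("CSP present but has no frame-ancestors directive")
        elif "*" in ancestors or any(a in ("http:", "https:") for a in ancestors):
            notes.append("CSP frame-ancestors allows any origin; framing is not restricted")
        else:
            controls.append(f"CSP frame-ancestors {' '.join(ancestors)}")

    # X-Frame-Options: only DENY and SAMEORIGIN are reliable. ALLOW-FROM was never
    # widely supported, and a header carrying conflicting values is ignored by browsers.
    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        values = [v.strip().upper() for v in xfo.split(",")]
        if len(values) > 1:
            notes.append("multiple X-Frame-Options values; browsers ignore the header")
        elif values[0] in ("DENY", "SAMEORIGIN"):
            controls.append(f"X-Frame-Options {values[0]}")
        elif values[0].startswith("ALLOW-FROM"):
            notes.append("X-Frame-Options ALLOW-FROM is not honoured by modern browsers")
        else:
            notes.append(f"unrecognised X-Frame-Options value {values[0]!r}")

    if not controls:
        notes.append("no effective framing control: page can be embedded cross-origin")
    return FramingVerdict(protected=bool(controls), controls=controls, notes=notes)


# Constructed sample responses for the example (not captured from any real bounty target).
SAMPLE_RESPONSES = {
    "unprotected": {"Content-Type": "text/html", "Server": "nginx"},
    "xfo_only": {"content-type": "text/html", "x-frame-options": "SAMEORIGIN"},
    "csp_allow_all": {"Content-Security-Policy": "default-src 'self'; frame-ancestors *"},
    "csp_self": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
        "X-Frame-Options": "DENY",
    },
    "xfo_conflict": {"X-Frame-Options": "DENY, SAMEORIGIN"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        verdict = assess_framing_protection(hdrs)
        status = "OK  " if verdict.protected else "FAIL"
        print(f"{status} {name}: {verdict.controls or verdict.notes}")
```

Running it prints one verdict per sample. The `notes` list is what goes back to the developer; the conflicting-value case is the one worth remembering, since a header that is present but ignored by browsers is exactly what a tester spots in the first pass and what a pre-launch checklist should catch first.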
12. Some stats
• 10 bounties
  – 4 charity
  – 2 private paid
  – 3 open paid
  – 1 malware bounty
• 1,500 testers
• ~ 250 active submitters
• ~ 1,000 submissions
13. 0-day?
• An unpatched security bug in third-party software has been disclosed in 4 of the bounties we’ve run so far
• OK, not really 0-day, but goes to show that these guys are going reasonably deep
14. Total validated submissions
• Up to Beta 006
• 85 unique bug types (e.g. Reflected XSS, storage-based XSS, SQL Injection, authentication/automation, etc)
• 140 unique findings
15. Countries of origin
• Australia
• New Zealand
• UK
• Italy
• Germany
• Spain
• France
• Sweden
• Georgia
• Pakistan
• India
• Malaysia
• Norway
• South Africa
• Argentina
• Israel
• USA
• Iceland
• A lot of “known” bounty hunters
• A lot of day-job pen testers
16. General observations
• IT’S WORKING (mostly… still a lot to learn)
• Charity bounties work too!
• Running an accelerated start-up is wicked hard work
• Start-ups and charities have no idea how bad their appsec is
• Bug bounty on outdated WordPress on GoDaddy?
  – You’re gonna have a bad time
17. Next…
• More bounties
• Get some ongoing bounties going
• Get better at running these things
• Off to the valley…
18. Thanks! Questions?
• casey@bugcrowd.com
• @caseyjohnellis
• @bugcrowd
