HI THIS IS URGENT PLZ FIX ASAP: Critical Vulnerabilities and Bug Bounty Programs


HI THIS IS URGENT PLZ FIX ASAP: Critical Vulnerabilities and Bug Bounty Programs. Kymberlee Price, Senior Director of Researcher Operations, Bugcrowd. @Kym_Possible

whoami? Senior Director of a Red Team; PSIRT Case Manager; Data Analyst; Internet Crime Investigator; Behavioral Psychologist. @kym_possible

Agenda: Intro; Red; Blue; tl;dr; Questions

What this talk isn't: Determining if a bug bounty program is appropriate for your company; Selling you a bug bounty program; Recruiting you to be a bounty hunter

C:\intro

VRP 2014 (charts): https://sites.google.com/site/bughunteruniversity/behind-the-scenes/charts

VRP 2014 (charts): Bugs found per active researcher; Payouts

2014 Submissions: 17,011 submissions (16% increase YoY); 61 high severity bugs (49% increase YoY); Minimum reward: $500; Geography: 65 countries received rewards (12% increase YoY), 123 countries reporting bugs. https://www.facebook.com/notes/facebook-bug-bounty/2014-highlights-bounties-get-better-than-ever/1026610350686524

2014 Payouts: $1.3 million to 321 researchers. Average reward: $1,788. The top 5 researchers earned a total of $256,750.

Top 5 Countries:
Country        Valid bugs   Average reward   Total paid
India          196          $1,343           $263,228
Egypt          81           $1,220           $98,820
USA            61           $2,470           $150,670
UK             28           $2,768           $77,504
Philippines    27           $1,093           $29,511
Total (top 5)                                $619,733

2014: 73 vulnerabilities identified and fixed; 1,920 submissions; 33 researchers earned $50,100 for 57 bugs; Minimum reward: $200; Doubled maximum bounty payout to celebrate. https://github.com/blog/1951-github-security-bug-bounty-program-turns-one


Online Services (O365 and Azure): 46 rewarded submissions since launch in late Sept 2014; Reward amounts to each researcher not published; Program offers minimum $500 up to $15,000. Mitigation Bypass: Up to $100,000 for novel exploitation techniques against protections built into the OS. Bounty for Defense: Up to $100,000 for defensive ideas accompanying a qualifying Mitigation Bypass submission. https://technet.microsoft.com/en-us/security/dn469163.aspx

Software Bounties / Online Services

Charts: Researchers (Software) and Researchers (Online Services), share of researchers by region: North America, Europe, India, Asia (excluding India), Latin America, Middle East, Africa, Oceania.

https://technet.microsoft.com/en-us/security/dn469163.aspx

166 customer programs; 37,227 submissions; 7,958 non-duplicate, valid vulnerabilities; Rewarded 3,621 submissions; $724,839 paid out 2013-present; Average reward $200.81, top reward of $10,000. http://bgcd.co/bcsbb2015

Big Bugs, 2013-present: 4.39 high- or critical-priority vulnerabilities per program. Total: 729 high-priority vulnerabilities, 175 rated critical by trained application security engineers. http://bgcd.co/bcsbb2015

P1 and P2 Defined. P1 CRITICAL: Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, financial theft, etc. Examples: Vertical authentication bypass, SSRF, XXE, SQL Injection, User authentication bypass. P2 SEVERE: Vulnerabilities that affect the security of the platform including the processes it supports. Examples: Lateral authentication bypass, Stored XSS, some CSRF depending on impact

Who finds these bugs? Professional pen testers and consultants; Former developers, QA engineers, and IT admins that have shifted focus into application security; University students that have self-taught security skills. Bugcrowd has over 18,000 researchers signed up in 147 countries worldwide. http://bgcd.co/bcsbb2015

C:\red

XXE in production exploited using the Google Toolbar button gallery. Reported in April 2014 by Fredrik Almroth and Mathias Karlsson. Google responded to the report within 20 minutes.

Reginaldo Silva reported an XML external entity vulnerability within a PHP page that would have allowed a hacker to change Facebook's use of Gmail as an OpenID provider to a hacker-controlled URL, before servicing requests with malicious XML code.
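Both XXE reports above depend on the server expanding entity declarations it never needed. The parser-side control, as an added example that is not part of the talk or of the programs it cites: a loader on Python's standard-library expat parser that aborts on any DOCTYPE, entity declaration or external entity reference before anything can be expanded or fetched. The sample documents and the `file:///constructed/placeholder` URI are constructed for this example.

```python
"""Added example (not from the talk): an XML loader that refuses any
document carrying DTD, entity or external-entity declarations, so the
input an XXE report relies on is rejected before it is expanded or
fetched. Standard-library expat only; sample documents are constructed."""
import xml.parsers.expat as expat


class DoctypeRejected(ValueError):
    """Raised on the first DTD/entity construct, before any expansion."""


def parse_without_entities(xml_bytes: bytes) -> dict:
    """Parse XML into {element path: text} for elements carrying text.

    A DOCTYPE, an entity declaration or an external entity reference
    aborts the parse. Refusing DOCTYPE outright also drops harmless DTDs,
    which is the usual trade-off for machine-to-machine data formats.
    """
    parser = expat.ParserCreate()
    # Parameter entities are the other route to a remote DTD; never load them.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    result, path, text = {}, [], []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE for <{name}> refused")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise DoctypeRejected(f"entity {name!r} refused")

    def on_external_ref(context, base, sysid, pubid):
        raise DoctypeRejected(f"external entity {sysid!r} refused")

    def on_start(name, attrs):
        path.append(name)
        text.clear()          # only leaf text is collected

    def on_chars(data):
        text.append(data)     # expat may deliver text in several chunks

    def on_end(name):
        value = "".join(text).strip()
        if value:
            result["/".join(path)] = value
        text.clear()
        path.pop()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    parser.Parse(xml_bytes, True)
    return result


def is_rejected(xml_bytes: bytes) -> bool:
    """True when the loader refuses the document as DTD-bearing."""
    try:
        parse_without_entities(xml_bytes)
    except DoctypeRejected:
        return True
    return False


# Constructed inputs: a benign report, and one declaring an external
# entity whose URI is a placeholder rather than any real file.
BENIGN_XML = (b"<report><title>Missing privilege check</title>"
              b"<priority>P1</priority></report>")
XXE_XML = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE report [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
           b'<report><title>&ext;</title></report>')

if __name__ == "__main__":
    print(parse_without_entities(BENIGN_XML))
    print("XXE document rejected:", is_rejected(XXE_XML))
```

The rejection fires on the DOCTYPE itself, so the entity body is never read; the entity and external-reference handlers are belt-and-braces for parsers configured to allow a DTD. A formatting-level check like this belongs in front of whatever XML library the application actually uses, since library defaults differ.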

Laxman Muthiyah identified a way for a malicious user to delete any photo album owned by a user, page, or group on Facebook. He found this vulnerability when he tried to delete one of his own photo albums using the Graph Explorer access token.

Cross-domain Information Disclosure

Clifford's first private bounty invitation. Launched at midnight in PH. Found an IDOR → elevation of privilege

Bug in the import user feature: no check whether the user who is requesting the import has the right privilege

https://www.cliffordtrigo.info/hijacking-smartsheet-accounts/

IDOR → elevation of privilege:
1) login to https://service.teslamotors.com/
2) navigate to https://service.teslamotors.com/admin/bulletins
3) now you are admin: you can delete, modify and publish documents

http://nbsriharsha.blogspot.in/2015/07/a-style-of-bypassing-authentication.html
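The two IDOR cases above and the album deletion reported to Facebook come down to the same missing control: the server never re-checks who is asking. The following is an added example, not code from the talk or from any of the affected services: a framework-free request dispatcher in which a `requires_role` decorator guards admin-only actions such as the user import, an ownership check guards per-user objects such as albums, and route registration refuses any `/admin/` handler that carries no role guard. Users, roles, albums and requests are constructed.

```python
"""Added example (not from the talk or any affected service): server-side
authorization enforced on every request. Users, roles, albums and requests
are constructed for this example."""
from dataclasses import dataclass, field
from functools import wraps


class Forbidden(Exception):
    """Authorization failure; the dispatcher maps it to HTTP 403."""


@dataclass
class Request:
    path: str
    user: str                      # identity already established by authentication
    body: dict = field(default_factory=dict)


# Constructed principals and object ownership.
USER_ROLES = {"alice": {"admin"}, "bob": {"member"}, "mallory": {"member"}}
ALBUM_OWNER = {"album-1": "alice", "album-2": "bob"}
DENIED = []   # constructed audit sink; denied requests are what detection watches


def has_role(user, role):
    return role in USER_ROLES.get(user, set())


def requires_role(role):
    """Decorator: reject the request unless the caller holds `role`."""
    def deco(handler):
        @wraps(handler)
        def guarded(req):
            if not has_role(req.user, role):
                DENIED.append((req.user, req.path))
                raise Forbidden(f"{req.user} lacks role {role!r}")
            return handler(req)
        guarded.required_role = role      # marker checked by register_routes
        return guarded
    return deco


def import_users_unchecked(req):
    """The vulnerable shape: assumes only admins ever reach this URL."""
    return {"imported": list(req.body.get("users", [])), "by": req.user}


@requires_role("admin")
def import_users(req):
    """Hardened: the role is verified on every call, never inferred from the URL."""
    return {"imported": list(req.body.get("users", [])), "by": req.user}


def delete_album(req):
    """Object-level check: only the owner (or an admin) may delete an album."""
    album = req.body["album_id"]
    owner = ALBUM_OWNER.get(album)
    if owner is None:
        return {"deleted": False, "reason": "no such album"}
    if owner != req.user and not has_role(req.user, "admin"):
        DENIED.append((req.user, req.path))
        raise Forbidden(f"{req.user} does not own {album}")
    return {"deleted": True, "album": album}   # the deletion itself would follow here


def register_routes(table):
    """Refuse to start if any /admin route lacks a role guard."""
    for path, handler in table.items():
        if path.startswith("/admin/") and not hasattr(handler, "required_role"):
            raise RuntimeError(f"unguarded admin route: {path}")
    return dict(table)


def dispatch(routes, req):
    """Return (status, body) the way a minimal web layer would."""
    handler = routes.get(req.path)
    if handler is None:
        return 404, {"error": "not found"}
    try:
        return 200, handler(req)
    except Forbidden as exc:
        return 403, {"error": str(exc)}


def startup_rejects_unguarded_admin_route():
    """True if registering the unchecked importer under /admin/ fails."""
    try:
        register_routes({"/admin/import-users": import_users_unchecked})
    except RuntimeError:
        return True
    return False


ROUTES = register_routes({
    "/admin/import-users": import_users,
    "/albums/delete": delete_album,
})

if __name__ == "__main__":
    print(dispatch(ROUTES, Request("/admin/import-users", "bob", {"users": ["x"]})))
    print(dispatch(ROUTES, Request("/albums/delete", "mallory", {"album_id": "album-2"})))
    print("denied:", DENIED)
```

The registration check is the part worth carrying into a real code base: a unit test that walks the route table and fails on any privileged path without a guard catches the "forgot the decorator" mistake before a bounty researcher does. The `DENIED` list stands in for the audit log that a 403 on an admin path should always produce.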

C:\blue

Rapid triage & prioritization (get to the P1s faster): Submission framework & expectations; Eloquence of written communication; Clear in and out of scope documentation

How to reduce noise: Guidance and training (Google: Bughunter University; Facebook: Bounty Hunter's Guide; Bugcrowd: Bugcrowd Forum); Clear in and out of scope documentation; Direct performance feedback

Rapid triage & prioritization: Clear the queue daily; Communicate your priorities; Dealing with duplicates

Rapid triage & prioritization: Defined vulnerability taxonomy

Is it worth the hassle? "In Mortal Combat terms, it is a Fatality. If we get nothing else from the bounty, this vuln was worth the whole program alone. Due to the critical nature of the issue, we immediately patched the Prod servers this evening to close this exploit. We are also reviewing all logs since we don't delete them yet to identify any instance where this ever happened in the past."

How to reduce noise: Publish and stick to your program SLA; Stop rewarding bad behavior; Don't create bad behavior; Reward consistently; Reward fairly; Fix quickly; Again with the documentation
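The P1/P2 definitions and the blue-team slides above (defined taxonomy, clear the queue daily, dealing with duplicates, a published SLA) describe one triage process. The following is an added example that is not Bugcrowd's code: a minimal triage queue that assigns priority from the vulnerability class using the P1/P2 examples in the talk, collapses duplicates onto the earliest report by fingerprint, rejects out-of-scope reports before any priority is assigned, orders the backlog P1 first, and lists reports past a first-response SLA. The `SLA_HOURS` values, the submissions and `NOW` are constructed assumptions.

```python
"""Added example (not Bugcrowd's code): a minimal triage queue applying
the P1/P2 taxonomy above, collapsing duplicates onto the earliest report,
rejecting out-of-scope reports, ordering the backlog P1 first and listing
reports past a first-response SLA. SLA values, submissions and NOW are
constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Priority by vulnerability class, following the P1/P2 examples in the talk.
# Unlisted classes start at P3 and are raised only by a human reviewer.
PRIORITY = {
    "vertical auth bypass": 1, "user auth bypass": 1, "ssrf": 1,
    "xxe": 1, "sql injection": 1,
    "lateral auth bypass": 2, "stored xss": 2, "csrf": 2,
}
DEFAULT_PRIORITY = 3
# Constructed first-response SLA per priority, in hours (an assumption).
SLA_HOURS = {1: 24, 2: 72, 3: 168}


@dataclass(frozen=True)
class Submission:
    id: str
    vuln_class: str
    asset: str            # host and path the report targets
    received: datetime
    in_scope: bool = True


def priority(s):
    return PRIORITY.get(s.vuln_class.lower(), DEFAULT_PRIORITY)


def fingerprint(s):
    """Same class on the same asset counts as the same bug (tune per program)."""
    return (s.vuln_class.lower(), s.asset.lower().rstrip("/"))


def triage(submissions):
    """Return (queue, duplicates, out_of_scope).

    queue: in-scope, non-duplicate reports, P1 first, then oldest first;
    duplicates: {dup id: original id}, the original being the earliest report;
    out_of_scope: ids rejected before any priority is assigned.
    """
    queue, dups, oos, first_seen = [], {}, [], {}
    for s in sorted(submissions, key=lambda s: s.received):
        if not s.in_scope:
            oos.append(s.id)
            continue
        fp = fingerprint(s)
        if fp in first_seen:
            dups[s.id] = first_seen[fp]
            continue
        first_seen[fp] = s.id
        queue.append(s)
    queue.sort(key=lambda s: (priority(s), s.received))
    return queue, dups, oos


def overdue(queue, now):
    """Ids whose first-response SLA has elapsed without triage."""
    return [s.id for s in queue
            if now - s.received > timedelta(hours=SLA_HOURS[priority(s)])]


def triage_summary(submissions, now):
    queue, dups, oos = triage(submissions)
    return {"queue": [s.id for s in queue], "duplicates": dups,
            "out_of_scope": oos, "overdue": overdue(queue, now)}


# Constructed submissions and clock.
SAMPLE = [
    Submission("s1", "Stored XSS", "app.example/profile", datetime(2015, 7, 1, 9)),
    Submission("s2", "SQL Injection", "app.example/search", datetime(2015, 7, 1, 10)),
    Submission("s3", "stored xss", "app.example/profile/", datetime(2015, 7, 2, 8)),
    Submission("s4", "Open Redirect", "app.example/login", datetime(2015, 7, 1, 11)),
    Submission("s5", "XXE", "legacy.example/api", datetime(2015, 7, 1, 12), in_scope=False),
]
NOW = datetime(2015, 7, 3, 12)

if __name__ == "__main__":
    print(triage_summary(SAMPLE, NOW))
```

Duplicates are attributed to the earliest report because that is what "reward consistently" requires: the researcher who was first gets the credit, and the later reporter can be told exactly which submission theirs matched. The fingerprint is deliberately coarse; real programs refine it with the affected parameter or endpoint so that two distinct stored XSS bugs on one page are not collapsed.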

C:\tl;dr

Conclusions: Bug bounties successfully generate high severity vulnerability disclosures, delivering real value that improves application security for companies of all sizes. Crowdsourcing engages skilled researchers around the world that you may not have heard of.

Call to action: Write strong scope documentation; Clear submission expectations; Provide feedback; Stay consistently engaged; Reward good behavior
