5 Reasons NOT To Start a Bug Bounty Program: Real Talk with HackerOne

Published on December 28, 2016

Author: hacker0x01

Source: slideshare.net

1. hackerone.com @hacker0x01

2. Who is this guy?
● Adam Bacchus
● Work
○ Pentester (~4 yrs)
○ Google (~4 years)
○ Snapchat (~1 year)
○ HackerOne
● Play
○ Gaming
○ Playing with fire

3. What is a bug bounty program?

4. 5 reasons NOT to start a bug bounty program
1. Who are these hackers? Can I trust them?
2. It’ll be a PR disaster!
3. It’s a budgeting black hole!
4. We don’t have bandwidth to start and run a bounty program!
5. (??? to be revealed later ???)

5. #1 - Who are these hackers? Can I trust them?

6. #1 - Who are these hackers? Can I trust them?
● Anyone from across the world!
● Student hackers
● Professional hackers
● Casual hackers
● Young, old, all genders, all races - everyone

7. #1 - Who are these hackers? Can I trust them?
● Why do they hack?
○ Intellectual curiosity
○ Recognition
○ It’s the “right thing” to do
○ Financial rewards
○ Helping protect brands they like
○ Satisfaction from improving security

8. #1 - Who are these hackers? Can I trust them?
Reality check:
1. Vulnerabilities are inevitable.
2. Hackers are gonna hack.
3. Give them the opportunity to do the right thing!

9. #1 - Who are these hackers? Can I trust them?
● What if they go outside of scope?
● What if they leak vulnerability details?
● What if they use what they found as a weapon against me?

10. What if they go out of scope?
● First step - create a “rules page,” AKA your “security page”
● What’s in scope? What’s out of scope?
● How do they contact you?
● Are you offering rewards?
● The rules page is an iterative process

11. Transparency is key! Transparency reduces misunderstandings.

13. What if they leak vulnerability details?
● Set the “rules of the road” in your security page
● No disclosure until the bug is fixed! Otherwise, you’re outta here
● When are bounties paid?
● Incentives + negative impact
○ Loss of reputation for the hacker
○ Other companies won’t want to work with them

16. What if they use what they found as a weapon against me?
● Hackers are gonna hack; it’s a race between good and evil
○ Truly evil hackers aren’t going to bother with your bug bounty
○ Encourage friendly hackers to find and report bugs first
● Clearly state in your security@ page that only test accounts may be used
○ Hacking other users is not allowed!
● Outline the limits of testing in your security@ page
○ How far should/shouldn’t a hacker go with a PoC?

17. Did I mention transparency yet? :)

18. #2 - It’s a budgeting black hole!

19. #2 - It’s a budgeting black hole!
● I don’t know how much budget I need for bounties!
● This sounds like it costs a ton of money! What’s my ROI?

20. I don’t know how much budget I need for bounties!
● Start small! Ensure your scope is well-defined
● Figure out your bounty pricing structure
● Think of the vulnerability types and scopes that matter most to you
○ These areas should have higher rewards
○ Healthcare? Bugs that expose patient data
○ Financial? Bugs that alter financial data
○ Advertising? Bugs that impact daily revenue
○ etc.

21. I don’t know how much budget I need for bounties!
● Consider starting with a “private” / invite-only program first
● Test the waters
● Avg. bounty based on HackerOne data = $500 per bug
● Check out similar bug bounty programs to see how they structure pricing

23. This sounds like it costs a ton of money! What’s my ROI?
● What’s more expensive - getting breached, or getting a heads-up from a friendly hacker?
● Data from bug bounty programs helps you identify gaps in your SDLC
● Positive security PR by virtue of even having a bounty program
● HackerOne has ROI tools to walk you through this; contact sales@hackerone.com for more info
The Dept. of Defense paid $5 million+ over three years to a single vendor which found < 10 vulns. The Hack the Pentagon bug bounty program cost $150k and resulted in 138 valid vulnerabilities. That’s 14x the output for 1/33 the cost!

24. #3 - We don’t have bandwidth!

25. #3 - We don’t have bandwidth!
● Our security team is already swamped; how can we find time to run a bounty program?
● We have a hard enough time getting developers to fix security bugs in a timely manner today, and you want me to pile more security bugs on top of that?

26. Our security team is already swamped; how can we find time to run a bounty program?
● It definitely takes time
● The initial launch will have the biggest flood of reports
● Consider a “private” / invite-only program to start out

27. Our security team is already swamped; how can we find time to run a bounty program?
● Set up a weekly on-duty/interrupts rotation
● Primary on-duty is responsible for responding to all reports
● Share the operational load, prevent burnout
● Depending on volume, assume 20 hrs / week initially
● Otherwise, you can pay to play
○ HackerOne offers various levels of managed service for triaging reports, managing bounties, etc.

29. We have a hard enough time getting developers to fix security bugs in a timely manner today, and you want me to pile more security bugs on top of that?
● Engage early with your dev team; “bugs are coming”
● Bugs are live in prod and were found by a friendly hacker
● This means an evil hacker could find them too
● Provides real-world motivation for more timely remediation
● Improve security culture and priority throughout the org

30. We have a hard enough time getting developers to fix security bugs in a timely manner today, and you want me to pile more security bugs on top of that?
● This is a new stream/source of bugs
● Tie in to your existing vulnerability management processes
● Ensure the impact of the issue is clearly communicated
○ Classify the severity of the issue (ease of exploit, impact, what’s affected, etc.)

31. We have a hard enough time getting developers to fix security bugs in a timely manner today, and you want me to pile more security bugs on top of that?
● If devs have questions, be the glue between them and the hacker
● Create incentive programs for devs; celebrate:
○ Fastest fixers
○ Cleanest code
○ Most improved
○ etc.

32. #4 - It’ll be a PR disaster!

33. #4 - It’ll be a PR disaster!
● Isn’t having a bug bounty program the same as admitting we can’t handle security ourselves? It makes us look weak!
● What if we disagree with a hacker and they go to the media?
● My PR team would never allow us to do something like this!

34. I mean, nobody does this stuff!

35. ...and even if they do, no one talks about it

36. Who would publicly state they wanted help from hackers?

37. Isn’t having a bug bounty program the same as admitting we can’t handle security ourselves? It makes us look weak!
● It’s impossible to catch everything yourself
● Bug bounty programs let friendly hackers work with you to help identify issues before the bad guys do
● Big names have public programs - they are a best practice
○ Not having a program puts you behind in the race
● Even the US DoD invited hackers to Hack the Pentagon!

39. What if we disagree with a hacker and they go to the media?
● Transparency and high-quality comms to keep things smooth
● Invariably you’ll have an outlier wanting to go public on a non-issue
● If it’s truly a non-issue, the hacker will end up looking silly

41. My PR team would never allow us to do something like this!
● Having a publicly facing bug bounty program is actually a source of great security PR
● Your public bug bounty program is a public track record of your commitment to security
● Security is a competitive differentiator
● Need to ensure PR understands how bug bounties work
● Show them examples of positive security PR from bug bounty programs (e.g. Hack The Pentagon)

42. #5 - ???
● Alright, the fifth reason NOT to start a bug bounty program… (drumroll please)

43. #5 - I don’t know where to start!
● Maybe you’re convinced - you’re ready to start a program… but how?
● There are a ton of resources out there to get started
● Lots of great existing examples...

44. Example: Uber’s rules page - hackerone.com/uber

45. Example: Twitter’s rules page - hackerone.com/twitter

46. #5 - I don’t know where to start!
● HackerOne’s “Hacktivity” feed: https://hackerone.com/hacktivity/popular
● Collin Greene’s blog on bug bounty programs: https://hackerone.com/blog/bug-bounty-5-years-in-uber-facebook
● Creating a private team on HackerOne: https://hackerone.com/teams/new
● Crafting your security page: https://hackerone.com/blog/Bug-Bounty-or-Bust-Crafting-Your-Security-Page

47. So… why shouldn’t you start a bug bounty program?
1. Who are these hackers? Can I trust them?
2. It’ll be a PR disaster!
3. It’s a budgeting black hole!
4. We don’t have bandwidth to start and run a bounty program!
5. (??? to be revealed later ???)

52. So… why shouldn’t you start a bug bounty program?
1. Who are these hackers? Can I trust them? Friendly hackers are your friends!
2. It’ll be a PR disaster! Bug bounty programs increase your security PR stature
3. It’s a budgeting black hole! Estimate your budget and start small
4. We don’t have bandwidth to start and run a bounty program! Sell the ROI to get buy-in on necessary resources, build a great structure around operational coverage
5. (??? to be revealed later ???) Get started!

53. Conclusion
Thanks for watching!
1. HackerOne’s “Hacktivity” feed: https://hackerone.com/hacktivity/popular
2. Collin Greene’s blog on bug bounty programs: https://hackerone.com/blog/bug-bounty-5-years-in-uber-facebook
3. Creating a private team on HackerOne: https://hackerone.com/teams/new
4. Crafting your security page: https://hackerone.com/blog/Bug-Bounty-or-Bust-Crafting-Your-Security-Page
Twitter: @sushihack
