Bug Bounty Programs: Good for Government
My hands & your world is secured!
Presented at The Hackers Conference, New Delhi
August 25, 2013
Time for real change is NOW!
A security budget is inversely proportional to a CxO's feel-good factor.
Bug Bounty Programs will attract the best security brains for ~ZERO cost!
NOW
The Bounty Hunter: Wild West Times
He hunted humans!
Better than the best gunslinger or tracker
Harrison Ford as
Han Solo in Star Wars
The Bounty Hunter: Wild Space Age
Better than the best!
Mercenary gun for hire
Harrison Ford as
Han Solo in Star Wars
Internet Age
Wild
Dangerous
Unknown
Constantly Morphing
Dynamic Surface
Virtual / Intangible
Supports Life
Ethical Helper
Khabri (informer)
Responsible Citizen
Good Samaritan
Honest Person
Black hats are among organizations and businessmen too, who will cheat the good hacker of reward and recognition!
Star Wars Episode IV (1977)
Han Solo (Harrison Ford), to
Princess Leia (Carrie Fisher)
Lucas Films/Courtesy Everett Collection
"I'm not in it for you, princess. Look, I ain't in this for your revolution, and I expect to be well paid. I'm in it for the money."
Men are nothing until they are excited
Govt dept was the target of spear phishing.
Malware was put out for analysis with a bounty of 25k; this was increased to 50k due to an increase in scope and a tie between two teams in phase 1.
The bounty hunter has to identify the malicious activity and the command centre.
Time-bound results expected (24 hours).
Maximum information and good presentation to be given weightage.
The information was of high quality and the department was able to contain the attack, the malware and the attacker.
Market value of work done: man hours if the assignment had been carried out internally: min 100.
Value of work if I had quoted: Rs. 5,00,000.
Bounteous rewards await the Government department that starts a BB program. They are able to identify (actually) good testers who will HONESTLY disclose vulnerabilities.
Capability for security management, protection or response lies primarily with intelligence agencies.
Departments depend on CERT-empanelled firms and carry out only a one-time assessment.
Total lack of awareness of (or respect for) IS among HoDs, and of security expertise in Ops teams.
Most government infrastructure is waiting for a kehar (calamity): someone's death wish!
Capacity and capability building sans resources.
Lack of skills, awareness and knowledge.
Uncertainty about the skills / ethics of testers.
Big PPP players work (only) on big projects.
Attain high level of assurance at low cost
Supporting independent research
Fulfill our national Mission Impossible:
500k IS professionals in 3 yrs
PPP (Public + Professional Participation) will work better than the Public, Private Participation.
Continuous Testing by proven professionals
Critical Infrastructure Protection
Information Sharing
Identify professional friends-in-need
Find vulnerabilities missed by your team
Save BIG money on housekeeping
Best brains in the business work free!!
Success-fee based, non-negotiable.
Potential candidates for hire
Crowd sourced quality control
Use a BB Escrow Service
Start one on your own or crowd-source
Contact hackers in Hall of Fame
Reach out via Social Media
Word of Mouth
Offer Good Bounty
Companies have to be as ethical as the hackers
Admin super geek
Workflow / bug tracking system
Your terms and conditions transparent and in plain simple language
Escalation path (in case one does not agree with the admin's decision on payout)
Open playing field for unknowns
Researcher sells in the underground
Revenge attack by unhappy hunter
Rogue hacker steals data
Wrong, slow or improper communication
Dealing with young hot professionals
OOPS!
http://rt.com/news/facebook-post-exploit-hacker-zuckerberg-621/
Technically sound head geek !
Quick Communication Plan
Transparency
Acknowledge and Pamper
Pay Good Money (be the best)
Media Announcements
Wall of Fame
NOW !!
Cost of web application testing using automated open source tools = 50k to 200k
Cost paid by a very aware govt department to a CERT-empanelled auditor = 20k to 50k; the audit firm would be foolish to carry out even one manual test!
With this pricing the client can forget getting anyone to even give a jhalak (glimpse) of a commercial tool like Core, IBM, Qualys.
"Me, a big corporation, or me, a big guy: it's not good for my image or reputation."
Priority   Nature of Bug
1          Remote Code Execution
2          SQLi
3          Authentication Bypass
4          Privilege escalation
5          Circumvention of web app permissions
6          Stored XSS
7          Reflected XSS
8          CSRF
9          Clickjacking
Age: 0 > 25
Started BH: 3-5 years ago
Amount of money made: Y0-Y2: about $0-500 (unless very lucky or good); Y2 onwards: average minimum $800-1000 per month, growing to an average of $2-3k
Daily work life: regular life; average 6 to 8 hours daily, less on weekends
Bug hunting: 8-10 hours, more if excited, more on weekends
Sleep: whenever!
Social acceptability: Y0-Y3: BAD, parents gave up; Y2 onwards: great!
Taxable income: who knows!
Has PAN number, bank account
You do not want anyone from here:
- visiting you
- buying your data
- selling your data
NO Siree!
Facebook Whitehat List https://www.facebook.com/whitehat/thanks/
Twitter Whitehat List https://www.twitter.com/about/security
Google Security Hall of Fame http://www.google.com/about/appsecurity/hall-of-fame/distinction/
PayPal Wall of Fame https://www.paypal.com/webapps/mpp/security-tools/wall-of-fame-honorable-mention
Dropbox "Special Thanks" for Security https://www.dropbox.com/special_thanks
Adobe Security Acknowledgments http://www.adobe.com/support/security/bulletins/securiacknowledgments.html
Apple Security Notifications http://support.apple.com/kb/HT1318
Zendesk Security http://www.zendesk.com/company/responsible-disclosure-policy
Nokia Siemens Networks Hall of Fame http://www.nokiasiemensnetworks.com/about-
Vignesh Kumar
Amol Naik (25/26)
Riyaz Walikar (24)
Krutarth Shukla
Ajay Singh Negi
Prakhar Prasad (20)
Mahadev Subedi
Aditya Gupta (22)
Subho Halder (22)
Harsh Vardhan Bopanna
Open Security Alliance, Principal and CEO
Jharkhand Police, Cyber Security Advisor
Pyramid Cyber Security & Forensics, Principal Advisor
Indian Honeynet Project, Co-Founder
Professional skills and special interest areas
Security Consulting and Advisory services for IS Architecture, Analysis, Optimization.
Government policy, strategy, law enforcement
Technologies: SOC, DLP, IRM, SIEM
Practices: Incident Response, SAM, Forensics, Regulatory guidance.
Community: mentoring, training, citizen outreach, India research.
Opinionated blogger, occasional columnist, wannabe photographer
Contact Information
T: +91.9769890505
Twitter: @bizsprite
L: http://in.linkedin.com/in/dineshbareja
Facebook: dineshobareja
Acknowledgements & Disclaimer
Various resources on the internet have been referred to in contributing to the information presented. Images have been acknowledged where possible. Any company names, brand names or trademarks are mentioned only to facilitate understanding of the message being communicated; no claim is made to establish any sort of relation (exclusive or otherwise) by the author(s), unless otherwise mentioned. Apologies for any infraction, as this will be wholly unintentional, and objections may please be communicated to us for remediation of the erroneous action(s).