Setting up a Bug Bounty program
BUG BOUNTY PROGRAM
PRESENTATION & FEEDBACK
WHAT’S A BUG BOUNTY
▸Deal for reporting bugs and security leaks
▸First appeared in 1995
▸Google: 2010
▸Rest of the world: 2011
▸No more consultants, audits, blah blah
PRESENTATION
HACK YOURSELF BEFORE OTHERS DO
ADVANTAGES
▸Cheap
▸Pay as you go
▸Distributed
▸Transparency
▸Experts
DRAWBACKS
▸Bandwidth
▸Reactivity
▸Trust
FEEDBACK
HUNTER.IO
▸Distributed team of 5
▸No security expert
▸Focused on UX and data quality, not on security
ANNOUNCEMENT
▸Rules (do not disturb, no automation, test with your own data, don’t publish until we have fixed it, etc.)
▸Rewards
▸What’s included and what’s not
▸How to report
RESULTS
▸More than 30 reports
▸7 rewards
▸About $2000 in bounties
▸A few disappointed hackers
▸A tested and retested app by dozens of hackers
KEY SUCCESS FACTORS
▸Be reactive
▸Be generous
▸Be kind
▸Be transparent
▸Be confident
SOURCES
▸https://hackerone.com/
▸https://bountyfactory.io
▸https://internetbugbounty.org/