HackerOne, Security Meetup 4 December 2014, Mail.Ru Group
TRANSCRIPT
#SecurityMeetUpMail.Ru
Bounties and Other Incentives
Katie Moussouris, Chief Policy Officer
http://twitter.com/k8em0 <-- that’s a zero
Who I am
Chief Policy Officer, HackerOne
Mother of Microsoft’s Bounty Programs, Internet Bug Bounty Panelist
Chair of BlueHat Content Board 2010-2013
My (security*) work in bullet points:
◆ Linux Dev and Security Tzarina - TurboLinux, circa 2000
◆ Pen Tester - Artist formerly known as @stake
◆ Founder - Symantec Vulnerability Research (SVR)
◆ Founder - Microsoft Vulnerability Research (MSVR)
◆ Policy Maker
◆ Editor for ISO standard on Vulnerability Handling (30111)
◆ Lead SME for US National Body on Vulnerability Disclosure (29147)
◆ Lead editor for Penetration Testing as it applies to Common Criteria (20004-2) and Secure Application Development processes (27034-3)
* Was a molecular biologist in a past professional life; worked on the Human Genome Project
What is HackerOne?
● Vulnerability Coordination Platform
o Built by Facebook, Microsoft, Chrome security folks
● 100+ live programs with well over $100k paid out each month
● 1,000+ users hackers (researchers?) recognized for their work
● Important: We only host these programs.
o Researchers & Security Teams manage their own programs.
o HackerOne employees do not have access to reports.
H1 Programs (Average)
Signal-to-Noise Ratio
● There's noise on the internet
● Researcher Reputation - Good for researchers and teams
o The best researchers stand out from noisier ones
Reputation: Plus Rate Limiting
● Mutual incentives to maintain a high-signal environment
o Security Teams benefit from additional context
o An Anecdote!
"Noisiest" researcher had 1,500+ submissions and a <5% success rate.
One month later: same researcher now has 60%+ success rate.
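The reputation-plus-rate-limiting idea from the slide above, as an added illustrative example (this is not HackerOne's code, which the talk does not show): a sliding-window submission limiter whose per-researcher quota scales with the share of that researcher's resolved reports that were valid, so a noisy submitter is throttled to a small floor while a high-signal one keeps a larger allowance. The window length, the quota values, the `min_resolved` threshold, the class and function names, and the researcher histories in `simulate()` are all constructed assumptions for the example.

```python
"""Reputation-weighted submission rate limiter (illustrative example only).

Researchers whose resolved reports are mostly valid earn a larger per-window
submission allowance; noisy researchers are throttled to a small floor until
their signal ratio improves. Every threshold here is an assumed value.
"""
from collections import defaultdict, deque


class ResearcherRecord:
    """Per-researcher history: triage outcomes plus recent submission times."""

    def __init__(self):
        self.valid = 0
        self.invalid = 0
        self.recent = deque()  # timestamps (seconds) of submissions inside the window


class ReputationRateLimiter:
    def __init__(self, window=86400, base_quota=2, max_quota=20, min_resolved=10):
        self.window = window              # sliding window length in seconds (assumed: one day)
        self.base_quota = base_quota      # floor: nobody is locked out completely
        self.max_quota = max_quota        # ceiling for a perfect track record
        self.min_resolved = min_resolved  # below this, treat the researcher as unknown
        self.records = defaultdict(ResearcherRecord)

    def signal_ratio(self, who):
        """Fraction of resolved reports that were valid, or None if too few resolved."""
        rec = self.records[who]
        total = rec.valid + rec.invalid
        return None if total < self.min_resolved else rec.valid / total

    def quota(self, who):
        """Submissions allowed per window, scaled by the researcher's signal ratio."""
        ratio = self.signal_ratio(who)
        if ratio is None:
            return self.base_quota
        return max(self.base_quota, round(self.max_quota * ratio))

    def submit(self, who, now):
        """Return True if the submission enters the queue, False if it is throttled."""
        rec = self.records[who]
        while rec.recent and now - rec.recent[0] >= self.window:
            rec.recent.popleft()          # drop submissions that left the window
        if len(rec.recent) >= self.quota(who):
            return False
        rec.recent.append(now)
        return True

    def resolve(self, who, valid):
        """Security team triages a report; the outcome feeds the reputation."""
        rec = self.records[who]
        if valid:
            rec.valid += 1
        else:
            rec.invalid += 1


def simulate():
    """Constructed scenario: a noisy researcher, a high-signal one and a newcomer."""
    rl = ReputationRateLimiter()
    # Seed histories (constructed numbers, loosely modelled on the anecdote in the talk).
    for _ in range(5):
        rl.resolve("noisy", True)
    for _ in range(95):
        rl.resolve("noisy", False)       # 5% success rate
    for _ in range(12):
        rl.resolve("sharp", True)
    for _ in range(8):
        rl.resolve("sharp", False)       # 60% success rate

    results = {}
    for who in ("noisy", "sharp", "newcomer"):
        # Each researcher fires 30 reports, one per minute, within a single window.
        accepted = sum(rl.submit(who, now=i * 60) for i in range(30))
        results[who] = {"quota": rl.quota(who), "accepted": accepted}

    # Phase 2: throttled, the noisy researcher focuses and the next 20 resolutions are valid.
    for _ in range(20):
        rl.resolve("noisy", True)
    results["noisy_after"] = {
        "quota": rl.quota("noisy"),
        # A day later the window has slid past the earlier submissions.
        "accepted_next_day": rl.submit("noisy", now=86400 + 1800),
    }
    return results


if __name__ == "__main__":
    for who, stats in simulate().items():
        print(who, stats)
```

The floor quota matters: a researcher with a bad ratio is slowed down, not silenced, so a genuine finding from them still gets through and, once triaged as valid, raises their ratio and their allowance, which is the recovery the anecdote describes.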
Knowledge
● Sharing knowledge is valuable to the entire community
o Those who do not learn from the mistakes of the past are doomed to repeat them
● Q: How can we encourage more vulnerability sharing?
o One-click disclosures
o Streamlined coordination
o Shared goals
o No surprises
HackerOne Transparency
View the details of every vulnerability HackerOne has ever had: https://hackerone.com/security
IE Preview Bug Bounty: All in the timing
● Running a bounty program during the Preview (beta) period for IE11 addressed the greatest number of issues with the least impact to customers AND engineers
● Vulnerability brokers don’t offer payment for the IE browser in beta, so there is a gap in the marketplace
● Actual Results: 23 submissions, 18 bulletin-class issues – including 4 sandbox escapes
IE 11 Preview Bounty --> Reverses Reporting Trend
Hacker!
"Hacker"?
● Definitions suck.
● Security is for everyone
o It needs to be more accessible & inclusive.
● Be a part of the security community
Questions?