Welcome to Scribd!

0% found this document useful (0 votes)

82 views

Decoding Bug Bounty Programs: Jon Rose

Uploaded by

Bug bounty programs allow independent security researchers to identify vulnerabilities for companies and receive cash rewards in return. Traditional security testing methods are outdated, while bug bounty programs leverage crowdsourcing to cost-effectively improve security. The document discusses how programs work, common bug types, benefits for companies and researchers, and statistics on payouts from Google's program. It also notes challenges like verifying bugs and maintaining efficient communication with researchers.

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Decoding Bug Bounty Programs: Jon Rose

Uploaded by

Adil Raza Siddiqui

0% found this document useful (0 votes)

82 views72 pages

Original Description:

Rose

Original Title

Rose

Copyright

Available Formats

PDF, TXT or read online from Scribd

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Download as pdf or txt

0% found this document useful (0 votes)

82 views72 pages

Decoding Bug Bounty Programs: Jon Rose

Uploaded by

Adil Raza Siddiqui

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Download as pdf or txt

Jump to Page

You are on page 1of 72

Search inside document

Decoding Bug

Bounty Programs

Jon Rose
Its all about
YOU
What is your Role?

Builder
Breaker
Defender
Bug Bounty Programs are
Revolutionizing
the way businesses
protect themselves
O RLY?
Traditional security
testing is
1. Automated tools dont work
2. Waterfall security isnt Agile
3. Massive shortage of talent
4. Cost prohibitive
Responsible
Disclosure
Plus
CrowdSourcing
With
Ca$h
Google Chrome

6-2012
9-2010
8-2004

11-2010

9-2012
2004 2010 2013

5-2012
11-2010

8-2005

9-2012
7-2011

2002
3-2009
No More Free Bugs
Any Bug Reporters?
Keys to Running a
Bug Bounty
5 Simple
Rules
Bug Payouts

Remote Auth
Code Bypass
Execution
SQL
Injection
XSS
Not all bugs are

equal
Disclosure
Policy
First In,
Best
Dressed
Well Defined
Targets and Scope
Do you pay for valid
bugs that are
out of scope?
5 Major
Benefits
Embrace
Continuous Testing
Market
Your Security
Diversity in
Tools,
Techniques,
Approach
Only Pay for results
Only Pay For
Results
Are
companies with
bug bounties
MORE
secure?
8 Potential
Problems
International
Legal Issues
Fixing bugs is hard
and requires
teamwork
Spot the difference
Understanding
Language Barriers
FALSE
POSITIVES
ARE A
NECESSARY
EVIL
Weak Security
Foundation
Unclear Policies
and Processes
Hackers
Cheat
Bounty
Hunters
Helping secure popular
services, improving my
skills, the credit, and of
course the payment for a
job well done

@NightRang3r
Bug Bounty Hunter
enhances my logical
bug finding creativity
and approach. It
motivates me..

@AjaySinghNegi
Bug Bounty Hunter
First of
all is the
challenge, and
second, the
acknowledgement
of researchers hard
work and rewarding
them accordingly
@NightRang3r
Bug Bounty Hunter
I like the training
aspects of bug bounties

@makash
Bug Bounty Hunter
The new challenges
which I get in the bug
bounty programs and
also the appreciation
by the bug bounty
security team

@AjaySinghNegi
Bug Bounty Hunter
3
Benefits
Prestige
and fame
Practice
Makes
Perfect
Cash
Money
Pick One:

Money
Fame
Experience
4
Problems
Ahead
No
Visibility
Terms can change at any
time
Inefficient
use of
testers time
Fixes Take
Time
Free
Advice
Be prepared to run
such a program, have
the professional man
power to deal with
bug submissions and to
understand them
@NightRang3r
Bug Bounty Hunter
Proper verification,
timely reply to bugs
submissions with status

@AjaySinghNegi
Bug Bounty Hunter
Statistics
dont Lie
Almost 80% of bug
submissions are sent in
by researchers who
submit less than 10 bugs
total
PayPal
44% percent of all bugs
are the first and only bug
sent by a researcher

PayPal
10% of the researchers
submit 25 bugs or more

PayPal
Google has paid out
$806,501 as of
3/11/2013

Google
Almost 70% of valid bugs
are XSS

XSRF
XSS

Google
Does it
Work?
Google is reporting fewer
bug submissions

Harder to find
Google Bug Hunter
Crowd-Sourced Security
is
changing
testing
Outsourcing

CrowdSecurify Bugwolf
Submit bugs
Accept bugs
Provide Rewards
Get Secure
Thank You!
Dark on Light
Continuous

Light on Dark
Be prepared to run
such a program, have
the professional man
power to deal with
bug submissions and to
understand them
@NightRang3r
Bug Bounty Hunter
Callout for Dark
Dark Grey Text
POP
Light Grey

Callout for Light

Program Costs

Analysis
Tracking
Development
Payment
Crowd Sourcing

PCIP Practice Questions
Document30 pages
PCIP Practice Questions
Adil Raza Siddiqui
93% (30)
Penetration Test Report Mr. Robot
Document12 pages
Penetration Test Report Mr. Robot
Abubakar Shehu
No ratings yet
Elite Dangerous Pilots Guide Manual Tutorial
Document213 pages
Elite Dangerous Pilots Guide Manual Tutorial
Kornelius Briedis
98% (43)
No Disintegrations SWRPG
Document98 pages
No Disintegrations SWRPG
JimWauters
100% (2)
Nxlog User Guide
Document1,480 pages
Nxlog User Guide
Tuan MA
No ratings yet
Edu 330 9x Datasheet
Document1 page
Edu 330 9x Datasheet
rd00700
0% (1)
SEC542 CTF Draft Presentation
Document7 pages
SEC542 CTF Draft Presentation
cikgufatah
No ratings yet
DW 3
Document137 pages
DW 3
chuckufarley999
100% (2)
Cartols Emporium
Document60 pages
Cartols Emporium
Joseph
100% (7)
WF-500 Datasheet
Document2 pages
WF-500 Datasheet
Nhat Tan Mai
No ratings yet
Quantum Risk Analysis PDF
Document8 pages
Quantum Risk Analysis PDF
Sergio Porta
No ratings yet
Sec Incident Resp Short Form
Document1 page
Sec Incident Resp Short Form
neuclearalpha
No ratings yet
2282a 00
Document16 pages
2282a 00
pablodoe
No ratings yet
Forensics Recommended-Practice PDF
Document51 pages
Forensics Recommended-Practice PDF
Ferney
No ratings yet
Vmware Vsphere Version Comparison: Across Versions
Document7 pages
Vmware Vsphere Version Comparison: Across Versions
mohamad septianto nugroho
No ratings yet
Claroty License Portal - Partner User Guide 20230417
Document13 pages
Claroty License Portal - Partner User Guide 20230417
Bruno Rossin
No ratings yet
Ics Nisttt PDF
Document155 pages
Ics Nisttt PDF
Ruchir
No ratings yet
Lutze Switch Power
Document268 pages
Lutze Switch Power
kanbouch
No ratings yet
Network Intrusion Detection System
Document46 pages
Network Intrusion Detection System
sachin mohan
No ratings yet
IndustrialCybersecurity CICP
Document13 pages
IndustrialCybersecurity CICP
Man101a
No ratings yet
I2IoT20 Chp4 Instructor Supplemental Material
Document18 pages
I2IoT20 Chp4 Instructor Supplemental Material
yaseer almohzri
No ratings yet
Security by Design (SBD) For Operational Technology (OT) - A Comprehensive Analysis
Document18 pages
Security by Design (SBD) For Operational Technology (OT) - A Comprehensive Analysis
minojnext
No ratings yet
Final Thesis
Document39 pages
Final Thesis
Mbanzabugabo Jean Baptiste
No ratings yet
Security Monitoring Windows Containers 38887
Document34 pages
Security Monitoring Windows Containers 38887
Danildo Mateus
No ratings yet
Cetiprof Cyber Security Consolidated V3
Document120 pages
Cetiprof Cyber Security Consolidated V3
ross simbiak
100% (5)
Traffic Lights
Document19 pages
Traffic Lights
Dina Rachmayati
No ratings yet
10 Intrusion Detection FAQ
Document8 pages
10 Intrusion Detection FAQ
Anwar Ahmad Sobarna
No ratings yet
CHP 4 IIOT
Document26 pages
CHP 4 IIOT
Ritesh5
No ratings yet
Itec413 15
Document33 pages
Itec413 15
Burak Ulucinar
100% (1)
SCADA OT Security Consultant24
Document7 pages
SCADA OT Security Consultant24
azzu
No ratings yet
Competitor: Virtual Tunnel
Document14 pages
Competitor: Virtual Tunnel
Vitthal Chaudhari
100% (1)
SE571 Air Craft Solutions - Phase 1
Document7 pages
SE571 Air Craft Solutions - Phase 1
zkeatley
No ratings yet
Security Automation
Document30 pages
Security Automation
Pavan Kantamsetti
No ratings yet
Security Information & Event Management: Your Teammate in Cyber Security
Document23 pages
Security Information & Event Management: Your Teammate in Cyber Security
okan aktas
No ratings yet
ICSSCADAIToT and Cybersecurity Presentation
Document27 pages
ICSSCADAIToT and Cybersecurity Presentation
George Carvalho
No ratings yet
XDR For Users: Trend Micro
Document3 pages
XDR For Users: Trend Micro
riyasathsafran
No ratings yet
WindEurope Response NIS2 Directive EC Proposal
Document2 pages
WindEurope Response NIS2 Directive EC Proposal
Hadd
No ratings yet
Sample Report
Document11 pages
Sample Report
qzombexzombe114
No ratings yet
Snort As Intrusion Detection and Prevention Tool - RESEARCH PAPER 1
Document20 pages
Snort As Intrusion Detection and Prevention Tool - RESEARCH PAPER 1
kim891
No ratings yet
Web Application Pentesting
Document6 pages
Web Application Pentesting
Adam Grace
No ratings yet
Seminar On Honeypot Technology
Document33 pages
Seminar On Honeypot Technology
Dhanya Sasidharan
No ratings yet
Gartner CASB Report NetSkope
Document26 pages
Gartner CASB Report NetSkope
Anthony
No ratings yet
Snort
Document20 pages
Snort
Choi Siwon
No ratings yet
OWASP Top 10 - Threats and Mitigations
Document54 pages
OWASP Top 10 - Threats and Mitigations
Swathi Patibandla
No ratings yet
CIS Fortigate 7.0.x Benchmark v1.3.0
Document180 pages
CIS Fortigate 7.0.x Benchmark v1.3.0
Veronica Vega
No ratings yet
Dragos - WP - Implementing A Defensible Architecture
Document11 pages
Dragos - WP - Implementing A Defensible Architecture
cybersouhimbou
No ratings yet
Vineet Sharma Keylogger
Document51 pages
Vineet Sharma Keylogger
vineet
No ratings yet
Malware
Document65 pages
Malware
jordanbelfort388
No ratings yet
Beauty Plc. VPN Project Proposal
Document16 pages
Beauty Plc. VPN Project Proposal
Baraka Mhanuka Wilson
No ratings yet
Watchguard System Manager 11.8
Document1,931 pages
Watchguard System Manager 11.8
Luis Angel
100% (1)
Activity 1.4.5: Identifying Top Security Vulnerabilities
Document4 pages
Activity 1.4.5: Identifying Top Security Vulnerabilities
micernz1071
100% (1)
CEH Practical Exam Blueprintv1
Document2 pages
CEH Practical Exam Blueprintv1
thespyeyeseverywhere
No ratings yet
Bitdefender GravityZone AdministratorsGuide 3 enUS
Document331 pages
Bitdefender GravityZone AdministratorsGuide 3 enUS
Ilir Daka
No ratings yet
Incident-Response-and-Recovery and Cloud Security
Document10 pages
Incident-Response-and-Recovery and Cloud Security
SHIVASAI
No ratings yet
Waterfall Top 20 Attacks Article d2 Article S508NC
Document3 pages
Waterfall Top 20 Attacks Article d2 Article S508NC
odie99
No ratings yet
Cyber Security in Africa
Document5 pages
Cyber Security in Africa
Black Hat Hacker
No ratings yet
The Emerging Roles of Automation in Safety and Security
Document4 pages
The Emerging Roles of Automation in Safety and Security
researchparks
No ratings yet
Vapt
Document21 pages
Vapt
Sri Gouri
No ratings yet
Insecure Deserialization
Document16 pages
Insecure Deserialization
MANSI BISHT
No ratings yet
Forcepoint Bandwidth Optimizer
Document2 pages
Forcepoint Bandwidth Optimizer
Ajeet
No ratings yet
Correlation Rules and Engine Debugging1
Document30 pages
Correlation Rules and Engine Debugging1
JC AM
No ratings yet
Data Compression Techniques - Project Synopsis
Document4 pages
Data Compression Techniques - Project Synopsis
Harsh Vardhan Jha
No ratings yet
310information Gathering
Document63 pages
310information Gathering
Saw Gyi
No ratings yet
Poster Coolest-Careers v0423 WEB
Document1 page
Poster Coolest-Careers v0423 WEB
amin 0
No ratings yet
Antivirus A Complete Guide - 2021 Edition
From Everand
Antivirus A Complete Guide - 2021 Edition
Gerardus Blokdyk
No ratings yet
Vulnerability Assessment and Penetration Testing Services-Masked
Document4 pages
Vulnerability Assessment and Penetration Testing Services-Masked
Adil Raza Siddiqui
No ratings yet
Cyber Strategy and Governance-Lead Solution Advisor / SR Solution Advisor - Payment Security
Document2 pages
Cyber Strategy and Governance-Lead Solution Advisor / SR Solution Advisor - Payment Security
Adil Raza Siddiqui
No ratings yet
3rd Party Outsourcing Information Security Assessment Questionnaire V1.4
Document15 pages
3rd Party Outsourcing Information Security Assessment Questionnaire V1.4
Adil Raza Siddiqui
No ratings yet
Mwaa Security Assessment Questionnaire: Topic Security Issue Response
Document4 pages
Mwaa Security Assessment Questionnaire: Topic Security Issue Response
Adil Raza Siddiqui
No ratings yet
What Is The Purpose of A Firewall?
Document3 pages
What Is The Purpose of A Firewall?
Adil Raza Siddiqui
No ratings yet
E10179 Information Security Analyst L4
Document5 pages
E10179 Information Security Analyst L4
Adil Raza Siddiqui
No ratings yet
Security Risk Management
Document35 pages
Security Risk Management
nandaanuj
No ratings yet
Information Security Management Protocol
Document38 pages
Information Security Management Protocol
Adil Raza Siddiqui
No ratings yet
Effec Ve Vulnerability Management: 10 Steps For Achieving
Document23 pages
Effec Ve Vulnerability Management: 10 Steps For Achieving
Adil Raza Siddiqui
No ratings yet
Information Security Risk Assessment Checklist
Document7 pages
Information Security Risk Assessment Checklist
Adil Raza Siddiqui
No ratings yet
Iso 27001 Compliance With Observeit
Document11 pages
Iso 27001 Compliance With Observeit
Adil Raza Siddiqui
No ratings yet
Lucideus ISACA Mobile App VAPT Workshop
Document7 pages
Lucideus ISACA Mobile App VAPT Workshop
Adil Raza Siddiqui
No ratings yet
Datasheet Security and Risk Consulting
Document4 pages
Datasheet Security and Risk Consulting
Adil Raza Siddiqui
No ratings yet
Web Application Pro Pentesting
Document502 pages
Web Application Pro Pentesting
Adil Raza Siddiqui
No ratings yet
Application Guide: Ontario's Express Entry Human Capital Priorities Stream
Document57 pages
Application Guide: Ontario's Express Entry Human Capital Priorities Stream
Adil Raza Siddiqui
No ratings yet
Asa Lab 1
Document5 pages
Asa Lab 1
Adil Raza Siddiqui
No ratings yet
Era of Change Bounty Hunting Doc
Document2 pages
Era of Change Bounty Hunting Doc
rashid jones
No ratings yet
Bounty Hunter
Document17 pages
Bounty Hunter
juan toledano
100% (1)
Ar Chronic Us
Document18 pages
Ar Chronic Us
Loprti
No ratings yet
Equal: A Self-Deflationary, Fairly Distributed, Multiplatform Utility Token
Document8 pages
Equal: A Self-Deflationary, Fairly Distributed, Multiplatform Utility Token
Gungaa Jaltsan
No ratings yet
FFG - Cartol's Emporium of Useful Things (v1.0)
Document60 pages
FFG - Cartol's Emporium of Useful Things (v1.0)
Christian Vikström
No ratings yet
Week 1 Police Patrol
Document12 pages
Week 1 Police Patrol
Ryan Gooco
No ratings yet
Outer Rim Character Solo Decks v2.3 Modified Chart Layout
Document9 pages
Outer Rim Character Solo Decks v2.3 Modified Chart Layout
janunezmendoza
No ratings yet
Firefly The Game Pirates and Bounty Hunters - Rules
Document9 pages
Firefly The Game Pirates and Bounty Hunters - Rules
guzlomi78
No ratings yet
Bounty Hunter - 1d4chan
Document2 pages
Bounty Hunter - 1d4chan
vefex13877
No ratings yet
(WN) Rebuild World - Volume 03 (Part 2)
Document244 pages
(WN) Rebuild World - Volume 03 (Part 2)
techmanOP amv's
No ratings yet
Decoding Bug Bounty Programs: Jon Rose
Document72 pages
Decoding Bug Bounty Programs: Jon Rose
Adil Raza Siddiqui
No ratings yet
TinyZine 26
Document29 pages
TinyZine 26
jjsena92
No ratings yet
(Moon Toad Publishing) MTP4120 Bounty Hunter Handbook (Cepheus Engine) (OEF) (2022!10!14)
Document159 pages
(Moon Toad Publishing) MTP4120 Bounty Hunter Handbook (Cepheus Engine) (OEF) (2022!10!14)
Tommy Anton
100% (3)
Every Star An Opportunity
Document19 pages
Every Star An Opportunity
chinkster
No ratings yet
Elysium Vol 3
Document82 pages
Elysium Vol 3
Alexander Gomberg
No ratings yet
Galaxy Guide 10 - Bounty Hunters
Document127 pages
Galaxy Guide 10 - Bounty Hunters
ezaw
100% (21)
Bug Bounty Field Manual Complete Ebook
Document72 pages
Bug Bounty Field Manual Complete Ebook
r3vhack
100% (1)
Bounty Hunters Necromunda 2024
Document4 pages
Bounty Hunters Necromunda 2024
Steve Monaghan
No ratings yet
The Few and The Cursed
Document32 pages
The Few and The Cursed
moox
0% (1)
64abc4471879916bc4e2aeb0 Arkham Whitepaper FINAL
Document11 pages
64abc4471879916bc4e2aeb0 Arkham Whitepaper FINAL
IT ADMIN
No ratings yet
Bug Bounty Webinar Slides 8-28-14
Document18 pages
Bug Bounty Webinar Slides 8-28-14
kishan
No ratings yet
HEXplore It - V4 Play Styles
Document52 pages
HEXplore It - V4 Play Styles
Liubartas Aleksiejus
No ratings yet
Reading For The Real World 1 Key
Document48 pages
Reading For The Real World 1 Key
JenelFernandez
No ratings yet
Bug Bounty Beginner's
Document8 pages
Bug Bounty Beginner's
pentest.b24
No ratings yet
Grim Pursuits Gathering Darkness Part3
Document157 pages
Grim Pursuits Gathering Darkness Part3
Robert Tucker
100% (1)