bug bounty cash for hack
#BugBounty
Bug Bounty
Cash for Hack
Who Am I (#whoami)
Atul Shedage
@atul_shedage
Instructor at suruji.com
Bug Bounty Hunter (only whenever I run out of money :P)
Creator of SVWA (suruji vulnerable web application)
Laravel Developer (PHP Framework)
BSc Graduate (MSc in progress)
Agenda
• What is Bug Bounty?
• History.
• Why join Bug Bounty?
• Bug Bounty Programs and Platforms.
• How to Start with Bug Bounties.
• Tools to Use.
• Reporting / Bug Submission.
• My Experience with Bug Bounty.
What is #BugBounty?
• Also called a VRP (Vulnerability Reward Program).
• Company (security team / vendor): creates the program. Offers cash, HOF (Hall of Fame) listing, swag. Fixes the bugs. Acknowledges your work.
• Researchers / bug hunters: hit the target and find bugs. Sometimes duplicates, sometimes $$$, sometimes swag. Recheck the bug after the fix. Write a blog post.
History
[Timeline image; image credit: crowdcurity.com]
Why Join Bug Bounty?
• $$$$
• Swag (Tshirts + Stickers + Mugs + Company Gadgets)
• Free Service
• HOF (Hall of Fame)
Bug Bounty Programs and Platforms
• Popular Programs
– Google (Min $100 & Max $20,000)
– Yahoo (Min $50 & Max $15,000)
– Facebook (Min $500)
– Want to know more?
• Github
• Etsy
Want a few more?
• https://bugcrowd.com/list-of-bug-bounty-programs/
• https://hackerone.com/programs
• https://www.crowdcurity.com/programs
Popular Platforms
• BugCrowd
– Managed security programs for companies
– 14,300 worldwide researchers
– 200+ Programs
• HackerOne
– Security inbox for companies
– 70+ Public Programs
– $1.9M Paid
• Synack
• CrowdCurity
How to Start with Bug Bounties
• Theory: OWASP Top 10, WASC 26 classes
• Practicals: SVWA (Suruji Vulnerable Web Application), OWASP Mutillidae, DVWA, Hack.me
• Read blog posts
• Follow some researchers on Twitter
• http://h1.nobbd.de/
Key Points
Ninja Skills? No Way!!!!
Common Bugs
• XSS (Cross-Site Scripting)
• CSRF (Cross-Site Request Forgery)
• Business logic flaws
• Insecure Direct Object References
• Clickjacking
• Session management and brute force
• 0-day CMS vulnerabilities
Tools to Use
• Burp Suite (http://portswigger.net/)
• Google, Bing, Yahoo (Google Dorks)
• Mozilla add-ons
– Tamper Data
– HackBar
– Live HTTP Headers
– User Agent Switcher
Reporting and Bug Submission
• Make a standard format:
– Vulnerability Name
– Domain
– Vulnerable Subdomain
– Affected URL
– POC (Proof of Concept)
– Browser / Operating System
– Description
My Experience
https://hackerone.com/reports/41409
Any Questions?