Bug Bounty Secrets
HARI KRISHNAN. R
Security Researcher and new to PPT :P
Basic steps:
1. Select the target
2. Gather information
3. Find bug and report
4. And get fame and cash
About Bug Bounty
Paying rewards to independent security researchers for finding vulnerabilities in their products. Major players: Google, Mozilla, Facebook, PayPal.
And what do we get? Money and fame. And what does the company get? They get their application secured, and it is very cost effective for them, as they pay the independent researchers a minimal amount.
What do you need to start hunting for bounty? Know about the target: their products, acquired companies (which you can find by searching in Google), subdomains, etc. Have a good understanding of the application which you are testing. Know which companies have a bug bounty program; some of them are: AT&T, Barracuda, Chromium Project, Etsy, Facebook, Gallery, Google, Hex-Rays, Kaneva, LaunchKey, ManageWP, Mozilla, PayPal, Samsung, Yandex.
What kind of bugs are in scope? XSS, XSRF / CSRF, SQL injection or equivalent, remote code execution, authentication bypass or information leak. Rewards for qualifying bugs can range from $100 to $20,000 or more. So far, Google has paid $828,000 to more than 250 individuals. Mozilla has paid $570,000+.
Reference: Slides from Adam Mein at SANS AppSec 2011
Example 1: DOM-based XSS in Google Partners
Example 2: XSS vulnerabilities in Google's Gmail mobile view, by Nils Juenemann
Conclusion: Report the bugs to the company rather than selling them on the black market ;)