Running a Bug Bounty Program
Adam Ruddermann
15 March 2018
IIA / ISACA / ACFE Joint Spring Training Event
Bug bounty? Responsible disclosure?
Huh?
Huh?
“Security Researchers”, “Whitehats”, “Hackers”, “Your children”
Find a security vulnerability in a company
Report it to the company and give them time to fix it before telling anyone else
(Optional) The company gives a monetary award
The agenda!
- Part 2: Huh?
- The component parts of these programs
- Where it fits, where it doesn’t
- Questions
Adam ‘rudd’ Ruddermann, Practice Director
Who is rudd?
Ok so, back to ‘huh?’
What is ‘responsible disclosure’?
• Researchers make a reasonable effort to contact the organization that can fix the security vulnerability and provide them actionable data about the bug to enable a fix.
• Researchers give the organization a reasonable amount of time to fix the bug and distribute it to their customers before disclosing it to anyone else.
  • CERT/CC: 45 days
  • Google: 90 days
• If the organization does not act in good faith or does not intend to fix the bug, the researcher is reasonably enabled to publicly disclose the unfixed vulnerability.
Clearing the air on terminology
Responsible Disclosure
• Publicly published:
  • Responsible disclosure rules
  • Product scope and boundaries
  • Legal safe harbor provisions
  • A dedicated channel to submit bugs
Bug Bounty (the above, plus)
• Thanks page and/or Hall of Fame
• Monetary and/or prize awards
Wait. How did we get here?
The component parts
I promise this won’t be too boring
The component parts of these programs
• Legal
• Public Relations
• Daily Ops
• Engineering Partnerships
• Award Payouts
Day-to-day Operations / Lifecycle of a Submission
Initial Triage → Decision Triage → Fix → Resolve
Initial Triage
• Engine room of the cruise ship
• Noise filtering
• Staff typically do not need to read code or be able to suggest fixes
• Unambiguous and well understood final decisions are made here
• Feels a lot like a help desk, but is much more technical
Decision Triage
• The captain of the ship
• The most technical person in the process
• Looks deep to understand root causes – including reading code
• Usually has day-to-day oversight of how things are going
• Everyone is supporting this person
Fix
• Working with engineering teams to get it fixed
• Step 1: Let the team know
• Step 2: Agree on how impactful the vulnerability is
• Step 3: Agree on resourcing and timelines
• Step 4: Track it!
Resolve
• Verify and land the fix, pay the researcher
• Make sure the fix actually works… or doesn’t introduce other problems
• Land it in production… does it break the product? (it happens)
• Let the researcher know and pay them (if you haven’t already)
Program Operations Management
• This process can be as ad hoc or refined as necessary for an org
• Good software – either built in house or outsourced through a vendor – is critical
• Operational metrics will define your success and failure
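The lifecycle above, and the operational metrics this slide says define success, as an added Python example that is not from the deck or the speaker's own program: a minimal submission tracker that only permits the slide's stage order and reports time-to-decision and which still-open reports have passed a 45- or 90-day disclosure window. The stage and policy key names, the field names, and the sample submissions are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median
# Lifecycle stages from the slides, plus the terminal states a submission can end in.
TRANSITIONS = {
    "initial_triage": {"decision_triage", "closed_invalid"},  # noise filtering
    "decision_triage": {"fix", "closed_invalid"},             # the captain makes the call
    "fix": {"resolve"},                                        # engineering owns it
    "resolve": {"closed_fixed"},                               # verified, landed, paid
}
DISCLOSURE_DAYS = {"cert_cc": 45, "google": 90}  # windows cited on the slides; keys are assumptions

@dataclass
class Submission:
    sid: str
    received: datetime
    stage: str = "initial_triage"
    history: list = field(default_factory=list)  # (from_stage, to_stage, when) records

    def advance(self, new_stage, at):
        """Move to the next stage, refusing transitions the lifecycle does not allow."""
        if new_stage not in TRANSITIONS.get(self.stage, set()):
            raise ValueError(f"{self.sid}: {self.stage} -> {new_stage} is not allowed")
        self.history.append((self.stage, new_stage, at))
        self.stage = new_stage

    def days_to_decision(self):
        """Days from receipt until the report left initial triage; None if still waiting."""
        for old, _new, at in self.history:
            if old == "initial_triage":
                return (at - self.received).days
        return None

    def overdue(self, policy, now):
        """Still open and past the researcher's disclosure window: expect a public write-up."""
        deadline = self.received + timedelta(days=DISCLOSURE_DAYS[policy])
        return self.stage in TRANSITIONS and now > deadline

def program_metrics(subs, policy, now):
    """The operational numbers the slides say define success or failure."""
    decided = [d for d in (s.days_to_decision() for s in subs) if d is not None]
    return {
        "open": sum(s.stage in TRANSITIONS for s in subs),
        "fixed": sum(s.stage == "closed_fixed" for s in subs),
        "median_days_to_decision": median(decided) if decided else None,
        "overdue": [s.sid for s in subs if s.overdue(policy, now)],
    }

def sample_queue():
    """Constructed sample data; the ids and dates are made up for this example."""
    t0 = datetime(2018, 1, 1)
    a = Submission("BB-1", t0)
    for stage, day in (("decision_triage", 1), ("fix", 3), ("resolve", 20), ("closed_fixed", 25)):
        a.advance(stage, t0 + timedelta(days=day))
    b = Submission("BB-2", t0)  # still sitting in initial triage
    return [a, b]
```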
Legal
• Clear lines of communications and expectations with corporate legal teams
• Contract law
  • EULA – exempt whitehats, precise carve-outs, or fully require adherence?
  • Program-unique terms
• Criminal law and legal safe harbors
  • USA: CFAA, DMCA
  • UK: CMA
• Corporate compliance
  • Data privacy: GDPR, Privacy Shield, etc.
  • Sanctions and anti-terrorism: various US and EU lists
  • Diversity and anti-corruption: checks for verifying corporate policies
Public Relations / Communications
“You’re the only engineers that regularly speak officially on behalf of the company that don’t have time to clear every word with PR first.”
- Melanie Ensign (@imeluny)
Public Relations / Communications
• Communications training for engineers and PMs
• Build a library of templated responses
• Consensus on when to escalate internally and when to escalate to the Comms team
Engineering Partnerships
• Product Management
• Software Engineering
• Corporate IT
Engineering Partnerships
• Coordinating scope changes with the product roadmap
• Thoughtful prioritization of low/mid severity bugs
• Software security education
• Very specific scope considerations
• Managing potential false positives on sensors
• This is Expert Mode bug bounty
Paying out awards
• What? How much should you pay?
• How? PayPal, Payoneer, Bitcoin, wire transfer, airline points (United), gift cards?
• Taxes! Withhold income tax? Require W8s?
“Ok, now what?”
Why this is worth it
• With good relationships, leveraging researchers will enable you to scale your security team
• Think of it like QA: Dozens of good testers will find more bugs than just 2 or 3 excellent testers
• Traditional pen tests are only accurate for a point in time, bug bounty testing is continuous
Where this fits
• Products should have a security architecture review and a traditional source code enabled pen test before considering bug bounty
• A small, private bug bounty is a great safe way to give top hackers access to a product first before launching an open bounty
• Recurring source code enabled pen tests to find deep, complex vulnerabilities
About those hacker parties…
Questions?
Adam Ruddermann
Practice Director, Bug Bounty Services
Email: [email protected]
@adamruddermann