![Page 1: bug bounty from a program’s perspectiveconference.hitb.org/hitbsecconf2017ams/materials/D2T4... · 2017. 10. 15. · rob fletcher, fletcher@uber.com product security team previous](https://reader036.vdocument.in/reader036/viewer/2022081619/60fb8e07e3eff82da34f76eb/html5/thumbnails/1.jpg)
bug bounty from a program’s perspective
hack in the box ams -- april 14, 2017
rob fletcher, fletcher@uber.com
product security team
previous bug bounty participant
actively involved in managing uber bug bounty -- security.uber.com
fan of gifs, stand-up comedy, and recently chess
uber bug bounty program
security.uber.com - public program started on March 22, 2016
$974,000+ (€918,478+) in bounties; 500+ reports awarded bounty
the researchers
the team
agenda
soup to nuts: an ideal bug bounty experience
maximize report value: user security is our top priority
uber bug bounty program updates
soup to nuts: an ideal bug bounty experience
i·de·al - a person or thing regarded as perfect
GOOOOOOOAAAAAAAAAALLLLLLLLL: provide insight into our program’s experiences and philosophies
benefit of the doubt: assume best intent
example: respectful peer-to-peer interactions vs adversarial interactions
program advantage: maintain healthy relationships with researchers
researcher advantage: maintain healthy relationships with programs
treat everyone with respect
evaluating security impact: willingness to learn and teach
example: understanding mitigations vs dire straits
program advantage: understand risk and prioritize
researcher advantage: higher bounty
be willing to teach; be willing to learn
report quality: succinct and reproducible
example: one-click POC vs speculative
program advantage: better reproducibility means we get our fix out faster
researcher advantage: faster time to bounty
be concise
concise - giving a lot of information clearly and in a few words; brief but comprehensive.
professionalism: patience and empathy
example: being professional vs “Bloody Mother Fucker..You already ruined the report via making me angry....and make me abuse you....!!”
program advantage: increased ability to understand nuances of report
researcher advantage: increased reputation in security community
bug bounty reports ≠ youtube comments
agenda
soup to nuts: an ideal bug bounty experience
maximize report value: user security is our top priority
uber bug bounty program updates
report value: user security is our top priority
security impact, not cleverness/complexity
scale of exposure
severity of exposure
$$$$ ATO; user datastore access
$$$ location data
$$ rate limiting issues
$ authorized data exposure
agenda
soup to nuts: an ideal bug bounty experience
maximize report value: user security is our top priority
uber bug bounty program updates
program updates: more money, faster
increase minimum bounty from $100 (€93.72) to $500 (€468.58)
award minimum bounty ($500) at time of triage
full bounty at time of resolution
Thanks for coming! Questions?
security.uber.com - come hack us and make money!