null Trivandrum Chapter - July 2013 Meet
Bug Bounty Secrets
HARI KRISHNAN. R
Security Researcher and new to ppt :P
And get fame and cash
Basic steps:
1. Select the target
2. Gather information
3. Find the bug and report it
About Bug Bounty
A bug bounty program pays rewards to independent security researchers for finding vulnerabilities in the company's products.
Major players: Google, Mozilla, Facebook, PayPal.
And what do we get? Money and fame. And what does the company get? Its application gets secured, and it is very cost effective for the company, since it pays the independent researchers a minimal amount.
What do you need to start hunting for bounties? Know about the target: its products, acquired companies (which you can find by searching Google), subdomains, etc. Have a good understanding of the application you are testing. Know which companies run a bug bounty program; some of them are: AT&T, Barracuda, Chromium Project, Etsy, Facebook, Gallery, Google, Hex-Rays, Kaneva, LaunchKey, ManageWP, Mozilla, PayPal, Samsung, Yandex.
What kinds of bugs are in scope? XSS, XSRF/CSRF, SQL injection or equivalent, remote code execution, authentication bypass or information leak. Rewards for qualifying bugs can range from $100 to $20,000 or more. So far, Google has paid $828,000 to more than 250 individuals. Mozilla has paid $570,000+.
Reference: Slides from Adam Mein at SANS AppSec 2011
Example 1: DOM-based XSS in Google Partners
Example 2: XSS vulnerabilities in Gmail's mobile view, found by Nils Juenemann
Conclusion: Report the bugs to the company rather than selling them on the black market ;)