Running a Bug Bounty Program (slide transcript)

Posted 14-Oct-2020

Running a Bug Bounty Program

Adam Ruddermann, 15 March 2018

IIA / ISACA / ACFE Joint Spring Training Event

Bug bounty? Responsible disclosure?

Huh?

“Security Researchers” / “Whitehats” / “Hackers” / “Your children”

Find a security vulnerability in a company

Report it to the company and give them time to fix it before telling anyone else

(Optional) The company gives a monetary award

The agenda!

- Part 2: Huh?

- The component parts of these programs

- Where it fits, where it doesn’t

- Questions

Adam ‘rudd’ Ruddermann, Practice Director

Who is rudd?

Ok so, back to ‘huh?’

What is ‘responsible disclosure?’

• Researchers make a reasonable effort to contact the organization that can fix the security vulnerability and provide them actionable data about the bug to enable a fix.

• Researchers give the organization a reasonable amount of time to fix the bug and distribute it to their customers before disclosing it to anyone else.
  • CERT/CC: 45 days
  • Google: 90 days

• If the organization does not act in good faith or does not intend to fix the bug, the researcher is reasonably enabled to publicly disclose the unfixed vulnerability.

Clearing the air on terminology

Responsible Disclosure

• Publicly published:
  • Responsible disclosure rules
  • Product scope and boundaries
  • Legal safe harbor provisions
  • A dedicated channel to submit bugs

Bug Bounty (adds to the above)

• Thanks page and/or Hall of Fame
• Monetary and/or prize awards

Wait. How did we get here?

The component parts (I promise this won’t be too boring)

The component parts of these programs

• Legal
• Public Relations
• Daily Ops
• Engineering Partnerships
• Award Payouts

Day-to-day Operations / Lifecycle of a Submission

Initial Triage → Decision Triage → Fix → Resolve

Initial Triage

• Engine room of the cruise ship
• Noise filtering
• Staff typically do not need to read code or be able to suggest fixes
• Unambiguous and well-understood final decisions are made here
• Feels a lot like a help desk, but is much more technical

Day-to-day Operations / Lifecycle of a Submission

Initial Triage → Decision Triage → Fix → Resolve

Decision Triage

• The captain of the ship
• The most technical person in the process
• Looks deep to understand root causes, including reading code
• Usually has day-to-day oversight of how things are going
• Everyone is supporting this person

Day-to-day Operations / Lifecycle of a Submission

Initial Triage → Decision Triage → Fix → Resolve

Fix

• Working with engineering teams to get it fixed
  • Step 1: Let the team know
  • Step 2: Agree on how impactful the vulnerability is
  • Step 3: Agree on resourcing and timelines
  • Step 4: Track it!

Day-to-day Operations / Lifecycle of a Submission

Initial Triage → Decision Triage → Fix → Resolve

Resolve

• Verify and land the fix, pay the researcher
  • Make sure the fix actually works… and doesn’t introduce other problems
  • Land it in production… does it break the product? (it happens)
  • Let the researcher know and pay them (if you haven’t already)

Day-to-day Operations / Lifecycle of a Submission

Initial Triage → Decision Triage → Fix → Resolve

Program Operations Management

• This process can be as ad hoc or refined as necessary for an org
• Good software – either built in house or outsourced through a vendor – is critical
• Operational metrics will define your success and failure
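As an added illustration of the submission lifecycle and the operational-metrics point above, and of the disclosure windows cited earlier (not the presenter's tooling), a minimal tracker that enforces the Initial Triage → Decision Triage → Fix → Resolve order, reports days-from-report-to-stage metrics, and flags each report against a 45-day (CERT/CC) or 90-day (Google) disclosure clock; the submission id and dates are constructed.

```python
from datetime import datetime, timedelta

# Stage order from the deck: Initial Triage -> Decision Triage -> Fix -> Resolve.
STAGES = ["initial_triage", "decision_triage", "fix", "resolve"]
# Disclosure windows named in the deck: CERT/CC 45 days, Google 90 days.
DISCLOSURE_WINDOWS = {"cert": 45, "google": 90}


class Submission:
    """One researcher report moving through the lifecycle.
    Timestamps are ISO-8601 strings ("2018-03-15"); sub_id is a constructed label."""

    def __init__(self, sub_id, reported_at):
        self.sub_id = sub_id
        self.reported_at = datetime.fromisoformat(reported_at)
        self.history = []  # (stage, entered_at), in the order stages were entered

    def advance(self, stage, at):
        """Enter the next stage: deck order only, no skipping, no going back in time."""
        expected = STAGES[len(self.history)] if len(self.history) < len(STAGES) else None
        if stage != expected:
            raise ValueError(f"{self.sub_id}: expected {expected!r}, got {stage!r}")
        when = datetime.fromisoformat(at)
        if self.history and when < self.history[-1][1]:
            raise ValueError(f"{self.sub_id}: timestamps must not go backwards")
        self.history.append((stage, when))

    def current_stage(self):
        return self.history[-1][0] if self.history else "unassigned"

    def metrics(self):
        """Days from report to each stage; None where the stage was not reached."""
        entered = dict(self.history)
        return {s: (entered[s] - self.reported_at).days if s in entered else None
                for s in STAGES}

    def disclosure_status(self, now, policy="cert"):
        """Where this report stands against the chosen disclosure clock."""
        if self.current_stage() == "resolve":
            return "resolved"
        deadline = self.reported_at + timedelta(days=DISCLOSURE_WINDOWS[policy])
        today = datetime.fromisoformat(now)
        if today > deadline:
            return "overdue"
        if today > deadline - timedelta(days=7):  # one week of warning before the clock runs out
            return "at_risk"
        return "on_track"
```

Aggregating `metrics()` across the queue gives the time-to-triage and time-to-resolve numbers the deck says will define the program's success.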


Legal

• Clear lines of communication and expectations with corporate legal teams
• Contract law
  • EULA – exempt whitehats, precise carve-outs, or fully require adherence?
  • Program-unique terms
• Criminal law and legal safe harbors
  • USA: CFAA, DMCA
  • UK: CMA
• Corporate compliance
  • Data privacy: GDPR, Privacy Shield, etc.
  • Sanctions and anti-terrorism: various US and EU lists
  • Diversity and anti-corruption: checks for verifying corporate policies

Public Relations / Communications

“You’re the only engineers that regularly speak officially on the behalf of the company that don’t have time to clear every word with PR first.”

- Melanie Ensign (@imeluny)

Public Relations / Communications

• Communications training for engineers and PMs

• Build a library of templated responses

• Consensus on when to escalate internally and when to escalate to the Comms team

Engineering Partnerships

Partners: Product Management, Software Engineering, Corporate IT

• Coordinating scope changes with the product roadmap
• Thoughtful prioritization of low/mid severity bugs
• Software security education
• Very specific scope considerations
• Managing potential false positives on sensors
• This is Expert Mode bug bounty

Paying out awards

• What?
  • How much should you pay?
• How?
  • PayPal, Payoneer, Bitcoin, Wire Transfer, Airline Points (United), Gift Cards?
• Taxes!
  • Withhold income tax?
  • Require W8s?


“Ok, now what?”

Why this is worth it

• With good relationships, leveraging researchers will enable you to scale your security team

• Think of it like QA: Dozens of good testers will find more bugs than just 2 or 3 excellent testers

• Traditional pen tests are only accurate for a point in time, bug bounty testing is continuous

Where this fits

• Products should have a security architecture review and a traditional source code enabled pen test before considering bug bounty

• A small, private bug bounty is a great safe way to give top hackers access to a product first before launching an open bounty

• Recurring source code enabled pen tests to find deep, complex vulnerabilities

About those hacker parties…

Questions?

Adam Ruddermann, Practice Director, Bug Bounty Services

Email: rudd@nccgroup.trust
Twitter: @adamruddermann