Security Evolution - Bug Bounty Programs for Web Applications


           Michael Coates - Mozilla

           September, 2011


OWASP

           Copyright © The OWASP Foundation
           Permission is granted to copy, distribute and/or modify this document
           under the terms of the OWASP License.




           The OWASP Foundation
           http://www.owasp.org
Agenda


History of Bounty Programs
Mozilla Web Bounty Results
Launching a Web Bounty Program
Common Bounty Concerns
Conclusion




                                  OWASP   2
History of Bounty Programs

1995 - Netscape
2002 - iDefense
2004 - Mozilla Firefox
2005 - ZDI
2007 - Pwn2Own
2010 - Google Chromium, Deutsche Post E-Postbrief, Google Web, Mozilla Web, Barracuda
2011 - Hex Rays, Facebook

Types of Programs

Open to all - Reported direct to software maker
  (1995) Netscape
  (2004) Mozilla Firefox
  (2010) Google Chromium
  (2010) Google Web
  (2010) Mozilla Web
  (2010) Barracuda
  (2011) Hex Rays
  (2011) Facebook

Central “Clearing House”
  (2002) iDefense
  (2005) ZDI TippingPoint

Pre-Approved Teams / Competition
  (2007) Pwn2Own
  (2010) Deutsche Post E-Postbrief

Programs for the Web

Mozilla Web Bounty
  $500 - $3000
Google Web Bounty
  $500 - $3137
Facebook Security Bounty
  Typically $500, paid up to $5000

General Policies
  Select web sites in scope
  Critical issues
  Paid for new issues (not dupes)

Bounty Programs - Why?


User & user data safety is #1
Productive relationship with community
Work directly with researchers
Consistent security at scale is hard
Not competing with black market




Mozilla Web Bounty - Scope
‣   Goal: Protect Users

‣   Critical issues such as XSS, CSRF, code injection, authentication flaws

Sites In Scope
-   bugzilla.mozilla.org
-   *.services.mozilla.com
-   getpersonas.com
-   aus*.mozilla.org
-   www.mozilla.com/org
-   www.firefox.com
-   www.getfirefox.com
-   addons.mozilla.org
-   services.addons.mozilla.org
-   versioncheck.addons.mozilla.org
-   pfs.mozilla.org
-   download.mozilla.org

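The scope list above is exactly what a triage team has to check every incoming report against, and the wildcard entries make "is this host in scope?" less obvious than it looks. The following is an added example, not Mozilla's or OWASP's code: it takes a reported URL or bare host name and returns the scope entry it falls under, so that a report against a look-alike host such as bugzilla.mozilla.org.example.net is not mistaken for one against bugzilla.mozilla.org. It assumes (these are this example's interpretations, not stated on the slide) that `www.mozilla.com/org` is shorthand for both www.mozilla.com and www.mozilla.org, that a leading `*.` covers one or more subdomain labels but not the bare parent domain, and that a `*` anywhere else stays within a single DNS label.

```python
import re
from urllib.parse import urlsplit

# Scope entries as written on the slide.
IN_SCOPE_PATTERNS = [
    "bugzilla.mozilla.org",
    "*.services.mozilla.com",
    "getpersonas.com",
    "aus*.mozilla.org",
    "www.mozilla.com/org",
    "www.firefox.com",
    "www.getfirefox.com",
    "addons.mozilla.org",
    "services.addons.mozilla.org",
    "versioncheck.addons.mozilla.org",
    "pfs.mozilla.org",
    "download.mozilla.org",
]

LABEL = r"[a-z0-9-]"  # characters allowed inside one DNS label


def expand_pattern(pattern):
    """Assumption: 'host.com/org' on the slide is shorthand for host.com and host.org."""
    if "/" not in pattern:
        return [pattern]
    base, alt_tld = pattern.split("/", 1)
    head, _, _ = base.rpartition(".")
    return [base, f"{head}.{alt_tld}"]


def pattern_to_regex(pattern):
    """Compile one scope entry to an anchored regex over a normalised (lowercase) host."""
    if pattern.startswith("*."):
        # Leading wildcard: one or more labels under the suffix. The suffix alone
        # (e.g. services.mozilla.com) is deliberately not matched (assumption).
        suffix = re.escape(pattern[2:])
        return re.compile(rf"^(?:{LABEL}+\.)+{suffix}$")
    # Any other '*' is confined to a single label, so aus*.mozilla.org matches
    # aus2.mozilla.org but not aus.something.mozilla.org.
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + f"{LABEL}*".join(parts) + "$")


SCOPE = [(p, pattern_to_regex(p))
         for raw in IN_SCOPE_PATTERNS for p in expand_pattern(raw)]


def host_of(target):
    """Normalise a URL or bare host: keep only the host, lowercased, without a trailing dot."""
    if "://" not in target:
        target = "//" + target  # lets urlsplit parse a bare host (with optional port/path)
    host = urlsplit(target).hostname or ""
    return host.rstrip(".").lower()


def scope_match(target):
    """Return the scope entry the reported target falls under, or None if out of scope."""
    host = host_of(target)
    if not host:
        return None
    for pattern, regex in SCOPE:
        if regex.match(host):
            return pattern
    return None


if __name__ == "__main__":
    # Constructed sample report targets, not real submissions.
    for t in ["https://bugzilla.mozilla.org/show_bug.cgi?id=1",
              "AUS2.mozilla.org.",
              "sync.services.mozilla.com",
              "services.mozilla.com",
              "bugzilla.mozilla.org.example.net"]:
        print(f"{t:45} -> {scope_match(t)}")
```

Matching on the parsed host name rather than on the raw string is the point: substring checks would accept hosts that merely contain an in-scope name, and case or a trailing dot would otherwise make the same host look like two different ones.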
Mozilla Web Bounty - Submission Timeline

[Bar chart: bugs submitted per month, Nov 2010 through Sep 2011; the bar values are not recoverable from the extracted slide text]

Mozilla Web Bounty - Bugs Reported

[Pie chart: bugs reported, split between two categories; the labels and percentages are not recoverable from the extracted slide text]

Mozilla Web Bounty - Types of Issues Reported

[Pie chart: share of reported bugs by issue type; the category labels and percentages are not recoverable from the extracted slide text]

Mozilla Web Bounty - The Reporters

How Many Bugs Are People Submitting?

Number of Bugs Submitted   Percentage of Reporters
1 Bug                      47%
2-5 Bugs                   33%
6+ Bugs                    20%

Top 11% of bug finders contribute 56% of bugs

Mozilla Web Bounty - What is Submitted


Failure in design patterns - ex: image uploads
Procedural gaps / forgotten servers
Smaller traditional bugs




Mozilla Web Bounty - The Bounties

$104,000* Total Paid (since Dec, 2010)
175 Bugs Submitted
64 Qualifying bugs
24 Paid Contributors

* Mozilla Web Bounty, not including Firefox Bounties

Mozilla Web Bounty - Bounty Payments

[Bar chart: number of bounties paid at each payout amount, with $500, $1,000, $1,500 and $3,000 on the x-axis; the counts are not recoverable from the extracted slide text]

Mozilla Web Bounty - Bounty Payments

[Bar chart: bounty totals per contributor, y-axis from $0 to $25,000; the individual values are not recoverable from the extracted slide text]

Mozilla Web Bounty - Benefits


Engages community
Produces many high value bugs
Bounty is not purchasing silence
Security at huge scope
Identifies clever attacks & edge cases




Mozilla Web Bounty - Lessons Learned

Initial spike of work load
Prepare necessary teams
Response time & communication is critical
Researchers & directions - not always a perfect match

[Bar chart repeated from the Submission Timeline slide: bugs submitted per month, Nov 2010 through Sep 2011; the bar values are not recoverable from the extracted slide text]

Mozilla Web Bounty - Worth It?

YES!

Bounty Programs - Why?


User & user data safety is #1
Productive relationship with community
Consistent security at scale is hard
Not competing with black market




Launching Your Own Web Bounty Program

Bug bounties are an enhancement, not a substitute for any portion of a secure SDLC

Bounty Programs - Preparation

Gain developer & team lead support
Check your code
Define clear reporting process
Define scope and types of issues
Build team to respond to reports & establish response time goals
Announce program
Root cause analysis
Learn & adjust

Bounty Concerns


Common concerns with web bounty programs
  Encourages attackers
  Too expensive
  Veil of cover for attackers
  Bounty program duplicates internal security work
  Can’t compete with black market


We’ll address why these concerns aren’t necessarily valid


Bounty Concerns - Encourages attackers

Bad guys already attacking you
Without bounty program good guys afraid to test or report
Bounty program enables participants that will help you

Bounty Concerns - Too Expensive

Very high value
Compare bounty payout with equivalent 3rd party testing
Provides continual testing
Use individual bugs to identify root cause flaws
What percentage of profit spent on security?

Bounty Concerns - Veil of cover for attackers

Goal is to identify flaws, not identify bad guys
One possible deployment:
  Full security controls & active blocking in prod
  Set up public stage for testing with dummy data
  Configure production to actively block attackers
  Stage area could be next revision of code for prod

Bounty Concerns - Duplicates Internal Security Work

You don’t know what you don’t know
Identifies process breakdowns
Identifies areas for training in secure SDLC
Another tactic to protect users & critical data

Bounty Concerns - Can’t Compete with Black Market

Bounty programs and black market target different audiences
Some people are bad, but many people are good
Many don’t want hassle or questionable ethics/legalities of black market

Bounty Concerns - Can’t Compete with Black Market

Black market process
  Identify critical issue
  Weaponize exploit
  Find buyer on underground market
  Negotiate price
  Give bank account info for wire transfer? Arrange meeting for large cash exchange?
  File appropriate tax returns?

Bug bounty process
  Identify critical issue
  Report issue to reputable program
  Receive bounty from organization
  Feel happy you’ve helped the world be safer

Conclusion

Web Bounty Program works great for Mozilla
Recommend exploring how this may work for you
Leverage lessons learned & evaluate risk/benefit

Questions?

@_mwc
michael-coates.blogspot.com

