Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Bug Bounty Secrets


Published on

null Trivandrum Chapter - July 2013 Meet

Published in: Education, Technology, Business
  • Login to see the comments

Bug Bounty Secrets

  1. 1. Bug Bounty Secrets
  2. 2. HARI KRISHNAN. R Security Researcher and new to ppt :P
  3. 3. And get fame and cash  Select the target Gather Information Find bug and report Basic steps
  4. 4. Paying rewards to independent security researchers for finding vulnerabilities in their products. Major Players Google Mozilla Facebook Paypal And what we get ? Money and Fame. And what the company get ? They get their application secured and is very cost effective for them as they pay the independent researchers a minimal amount About Bug Bounty
  5. 5. What all you need to start hunting for bounty ? Know about the target, their products, acquired companies ( which you can find it by searching it in Google ) , sub domains, etc. Do have a good understanding of the application which you are testing. Know which all company is having bug bounty program and some of them are AT&T Barracuda Chromium Project Etsy Facebook Gallery Google Hex-Rays Kaneva LaunchKey ManageWP Mozilla PayPal Samsung Yandex
  6. 6. What kind of bugs are in scope ? XSS XSRF / CSRF SQL injection or equivalent Remote code execution Authentication bypass or information leak Rewards for qualifying bugs can range from 100 $ to 20,000$ or more. So far, Google have paid $828,000 to more than 250 individuals. Mozilla has paid $570,000+
  7. 7. Reference:Slides from Adam Mein at SANS AppSec 2011
  8. 8. Reference: Slides from Adam Mein at SANS AppSec 2011
  9. 9. Example 1 : Dom based Xss in Google Partners
  10. 10. Example 2: XSS vulnerabilities in Google's Gmail's mobile view by Nils juenemann
  11. 11. Conclusion: Report the bugs to the company rather than selling it in black market ;)