hackfest presentation.pptx

GETTING BEYOND BUG BOUNTY NOOB STATUS
@yaworsk
www.leanpub.com/web-hacking-101
www.youtube.com/yaworsk1

Upload: peter-yaworski

Post on 17-Jan-2017


TRANSCRIPT

OVERVIEW

▪Who am I and why do you care?

▪What are bug bounties?

▪Lessons learned (with examples)

▪Getting started

WHO AM I?

▪ @yaworsk on HackerOne, Twitter, etc.

▪ 11 – months since I started bug bounties
▪ 24 – number of thanks received on HackerOne
▪ 105 – bugs found on HackerOne
▪ 67 – rank on HackerOne (as of Nov 3, 2016)
▪ 0 – total security experience in November 2015

▪ Formal education in Public Policy
▪ Self-taught “developer”
▪ Web Hacking 101 book / Hacking Pro Tips

WHAT ARE BUG BOUNTIES

Source: Bugcrowd

WHAT ARE BUG BOUNTIES (CONT’D)

▪ HackerOne (as of Nov 2, 2016)
  ▪ 32,470 bugs fixed
  ▪ 3,970 hackers thanked
  ▪ 155 public programs
  ▪ ~600+ total programs
  ▪ Hacktheplanet + Hacktivity

▪ Bugcrowd (as of Mar 31, 2016)
  ▪ 6,803 paid submissions
  ▪ 26,782 “researchers”
  ▪ ~100 public programs (62 shown online as of Nov 2, 2016)
  ▪ ~180 private programs
  ▪ Monthly / yearly bonuses + Forum

WHAT ARE BUG BOUNTIES (CONT’D)

HackerOne Bugcrowd

LESSONS LEARNED

Hacking is not easy money

POC || GTFO

Your reputation is gold

Skill, observation & relationships

Pay it forward

1. HACKING IS NOT EASY MONEY

▪ @ITSecurityGuard
  ▪ thanks from Uber, Google, Yahoo, Snapchat, Apple CVE
  ▪ first 7 bugs on PayPal, all dupes and unrewarded

▪ @filedescriptor
  ▪ over $200k from Twitter alone
  ▪ started with N/As and gave up for a short time

▪ @nahamsec
  ▪ 18th on HackerOne, thanks from Yelp, Shopify, Apple, Uber, Yahoo
  ▪ felt burnt out at the beginning of this year, said he wanted to walk away

Source: Google Bughunter University

2. POC || GTFO

3. YOUR REPUTATION IS GOLD

HackerOne Private Invites:

Private Programs == Fewer Hackers == $$ (potentially)

3. YOUR REPUTATION IS GOLD (CONT’D)

4. SKILL, OBSERVATION AND RELATIONSHIPS

4. SKILL, OBSERVATION AND RELATIONSHIPS (CONT’D)

Correct Approach

4. SKILL, OBSERVATION AND RELATIONSHIPS (CONT’D)

Wrong Approach

5. PAY IT FORWARD

GETTING STARTED - TOOLS

Fiddler Proxy

GETTING STARTED - SCOPES
- Not helpful
- Possible red flag
- Sets no expectations

GETTING STARTED - SCOPES (CONT’D)
- This is 1 policy
- Extremely detailed
- Sets clear expectations
- Indicative of a good program

GETTING STARTED - REPORTS

“Better bug reports = better relationships = better bounties”

https://hackerone.com/blog/how-bug-bounty-reports-work

QUESTIONS?