
Hackers Don't Care About Scope

BSidesSF · 2023 · 22:25 · 224 views · Published 2023-05
Speakers: Ben Sadeghipour
Style: Talk
About this talk
Ben Sadeghipour

Companies are running bug bounty and VDP programs, but often with a very small scope: an application with little functionality, and a scope that prevents hackers from finding good vulnerabilities, when in reality adversaries and cybercriminals will continue to hack into your organization regardless of scope.

https://bsidessf2023.sched.com/event/1M2bQ/hackers-dont-care-about-scope
Transcript [en]

All right, hello, good afternoon. Thanks for being here for another Villages talk. We have Ben, hacker, content creator and all-around great guy. He's going to be talking to us today about scopes, and maybe they matter, maybe they don't. But anyway, I'm going to hand it over to Ben. A quick round of applause.

All right, can you guys hear me okay? Hey, Wyoming, cool. All right, let's talk about why hackers don't care about scope. But before we jump into it, a quick little intro about me. I'm a hacker and content creator. Before this I worked at a bug bounty platform, HackerOne; that's when I learned a lot about bug bounties. I also worked as an exec for security and research. I've helped identify hundreds of bugs, thousands of bugs, over 100 bug bounty programs, and some of the companies I've hacked on are Apple, Lyft, Amazon, Google, the Department of Defense and a couple more. Those are just to give you some big names that I've been a part of.

About this talk: just out of curiosity, how many here are involved in a bug bounty program, or managing a bug bounty program, or doing a bug bounty platform maybe? I've seen a lot of people spin up bug bounty programs; more and more it's becoming very popular for a lot of security teams to spin up their bug bounty programs. It's a way to secure your products, pretty much. But I see a lack of engagement and a lack of communicating with your hackers, and also of getting the most out of your bug bounty program. So we're going to talk about it.

The inspiration for this talk came from this poster. This is a Kiwicon 2009 poster that Jason Haddix posted. I can't take the credit for it; he's actually selling these on his site if you want to grab one. But he posted that, and if you can't read it, I made sure I communicate it properly to you: hackers don't care about a lot of things, and scope is one of them. Your project scope, we don't care about. If it's a legacy system, we don't care about it. If it's a proof of concept, still don't care about it. But there's a lot of different things, internal systems, we don't care. You should care about them, but the point is you can put all these limitations on your bug bounty program or your VDPs, but guess what, we still don't care about any of these, and you shouldn't either. We'll talk about some of that more.

So the talk, so far, what I've envisioned, how do I present this thing and how do I break it down: we're going to go between programs and hackers. We're

going to talk about why, as a program, you should be doing the bug bounty programs differently, and then how that helps with the hackers, and why hackers like me would want to participate in your programs more and more if you take some of my advice back to your stakeholders.

So there is the traditional approach of doing a bug bounty program. You pick your bug bounty platform because you want to get, you know, I feel like these are a lot of your OKRs for a bug bounty program if you're running one, right: you want to get some vulnerabilities, you want to secure your products, you want to secure your customers' data, and you want to hit your internal goals and metrics that you have, right? Do we agree? But then you give us this. You give us a single scope of www.site.com, right? And I want to ask you: is this really what you want to get out of a program, by just giving us this one piece of scope? You're giving us a website, and a lot of times the www site has no functionality. It's talking to a bunch of different systems, but we as hackers can't do anything about it, because you gave us a scope that we have to work with. And a lot of times if we work with that scope, or if we go out of scope, there are punishments that come with it: either we don't get paid for the bounty, the platforms get pissed at us, or you don't like the fact that we went out of scope. That goes back to my whole "we don't care about scope" thing, which we'll address in a bit.

But outside of not working with hackers, you are ignoring a bunch of different things that work in the background of that main core application, right? Your app.site.com, your main application that you guys are putting into your program: it has a DNS server, it has a DNS zone that maybe, you know, it's communicating with, it has a dev site, it has a dev API, it has a dev environment, whatever that looks like for your infrastructure. There's a bunch of APIs. A lot of times I see bug bounty programs put their app in there, but then 90% of it runs from an API that is not put in the scope. Maybe you forgot about it, or maybe you don't want it to be in scope for some reason, but a lot of the data is being pulled in and out of an API. And then you have your internal development tools: you have your Jenkins, you know, whatever is going into your integration process, and all these toolings, you're completely ignoring them if they're being exposed to the outside world, because you want to put a scope and limitation on your bug bounty program.

So the goal of this talk is to give you an idea, or give you some sort of a reason, to go back to your orgs and say, hey, we want to go from that to the second one, where everything we do as a bug bounty program is in scope. And I did that as one of my jobs at one of the companies that I worked for. That was our goal: they gave me that program, and we slowly added more assets, we slowly added more hackers, and at some point everything the company owned was in scope. And I think that should be, in short, how you run a bug bounty program. And you're paying a ton of money to

these platforms, or whoever is running your bug bounty program. You're spending a lot of money that's coming out of your budget, so you may as well get your money's worth. And the other part of it is, let's keep it honest: you're gonna get owned. Cybercriminals are going to go after your infrastructure; they will definitely not care about your scope. No cybercriminal is going to go to your bug bounty program and say, hey guys, we're not touching the system, the bug bounty program says it's legacy, we should stay away from it. They're going to do the opposite. If it's legacy, it's better for them, because there's probably vulnerable code in there that you don't care to maintain or fix. And they don't care how they're going to get into your system, whether it's your third-party services. They want your PII and they want your infrastructure, right? That's what cybercriminals want to get into. Regardless of what the goal is, they're gonna do that. It's gonna happen whether you like it or not, and you have a bug bounty program that could do that for you.

And before you all tell me "we don't want it, we don't need it": if we didn't need bug bounty hunters or red teamers, people that are doing the same thing as adversaries or cybercriminals, as an industry we wouldn't be creating this. This wouldn't exist: external attack surface management wouldn't exist as an industry if we didn't need something that could, you know, mimic the adversaries, the same tooling and the continuous monitoring that they do, right? So as an industry we created this monster. Last year at RSA there wasn't a single vendor that I walked by that wasn't selling ASM, or EASM, which is external attack surface management, right? So you can't tell me that you don't need it, because if you don't need it, then why does your company have this? Why are you spending on contracts with other companies that are doing this?

And the other part of the EASM thing is, a lot of these companies, Assetnote, let's see, Hadrian that I worked at, a couple of ones that got acquired recently, guess who created them: bug bounty hunters. A good portion of them were created by bug bounty hunters. They took their bug bounty approach, put it in an infrastructure, automated it, and they're now selling it to you. They're making bounties on the side and then they're selling it to enterprise, and they're making money. So we created EASM as an industry because we didn't want to, you know, open up our scope or work with hackers. Even with a pen test, you know, the scopes are limited sometimes. So I feel like we need to do more as an industry, whether it's bug bounty or not. So if you can't beat them, join them. I mean, that's the best way I can say it, because we have to do something, and bug bounties isn't the solution, but you are spending money with bug bounties, so you may as well leverage your bug bounty and do the same thing.

So we're going to talk about the hackers' perspective of this. I'm doing okay with time. So now we're going to take a look at the hacker's perspective of how it works. So, work with hackers. And, you know, I wanted to kind of address: hackers do care. It's not

that we don't care about things. Hackers do care about having a bug bounty program that's fun. You know, they want to find a program that's engaging, they want to work with them, they want a wide or wildcard scope. It doesn't have to be everything you own, but it could be something that's big enough, if your product's big enough. Like, you know, Salesforce is a huge company; their product Salesforce alone is huge. Airbnb was a big one: they did their core app and then eventually put everything in scope. But we want to hack on things that we can dedicate hours to, or days to instead of hours.

So we want to also identify your infrastructure. A lot of times I've talked to a lot of engineers when I submitted a vulnerability, and they go, "how do you know this belongs to us?" So it tells me that you don't even know these sites belong to you, and that's again why we have ASM as an industry. But we can do that thing for you. We can create this ecosystem of us identifying your assets and reporting vulnerabilities within them. Of course we want to publish our research; we want to make the internet secure, at least most of us do. We care about bounties. And it all just comes down to just wanting to own your stuff as a company.

And the way we do it is, I personally looked at this and I go, when I'm doing a bug bounty program, the immediate question that I ask myself is: how can I affect this company's users' data or the infrastructure? Because if I get infrastructure access, then I get PII. If I dump PII in any way, then my job is done, right? So the first question that a lot of hackers who are coming from a "how do I mimic an adversary" approach to bug bounties ask is this, in some aspect. This is how I look at it; this is what I think, at least. So I ask myself how do I do that, and that's very difficult to do when you give me this, because I can't scope out your internal sites. You have an internal.site.com that I can't touch because it's out of scope. I can't touch your dev sites; they may have more functionalities, they could be open to foreign

I know that they've been around for years, but they all have a lot of bounties paid. And do you know what they all have in common, besides the security budget that they have that's huge? They also have huge scopes. You know, the bigger companies that I've seen that are successful, they're taking on the risk of saying, hey, we want you to hack on everything we own. Airbnb as an infrastructure, it's not a huge infrastructure; they have a lot of different acquisitions that have happened over the years. But when Airbnb launched their program five years ago, they gave us everything that they owned. Even though it was small, it made it a challenge for me to identify more places to hack on, because they gave us an open canvas of doing what we want. As hackers we did whatever we wanted to, so sometimes I found vulnerabilities in their core app, sometimes I found stuff that was in their API, and sometimes I found stuff that was leaked on GitHub. So I could pick what side of this company do I want to hack into, or what part do I want to attack, and by choice I have better options doing that for a big company versus a company that's giving me this one, so I can't do a lot of the work that I want to on this side.

So it's not huge scopes, it's just they have more engagement. One of the things they have in common is you'll see a lot of the top hackers are on these programs because of the wide scope, because they're adding more assets over time, and the increased bounty budget over time. Once you have a lot of these bugs coming in, it's a justification for you to go to your stakeholders and say, hey, we're getting good vulns, can we get more budget to pay the hackers and find things. And honestly, this is not on the part of the talk, but just talking to a couple of people outside, I think we should also step away from having bug bounties be on the AppSec side and give it to the red teamers, so they can see how far that could have gone. Could that RCE in the site elevate access to your internal network, and that kind of stuff. So I feel like overall with bug bounty you have this proof of concept that you're going to spend money on; the government's going to make it a thing for every company to eventually have a VDP, whether we like it or not. So why not make the most out of it and get better coverage by, you know, adding things over time. So we want to go from that and... oh, I broke it. That one works, okay, so this one works. Oh, it's not perfect.

So if you're giving me this, what you're going to miss out on is cool bugs like this. These are just me browsing on HackerOne. These are things that are not even on your infrastructure: this is hosted on GitHub, this is hosted on a random website that you posted some notes on, this is hosted on your third-party services, or your JavaScript files that people come across. You miss these things, like your public Jenkins instances, your endpoints that are out there for your APIs, all these different cool vulns and research that could come out of your bug bounty program, that you're missing out on just because you want to be on the safe side of a bug bounty program, because the legal teams don't want to deal with it, or because your stakeholders don't want to be doing the work to go up to a bigger bug bounty program.

So I don't have a solution. I have a solution slide, but I don't have a solution for you. I have a suggestion that I can propose, because the solution is up to you and your team to figure out how fast and how quick you can put more things in scope. But we wanted to look at two things with bug bounties: you don't get to do the

social engineering and phishing, right? That's the thing that bug bounties can't do. I know that most companies think the way they get owned is through phishing, which, web is also, I think, high up there with how companies are getting owned nowadays. But the true thing is cybercriminals are going to do the same thing. You know, we can't do phishing and social engineering, but we can do the web stuff, but also the similar tooling, and the approach is very similar. A lot of the good hackers that you look at, they come up from an adversary perspective, and they try to do that with their bug bountying. And the difference is one's going to play by the rules and the other one's gonna, quote unquote, sell your stuff on the dark web, and you have to pick one or the other.

So the number one thing is, I think from bug bounty platforms I've seen a huge shift from just sales to also educating, educating people why they should do their bug bounty program. But also, as people that are running these bug bounty programs, I think we need to, as an industry, for the bug bounty industry, create something for these legal teams that are going to be okay with wanting to work with people that are out there in the world, that it's not in the US, it's not Europe. I think the biggest scary thing is "I don't want to work with this hacker out in this country," and I think there's education that needs to be done that these platforms are doing background checks, you know, they have done some ID verification and so on. So I think there's a lot of education that could go there.

And honestly, if you are doing a bug bounty program, I've seen this mistake happen over time a lot, and I see less and less of this happening now with the platforms being around: they do the walk, crawl approach, and then you start, sorry, crawl, walk and then run approach. You don't go all in and put everything in the scope, but you make it a goal. You say, hey, we're going to launch a bug bounty program, and within a year, within two years, we're going to add more and more to our scope. And just having that goal and having that buy-in throughout these years, it's going to push you to want to do those things. So do them in phases. Your first quarter or your first two quarters of bug bounty should be private; it should be your main core asset. I understand that's the meat of your product, but eventually, after the first quarter and the second quarter, when the submissions start to die down, you want to go to the next phase of adding more and more. Maybe bundle them all together, so this next phase you have a bundle of new domains, and then eventually you work up the courage to put everything in the scope of your bug bounty program.

And then the last one is, be more lenient with your scope. It's okay if hackers go out of scope on accident. I'm not saying reward them, but also don't punish them. Don't go to the bug bounty platforms and say, hey, this hacker went out of scope, especially if you're going to fix the vulnerability, if you're getting value out of it. Make it more welcoming. Without, you know, I get that you don't want people to go out of scope, set those rules up, but set up communication for hackers to be able to ask you, hey, I found this asset interesting, I think I can find this vulnerability, can I test this? I think that alone is a big thing. But also putting some language around saying, hey, if you find something that could directly affect our network, our infrastructure or our users without hitting a third party, we'll be happy to hear from it and maybe award it. Just the language you use is different: saying "hey, we're open to it" versus putting the finger up and saying "no, no, we don't want to work with you," because it's just not gonna take us away from going from a single scope to a wildcard thing. And then hackers aren't going to engage with you if they get punished. Hackers talk to each other, so if one hacker is getting banned from a platform or a program, it just becomes a thing that most hackers are going to be turned off by.

So again, I'm going to put this slide up one more time. We don't want the first one; we want more of the bottom one. I think I speak for all bug bounty hunters when I say the second one is the one we want. And yeah, that's it. If you want to come and meet us and talk to us, I'll be at the Bug Bounty Village all day tomorrow. We're doing a web hacking workshop with Jason Haddix. I'm hosting the Hong Kong June 16th, and I'm also doing a training if you want to do more bug bounty and web hacking. And if you want to get in touch with me, there's my Twitter, social media and also my email as well. If there's any questions I'll be happy to answer. [Applause] Check, check.
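The talk's central argument, that a single-host scope leaves most of the surface around the core app (dev hosts, APIs, DNS, exposed CI) untestable, and the phased "crawl, walk, run" scope expansion it recommends, can both be checked mechanically against an asset inventory. The Python below is an added example, not code from the talk, from the speaker or from any bug bounty platform. It models a program's in-scope and out-of-scope hostname rules, matches a constructed external asset inventory (hostnames modelled on the talk's www/app/dev/API/internal/Jenkins examples, not real targets) against them, and reports what fraction of the exposed surface researchers are actually allowed to test. The `Scope` class, the `in_scope`, `coverage` and `report` functions, and the wildcard semantics (a `*.site.com` entry covers subdomains at any depth but not the apex; out-of-scope entries win) are this example's assumptions, not any platform's rules.

```python
"""Scope coverage check: how much of an externally exposed asset inventory a
bug bounty program's scope actually lets researchers test.

Added example, not from the talk. Hostnames and scope rules below are
constructed to mirror the talk's examples; they are not real targets.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Scope:
    """A program's scope as two lists of hostname patterns.

    Assumed semantics (not any platform's rules): an entry starting with
    "*." covers subdomains at any depth but not the apex itself, any other
    entry must match exactly, and out-of-scope entries win over in-scope ones.
    """
    in_scope: list[str]
    out_of_scope: list[str] = field(default_factory=list)


def _matches(host: str, pattern: str) -> bool:
    """Case-insensitive hostname match; trailing dots are ignored."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # ".site.com" suffix: any depth
    return host == pattern


def in_scope(host: str, scope: Scope) -> bool:
    """True if a researcher is allowed to test this host under the program rules."""
    if any(_matches(host, p) for p in scope.out_of_scope):
        return False
    return any(_matches(host, p) for p in scope.in_scope)


def coverage(assets: list[str], scope: Scope) -> tuple[float, list[str]]:
    """Fraction of the inventory that is testable, plus the hosts left uncovered."""
    uncovered = sorted(h for h in assets if not in_scope(h, scope))
    covered_fraction = 1.0 - len(uncovered) / len(assets) if assets else 0.0
    return covered_fraction, uncovered


def report(assets: list[str], scopes: dict[str, Scope]) -> dict[str, float]:
    """Print a per-scope comparison and return scope name -> covered fraction."""
    result: dict[str, float] = {}
    for name, scope in scopes.items():
        frac, uncovered = coverage(assets, scope)
        result[name] = frac
        print(f"{name}: {frac:.0%} of {len(assets)} exposed assets testable")
        for host in uncovered:
            print(f"  not testable: {host}")
    return result


# Constructed inventory, as an EASM tool might list it for site.com.
EXPOSED_ASSETS = [
    "www.site.com",       # the single host most programs start with
    "app.site.com",       # the core application
    "api.site.com",       # the API the app pulls its data from
    "dev.site.com",       # dev environment
    "dev-api.site.com",   # dev API
    "internal.site.com",  # internal site reachable from outside
    "jenkins.site.com",   # CI/CD exposed to the internet
    "ns1.site.com",       # the DNS server the talk mentions
]

# The phases the talk describes, from single host to wildcard.
SCOPES = {
    "single host": Scope(in_scope=["www.site.com"]),
    "core app and API": Scope(in_scope=["app.site.com", "api.site.com"]),
    "wildcard": Scope(in_scope=["*.site.com", "site.com"]),
    "wildcard, internal carved out": Scope(
        in_scope=["*.site.com", "site.com"],
        out_of_scope=["jenkins.site.com", "internal.site.com"],
    ),
}

if __name__ == "__main__":
    report(EXPOSED_ASSETS, SCOPES)
```

Run it and the single-host scope shows one testable host out of eight, while the wildcard scope covers everything the inventory found; the carved-out variant shows exactly which exposed assets (here the CI server and the internal site) a program is declining reports on. Feeding it a real inventory export in place of `EXPOSED_ASSETS` turns the talk's argument into a number a stakeholder can track as the scope grows.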

I could ask it direct, but I guess in terms of getting that feedback on bounty programs from hackers, like what's successful, what's not, where do you recommend doing that? Like through Twitter, or Bug Bounty Forum, or those types of channels, or is there some other...?

As a founder of Bug Bounty Forum, I would say don't do it on Bug Bounty Forum. Yeah, it's the wrong place to ask. But I would say ask your researchers that are sending stuff to you. When you're awarding someone, if you put a link that says, hey, we want, you know, either a link or a question saying, hey, can you answer these questions for us, we would appreciate it. I think talking to the people that are submitting to you is more valuable than on Twitter, because you can also get the people that don't like to do bug bounties to still chime in, or the leads that are in the bug bounty community chime in. So directly from your hackers. I know both of the big platforms have direct communication to your hackers; they can select, hey, hackers that have submitted a bug to me, or hackers that have done X, send them a survey. But the report itself I think is the best way to ask. I'm like, hey, we're curious, what can we do to engage you more, whether they need credentials, they need, you know, some account type or something. That could give you direct feedback for it.

No, that's great, thank you. Thank you. We have time for more.

With the current advent of generative AI, how it's just blossomed and mushroomed, how has that affected the things that you're into now? Has it made things easier, has it made it more difficult?

The thing that I'm into as a content creator, it has made it easier, because I can rely on AI to help me create more content easily. I have my labs created by AI sometimes, like ChatGPT. But I don't think it's going to affect the triage part of it just yet. Maybe there's some machine learning that could help with that; I know a lot of these bug bounty platforms use machine learning in a way. But I'm one of the people that's going to be resistant to saying it's AI. AI is very far from taking over bug bounty, both from a hacker perspective or triage or bug bounty platforms in general. I know you can write better reports than ChatGPT, honestly.

Very interesting talk, thank you very much. Just like hackers, VPs of engineering, engineering managers, directors, they also don't care about scope. Good to hear. Yeah, all they care about is, can I ship this feature or product securely or not? But as a product security engineer, we do care about scope, because that kind of, you know, keeps us on track. So what are your views on that?

I think it depends from org to org, but at the end of the day, you know, when it comes to bug bounties you can put a scope on it, but whether you like as a team having a scope or not, it's not going to matter with the adversaries, it's not going to matter for cybercriminals. So instead of working against people that want to help you, I think just having the leniency of being open to getting reports is different than not having that. A lot of times what I see is they're giving you that "no, no, don't go out of scope," and then when you go out of scope you get an email from the support team, or the team that are on the platform side, saying, hey, you went out of scope, and you know we tell you not to go out of scope. So I think it's a leniency of being open to accept something that may be out of your scope, because it benefits you.

Understood. What do you think about scope creep?

About scope creep? It depends. I mean, that's a broad term, but I can't... that's a little question, I feel like. Thank you.

You're welcome. Thank you. One more.

Hey Ben, I have a question for you. So I think obviously bounty hunters can make more money sometimes if they go out of scope, but there's got to be a line at some point, right? A line where if you cross it, you're borderline criminal, like stealing data you shouldn't access. Where is that line for you?

My line is, if I can exploit something, especially out of scope, I report it and I tell them, like, hey, I could do this thing, do I have permission to go into it and do it? I think I draw the line of, like, I know I went out of scope, but I'm not going to, I don't ask for money. There was recent news of someone saying, hey, we want to help you with your product, but bounty please. That's the line. I don't ask for bounty, because when you ask for money you may not be extorting the company, but you knew what you were doing was wrong, going out of scope. So it's just, I found something, I say this is what I found, this is what I can do with it, can I do more? A lot of times I'm lucky enough to know about the companies, but a lot of people don't have that connection. So just having the communication, putting an email that says, hey, email us if you have questions, helps. Thank you.

All right. Going once, going twice. All right, another round of applause.