
BSidesSF 2020 - Panel: Let's Get 360 w/Bug Bounty! (Maria M • Chloé M • Jeff B • Tanner E • Ben S)

BSidesSF · 2020 · 49:48 · 658 views · Published 2020-03
Style: Panel
About this talk
Maria Mora, Chloé Messdaghi, Jeff Boothby, Tanner Emek, Ben Sadeghipour - Panel: Let's Get 360 With Bug Bounty! From bug bounty hunters, to the platform triagers, to the companies that fix the vulnerability: we have much to understand and learn from each other. We will talk about the bug bounty lifecycle from multiple perspectives and discuss how to improve the way we work together.
Transcript [en]

Okay, you guys ready? Alright, welcome, welcome, welcome. Thanks for joining us. Let's Get 360 with some bug bounty, and I have some incredible people on this panel. Please note that this is bug bounty platform-agnostic, meaning that we have some from HackerOne and Bugcrowd on here, and anything that is said on here is not representing a company in particular, but just sharing a background and information and details from experiences. Myself, my name is Chloé Messdaghi. I'm the VP at Point3 Security, I'm also the founder of WomenHackerz and also the co-founder of WoSEC, and in my spare time I try to get more and more women into bug bounty. So I'm gonna first start all the way to my left. Ben, can you please introduce yourself?

Yeah, Ben Sadeghipour. Most people know me as NahamSec. I'm a bug bounty hunter, and when I have free time, and during the day, I work as the head of hacker education at HackerOne, where we create CTFs and free educational material for hackers.

I'm Tanner. People know me as cache-money. I do both security engineering for a company as well as hacking.

Hi everyone, my name is Maria Mora. I'm a staff security and compliance engineer at Crunchyroll, and today I'll be talking more on the company side of things, partially winging it.

And I'm Jeff Boothby, currently a senior trusted security engineer at Bugcrowd, and also a researcher slash hacker, whatever you want to call it.

So it's really cool, because we have three people on here that are active in bug bounty, but also you have two people that are from two of the biggest bug bounty platforms, so you're in for a real good show to see everything and answer any questions that we usually get. Please note that this will be reducing a lot of fake news that is out there around bug bounty. Alright, so let's dive into some questions. So for the hunters out there, I have some questions for you. First one is: how often do you hunt?

I could start. Not as often as I would

like. Trying to find a balance of not spending too much time on your computer has been a little bit hard, but I want to say a few hours a day, if I get the chance, after work.

I was doing it full time, you know, most of the day, eight, nine hours a day, but now I've reduced it to maybe 20 hours, 10 hours a week, just for my own sanity, and also I've tried to learn to be efficient, so I can do less, make more, if I can.

Yeah, I try to hack as much as possible. It's usually at least a few times a week. Sometimes, if you're on to something, I'll just grind for a week straight after work, until 2:00 or 3:00 in the morning. I did do it full-time for a little bit over a year, and during that period it varied also, where I'd go on vacation, then come back and just sit out for a couple weeks, and then take a week off. I just try to do it as regularly as possible.

Yeah, no, not as often as I'd like, echoing Ben here, definitely significantly less than before. It used to be probably like tens of hours a week, but now, because it is still my day job, it's not where I want it to be.

Roger that. Okay, so Tanner, we're gonna ask you this question first, which is: how did you start hunting and how did you become successful at it?

Yeah, so I started, I guess, back in the day. I would do kind of mini CTFs and small hacking challenges that were set up. There are websites like HackThisSite.org that would make like an XSS challenge or something so you could learn with that, and this was maybe in 2004-2005-ish. And then I didn't really know about bug bounties, and then once I started, I guess, hearing about it, I realized that, oh, this looks cool, but it's probably something I couldn't do. And then around 2016 I actually found a bug in United while I was trying to

change my password, submitted it through their bounty program, and then it's actually something that seemed like I could do, and it just took off from there. I became successful at it, I would say, just from the resources that are available. I went through every single publicly disclosed report on HackerOne at the time, read this book that Peter Yaworski had written, which was like an intro to bug bounty, and just learning about reports that got paid and what was actually found, and the whole interaction between the company and the hackers, and kind of replicated that.

I love Pete's book, by the way. If anyone hasn't read it, you should. He has Web Hacking 101 and the bug hunting one; it is definitely a must-read. Ben, same question right back at you.

Yeah, I got into bug bounties by accident, kind of. I heard about both Bugcrowd and HackerOne back in 2013, 2014. One of my buddies was just telling me how I could make money hacking, as I'd been hacking for years, and he's like, hey, you should make money from hacking. And my immediate thought was, mmm, kind of sketchy, I don't know if I want to get into it. And he's like, just look up bug bounties. And that's where Yahoo was still doing their own bug bounty program on their site; that was a static page, they put the names on there every month, and when they moved to a platform is when I found out about these platforms and more programs. A lot of it was just me jumping in. I do things backwards sometimes: I jump into something and I try to make sense of it, and then learn it as I go. So I dove right into it with Yahoo. I don't know if some of the Paranoids are here from years ago, but I started just hacking on Yahoo, and anything that didn't make sense, that I didn't know how to do, I would just look it up. You know, HackThisSite was a good place to play around. There were a few limited resources: there was a vulnerable web app, HackThisSite,

I went through all of those just to understand the basics, and while I was going to learn, I just jumped right into it. It was the best way to get hands-on experience. What about yourself?

So the way I got into bug bounties was through a friend of mine, a colleague I should say, also a friend. He joined Bugcrowd several years ago, and I actually hadn't heard of bug bounties until then. So that's how I got into it, because he urged me to become a researcher and actually start testing and finding bugs on the programs that Bugcrowd was hosting. But that's kinda how I got started, and then eventually did join the company as well.

Alright, so the next question I have, remember once again this is platform-agnostic, but what are some issues you've dealt with when it comes to reporting on bug bounty platforms?

So some of the issues that you'll come across is like the customer, or the company running the program, might not consider it to be as severe as you think it is, or as it actually is, as well as they might just not want to hear about it. But submitting on a platform itself is usually a lot better than actually having to reach out and find like a security@ or a support@ alias to be able to try and track down somebody from their security team. So again, having a bug bounty platform actually being able to manage all that, having a main point of contact, certainly helps quite a lot.

Excellent.

Yeah, I think, I mean, bug bounty platforms are great because they want happy companies and happy researchers, so they're pretty proactive to make changes. So if you do have an issue with it, they'll either release a new feature or kind of change the way something works, so I thought that was really good. But I think different platforms work in different ways. For instance, there's a platform where they have different kinds of targets on it, but one of the requirements is that you

have to do all testing through a VPN, right? So it's like there's some hackers that actually don't want to do that for various reasons: it might be slower, it's just kind of more annoying to test through that. So I guess that's not a problem with the platform, but it's just the way the platform works, which is a way that might not be conducive to all researchers.

For me it's mostly the communication aspect, not just with the platform, but even the security engineers on the company's team. Sometimes, you know, as triage members or the security engineers, they don't know their product as well as we may know it at this point, so the communication becomes hard, because first I don't know if they understand the thing that I found, because of their experience with the app, depending on how much they've dealt with it. I think communication plays a very, very huge role in bug bounties, you know, being able to communicate your vulnerability properly for them to understand the impact, and also understand you while you're reporting, especially when we work with companies that are in a different part of the world where maybe English isn't their first language. The communication was one of the hardest things, and I've gotten better at it throughout the years, to understand how do I unify this so that, regardless of who the other person is, whether they're a triage team or they work at the company, they understand exactly what I'm trying to get across, how to reproduce it, and understand what the impact is on their users or their infrastructure.

I like that you brought up communication. That's one of the big things in the bug bounty space: especially, you have a lot of people that are submitting for whom English is not their first language, so that always runs into some situation. I was wondering, have you run into any issues with companies?

Not really with the companies, no. A lot of times the issues I have with the companies is them not understanding the vulnerability because of their exposure: either they're a new engineer, or, 'I've never

seen this,' the said feature that I've found, they don't even know it existed. So the question is how do I make them understand, like, just because you haven't seen it yet doesn't mean it's not vulnerable, or because you don't see the vulnerability, the impact is in there. And that all goes back to communication, and how much information you provide, and how accurate and clear that description is.

Yeah, I've had some issues in the past with companies. Usually it revolves around, say I say something is of maybe high severity, and then they say, no, it's a low. Sometimes the company is right; it's like, if they have mitigation in place I can't see, that if they know that the impact is low because maybe 1% of users actually visit this part of the app, then sure, that makes sense. But there's some times when you actually are pretty confident that, okay, this is high severity, it's very exploitable, not difficult to find, and you pretty much have to go back and forth trying to convince them that this is higher severity and here's why. Sometimes it works, sometimes they see it, sometimes they don't. But a lot of times, you know, you could kind of convince them, and then they'll be, oh okay, you're right, we didn't think of that, or we didn't know that it was this easily exploitable, and they'll either raise the bounty or raise the severity.

Actually, I kind of want to ask you a follow-up question on that, with regards to actually convincing companies. How do you exactly do that? Do you give them a better proof of concept? How do you kind of walk around those eggshells without actually going against their rules?

Yeah, there's a few ways. One is like a one-click POC; it's the most valuable thing you could have. So it's like you're trying to explain an account takeover, for instance, and it's maybe somewhat theoretical, where if you do this and do this and copy this request over here, it's hard to follow. Whereas if it's like, okay, log into your

account and click this link and notice I just took over it, then that really helps solidify, like, oh wow, okay, this is pretty bad, something like that. There has been a case before where proving impact would have had to result in hacking some third party, which was really hard to convey and say, okay, I don't want to have to hack this third party, but there are a bunch of third parties that could possibly be hacked that could be used to exploit this.

Yeah, building on Tanner's response there. So yeah, that's one of the things: usually in most companies' bounty briefs they'll state that, hey, prove that there's a vulnerability there, but don't do the full exploit, don't actually extract any data, right? And then obviously there's going to be certain times where they don't think that it's actually a vulnerability, maybe because they don't understand it. But one of those things that you can always do is say, hey, I can actually do the full exploit, do I have your full permission? Like, ask for permission first before actually doing it. So if they need extra convincing, that's one way to go about it.

Yeah, the permission thing is very important. There's a couple of times where I know, like, if I run a particular command a site might go down, and I don't want to be responsible for it, so I'm just asking for permission. There's also times when I describe the things that I want to do but I'm kind of afraid of doing on their website, you know, especially when you're testing in prod with bounty programs, it becomes a little bit weird. So just include the things that you want to try, and, you know, I give them the benefit of the doubt to believe me and give it a try, and I can even go as far as trying to craft a payload or a POC that may work, and they can try it out and tell me if it actually works on their end. And they have the app, they have the resources to

monitor and see if these things are actually true; they can go look at the source code and see if, you know, these claims are true. So it doesn't hurt to give them those claims and also ask them: if you don't want to try it, I would love to do it, or do you have, you know, an environment where I could try this, or something like that. That's always been helpful.

Excellent. Okay, so we talked a little bit about the issues with bug bounties and companies. When you are a hunter yourself, what are some ways that they both can improve on, so on the bug bounty platform itself and also for the companies that participate in bug bounty?

So again, it comes back to the communication feature. It never hurts to over-communicate. Explain exactly what you're doing, very good descriptions. Again, just to echo what everyone else has already been saying: communicate. Some of the best, I should say, is, so I'm sure all platforms do this, but they do review and kind of survey the crowd for what's the best program, what program do you like the best. It's not the one that actually has the most rewards, the highest rewards; it's generally going to be the one that communicates the best and has ongoing communication back and forth between the company, the platform, as well as the researchers. So over-communicate.

Yeah, great communication is definitely key in anything we do, even with bug bounties. I'm going even further: allowing hackers to interact either with the program manager on the platform side or directly with the program manager on the company side, having a way of asking questions, because there's times where I look at a feature, I don't understand what it's supposed to do, I don't know if it's a feature or a bug, right? It's a little hard. Having those ways of asking, okay, if it is a feature, what is it not supposed to do, so I can exactly do that, and having communication and having the ability to ask questions outside of a

report on the platform, and directly getting in touch with whoever runs a program on either the platform or company side, is very, very helpful. If it wasn't for communication with a company like Airbnb, when I hack on them, if it wasn't for their engineers right away answering my questions when I don't know what I'm dealing with, sometimes those better bugs that became critical wouldn't have happened.

Yeah, definitely, I echo that. But also one of my favorite things to see when I'm hacking on a program is engagement from the company's side. It feels better when you interact with the engineers over there and they could answer questions for you, but also maybe help you escalate an incomplete bug, right? It's like, if you see something that's absolutely terrible practice and it looks really vulnerable and you think there's something there, but you can't get a full exploit yet, it's good when it's a company that's like, hey, we'll look into this, and they'll go and look at the code and kind of help you with it, and, you know, if they could prove impact with it also, then you get the full bounty.

I mean, I run a program at the company I work at, and that's something I try to do: I'm always open to questions. If you think something is a bug, let me know, just report it and I'll investigate. I'll try to escalate on my end, and I'll let you know why we chose a certain severity for something, like list out the reasons of, oh well, we had mitigations in these ways, which is why it paid out a certain way.

I like that everyone keeps bringing up communication. It is like the number one thing that can be improved on, for sure, in all directions, and it definitely does bring you back to wanting to work with them again, or working on a program with them. It's definitely one of those. What other things basically bring you back to that program, and also incentivize you to look at specific programs?

I like what Tanner

said: the engagement from a company. When I see them, even if it's a managed program, and I see them popping into the inbox, it doesn't have to be, I don't care so much about saying, oh, we found value in this, but also seeing them answer the questions that I don't know and directly interacting with me. It shows that they're invested, they're spending some resources to answer all these questions. And it also goes with, you know, how often they expand their bug bounty program. How long has the scope been the same? Has it been the same for three years, or has it gradually changed and become bigger and bigger? Those play a huge role, and outside the monetary rewards and engagement, those have a very big impact on choosing programs.

Yeah, for me one of my favorite things is working on programs for products that I use, because you already understand it, so you've already completed a bunch of the work, I guess, if you know how it works, and you could actually think of some interesting vulnerabilities that are more along the business side, or the business logic side of it, right? So it's like, if you just dive into a program, a lot of times it's just some huge enterprise software, and it's kind of difficult to see what the business use case is, and how to actually, like, come up with some clever ideas or be creative is a little more difficult, versus if it's something like maybe Uber, Lyft, GitHub, which are just products you use, and you could always just think of, is there any way to, I don't know, get free rides or something? You know, so stuff like that. A big scope is cool. I mean, it's pretty frustrating if the scope is so narrow that pretty much every link you click ends up going to a domain that's not in scope, and then you don't really have much to work with over there. And also communication, like quick payouts, are great for momentum. If you're hacking on a program and they pay out

within a few days, or sometimes within a day, it really keeps you engaged, and it keeps you wanting to attack more, versus if it takes months to pay out, you kind of forget about it; then you get the payout and you're like, oh yeah, there was this program.

So yeah, engagement, time to pay out, and then, kind of building along the large scope, I would say also open scope, just so that everything under the sun under their brand name is within scope. Obviously it's a little bit easier to find bugs, because you can find a vulnerability that exists on maybe something that they don't even know that they own. So again, a lot easier to get paid out that way.

Show of hands: how many of you guys have actually done any bug bounty before? This is nice, I'm seeing a lot more hands than the previous year. What other advice do you guys have for newbies, in a sense, besides learn the ins and outs of Burp Suite and also to not give up?

This is gonna sound a little too obvious, but learn the fundamentals. Like, learn what goes behind a website for it to be built. You don't have to become a full stack developer, but understand the super basic level of how a website works, you know, what goes behind it, before you jump into breaking it. And stay away from payloads. Like, stop focusing on payloads, stop copy-pasting things without understanding it, because when you copy-paste things you miss a ton of bugs, because you don't understand the fundamentals and you're relying on someone else's payload for it to work in your context, and that's not how it works.

Yeah, I totally agree with that. Also, I mean, there's so many resources out there; I would definitely make use of those. I mean, there's a lot of stuff for free. HackerOne's Hacktivity is great. It's the communication, it's basically as raw as you could get: it's the exact report that a researcher sent to the company, how the company reacted to it, what they felt about it,

the communication between them, and what the payout was. So if you're trying to get into it, you could say, okay, this is what companies tend to care about. If you don't know how to write a report or how to even phrase it, it's all right there for you. Like I said, Pete Yaworski has a great book to go through, and I would say go through these as you're putting them into practice, instead of just reading a bunch of stuff and then going into it later. It should be done at the same time. And yeah, I think once you start finding bugs, it just keeps feeding itself, I would say.

Adding on top of all of that: knowing how to Google. Like, knowing how to use Google's modifiers, like plus or minus or quotes, right? There's a number of them out there, to be able to filter for exactly what you're looking for, and chances are someone has already asked the question that you're asking. Maybe not specific to the code that you're looking at, but guaranteed someone has already asked it before, and there's generally going to be an answer out there. Google's gonna be your best friend.

That's very good advice. Just with how many bug bounty hunters are out there and how many write-ups come out every week, putting just the topic and the keyword 'bug bounty' next to it has always had a solution for me. It's always not the first page, somehow.

That's really good advice. I think company name, if there's a specific company you're looking for, people will put a bunch of write-ups on Medium for a specific company, which always helps. Definitely on Bug Bounty Forum, by the way; if you don't know, Ben is one of the founders of Bug Bounty Forum.

I'm gonna ask some questions about triaging, and Jeff, you're gonna probably be answering all of them, congratulations. But before I go into that part, there's been a massive rumor that goes around about bug bounty that I kind of wanted to squash really fast, which is: bug bounty was not created to take over jobs for

security teams. It was to complement your security. It's two very different things, and I just want to really push that out there, and any facts that you hear that are not like that, or are from before 2013, those are not applicable to today's standards. Alright, now on to triaging questions. Alright, how do you handle out-of-scope submissions?

So that's one of those things. Before I get into that: if you're reading a bounty brief and you're participating, read what's in there, read the rules, make sure to stay in scope. But that being said, again, if you do submit something that's out of scope, expect to maybe perhaps not get the monetary reward that you're hoping for, but as far as a triage perspective, we do have to notify the company who's running the program that, hey, here's this bug, it's out of scope, but we think you should look at it anyway, just because of the criticality of it, or the context of the vulnerability. If it exists in, like, one of their partners or their third-party associated code, then again, they still want to know about it, but they just might not be able to pay out, because again, it might not be something they control, or it's just something that's not in scope at this time.

Okay, so what happens if the triager can't reproduce the submission?

So again, this does come back to communication, so communication really is key. So if the platform comes back and we're unable to reproduce it, then we go back to the researcher, or whoever submitted it, to be able to ask for additional information, to be able to make sure that it really is not reproducible before marking it as such, because we want to make sure that we are doing our due diligence, not just for our work but for the work of whoever submitted it, as well as the company that's being submitted against, because again, if it does turn out to be a vulnerability, we do want to surface it to them. But again, we do want

to have that communication channel open, to be able to get more information, maybe walk through it with the researcher, maybe get on, like, a video conference to be able to see what's going on and see what they're saying.

I think on that topic, it's not just on the triage teams to figure it out; it's also up to the hacker. As a hacker, if you know you have a complex bug, it doesn't hurt to include a video. Please don't go and make a video for every single POC, but if you have something complex that you think the other party can't reproduce easily, because, you know, there's 40 steps included, there's three accounts included, having a good POC with the video, and having some sort of a proof or image that shows the vulnerability, helps. So it's not always on the triage team; the hackers have to also put in the effort to make sure whatever they're communicating, going back to the communication thing, is getting very well communicated to the triage team as well.

Also with that, I think it's important for the company itself: if you kind of skim the inbox of reports coming in, if it's a report that's pretty deep in the way your app works, it's possible that a triager might not understand it, right? Because they're switching between so many different reports from so many different companies, they don't have the context of every app. So if you're working at the company and you see that, feel free to step in and help; go, hey, I could reproduce this, or I understand what they're saying, because that would help shortcut things a lot.

I wanted to go back to what Ben was saying about taking videos. There are a lot of tools out there, one of which I've been looking at for a long time now. I saw this open-source tool called ReproNow, R-E-P-R-O-N-O-W. That's a pretty good tool if you're doing video and network captures from your browser. Yeah, so you might want to check it out if you don't have a tool yet. It can

do both network and video capturing at the same time, so I find it really useful.

Alright, next question: what roles does the platform control versus the company control?

So a lot of it is going to be controlled by the company itself. There are suggestions that the platform will make, due to our experience, our history with running these types of programs with a ton of other companies. But again, it's ultimately going to be up to the company itself, whose program it is, that determines what the actual rules are, because again, it is their program, they are paying out the reward, so again, it's under their control, typically. But it is up to the platform to be able to make those suggestions, if something needs to be changed or updated.

Alright, next one I have for you is: what are some of the most interesting submissions you've encountered? And I do know you shouldn't state any company names.

Trying to speak a little bit more broadly about this and not mention specific companies or researcher names, just something in general, is that we do get, from a lot of new people that maybe don't really understand security a whole lot, kind of the weird ones, where, like, there's a grammatical error on the website, give me $50, right? Don't do that. Likewise, be able to prove that the vulnerability exists. Don't just argue for argument's sake; include all the reproduction steps, because again, it's one of those things where we do have to be able to actually believe in and validate that it is a real vulnerability. So there's numerous times that we do have to just mark things as not reproducible, because it might not actually be a vulnerability itself.

I think if you can't answer the question of 'what now', like, what can I do with this thing, if you can't answer that on your own before you file it, the 'so what' question, okay, I see this thing, so what? If you can't answer that, then don't file it. Like, if you don't have a concrete

answer you can back up with something that you have found, don't report it.

Yeah, I like when you put the impact of the vulnerability in the title, where it's like 'XSS leads to account takeover', where it's very tangible: just reading the title, you could see what the impact is, and then you know it's a valid issue, right? It's clear to everybody.

Alright, Ben and Jeff, this question's for you: what fears do bug bounty platforms have with researchers and companies, besides miscommunication and taking over or something? You wanna go for a spin?

Yeah, I mean, I'm just gonna go back to the communication thing. I work with our mediation team very closely, and a lot of times what I see is the two parties don't understand each other. They're both saying the same thing, going in full circles, and they're just not understanding what's going on. And that's the biggest thing, it's why I brought up that communication thing: unless we can get all three of us, it's not just the programs and the hackers, it's the program, platform, and the hackers, all three of us, to speak the same language the same way, for this to work. And my biggest fear is that when they don't speak to each other, there's a falling out that happens, and trying to explain, like, it's not, you know, there's a misperception of, like, oh, they don't want to pay. It's not so much that; it doesn't come out of the engineer's pocket, they're not paying us personally, they're not using their own credit card. They're giant corporations; in some cases they have hundreds of thousands or millions of dollars in $1,000 bounties, and they pay that, you know, twice a day or 20 times a week sometimes, with some companies. And it all comes down to making sure you are being respectful, you're not crossing any lines, you're not pushing things too much, and you're very clear in what you are explaining to this company. And the thing that keeps me up at night is sometimes those things not happening, and not being able to

communicate very clearly lots of mediation on the by battey front for sure yeah so again communication is very key and one of the things that kind of like we have as a fears like kind of like the the platform is especially with companies is them not only like not having enough money but again it's that communication feature right so if like they want a bug bounty think about this way there's and I get a lot of researchers don't ever think about this way but there's a budget I can Ben was saying that it's not the engineer that pays out it's not even like even the security engineer right it's not even their team right it's the budget that's

been allocated to them. So they might run out of budget; they might not have enough to be able to pay a high reward. So even though it might be a really critical vulnerability on a really big name brand, they still might not be able to pay out as much, even though they might have billions or trillions of dollars in net worth, right? So again, it comes down to budget, how much they're allocated. Something to always keep in mind, especially for the researcher side. But again, that's kind of a fear that you have as the platform: to be able to make sure, because we want to keep the researchers happy as well, to be able to

make sure they are paid for their time and work. Actually, um, if you don't mind, I'm curious about... so when it comes to companies and their budgets, and, you know, let's keep this pretty general, like generic, um, do you sometimes or often see companies that, you know, might be low on the budget or the resource side, where they can't really respond quickly? I'm kind of curious what the trend is. It happens from time to time, but we generally try to set those expectations before the program launches, so before the researchers even see it, just so that they can plan for themselves. And again, it's even before, in the entire

process of when they purchase, right? We want to make sure that they understand there does need to be a program manager or a program owner on the company side, to be able to receive the submissions and make sure that they respond within a timely manner. Maybe not necessarily fixing them right away, but at least being able to respond, to be able to make sure that researchers get paid out for their time. So it kind of does vary, but it's happening less and less often now, because again, bug bounties are starting to become a little more popular, a little bit more well-known, and so companies are starting

to accept that fact and be able to allocate more resources to security in general. Not so much to that, but also, I see a lot of hackers on Twitter mostly bringing up the fact of, why isn't this company paying a bounty? I know, I see people are laughing; they understand where I'm going with this. There is a lot of work that goes on behind the scenes to make this happen. Both on our end (and I have to do a lot of work to make these companies and customers get on board with these things) and also other customers and the security teams have to work with a number of folks to make this happen. PR is one of them, legal teams are

another one, and when money gets involved, especially when you're paying money to a different country, a country where you don't even have an office, things get a little tricky. So my biggest thing is: give it some time. Bug bounties are still new; you know, security itself is a little new, but working with hackers, and crowdsourced or hacker-powered security, is very, very new. It takes time; it's not going to happen overnight. But I would much rather have the company have a vulnerability disclosure program than me getting a cease and desist in the mail that tells me to screw off and not do it again. Okay, so we're gonna go into company

triaging. Um, are you ready, Maria? This is gonna be all you now. Okay, what kind of hoops do bug bounty reports go through once they're submitted? Okay, um, so this might be a long, winding answer, and I'm gonna talk a little bit on what happens right after we get a report. So right after we get a report, we don't necessarily see it ASAP. Um, so it depends per company, whether or not they have their own program going on, or, you know, if they're working with a platform, and, you know, there are other ways to go about actually receiving that information. And some people, you know, depending on the bug bounty program

or vulnerability disclosure program, they will just get stuff in the mail, like an email to security@, and depending on the company, maybe they're not even looking at that email too often. So, you know, it has to go through proper channels. So given that, once the report goes in through proper channels, if the company does have a program going on within the company, usually with engineering teams, big or small, there is a software development lifecycle, and I'm gonna be speaking from more of an agile company side, you know, people having scrum teams with sprints, like two-week, one-week cycles. I think the big part there is these people

already have planned work, and the thing is, when you have emerging work, you still have to work with different departments. If they have a product manager, a product owner, a project manager, they also have to talk to those people to get that fix within their regular cycles. And that's only for the fix. Another thing is that when a security representative at the company looks at a report, they also have to figure out on their side, you know, if this is a valid report, and they also have to calculate the CVSS score. If you haven't heard of CVSS, it's the Common Vulnerability Scoring System, and

it's how some people decide how important or how severe a particular vulnerability is. So this is usually seen, like, when it comes to platforms, they might ask you how reproducible is it, can you reproduce it within the network or physically, that sort of thing. So once a security team, you know, figures out the CVSS, or sometimes they don't, in which case they will have to go back to the engineering teams that are responsible for that product, because no one person can know the entire scope of the company or all the products. They have to go back to the engineering team sometimes and ask them, hey, how does this work? Or, you know, if

you're not well-versed in mobile applications, you'll have to go back to the mobile team, get someone on their team, and figure out the proper communication there. So, depending on how busy those other teams are, there's a lot of talking between different people in a company. However, you know, if a particular vulnerability is obviously severe, you know, it gets expedited every now and then, like, oh my god, this is super serious, for example, this is a credit card information problem; that one might be expedited, and then you've got all hands on deck, something like that. So, you know, it really depends on the particular vulnerability. Otherwise it has to go

through multiple cycles, multiple people, and then once a security representative finally figures out, okay, it's this serious, this is the fix, and this is how much we're going to pay, that's when they can go back to the security researcher and give them the proper bounty. All right, so this question is for everyone who can answer, which is: what fears do companies have when entering the bug bounty space and starting that? I want to also include vulnerability disclosure programs, so VDPs, such as testing pre-production, NDAs, and so on. What are some of the issues that you guys have seen? So from the company perspective, is that the question? Yes. So a lot of... so when we

speak to customers, and this is a little less prevalent now, now that, again, bug bounties are starting to become a little bit more the norm, we used to hear a lot of, like, how do I know I can trust someone? How do I know I can trust a hacker or the researcher? Right? And it's one of those things where you have to just basically understand that there's already people out there that are going to try and attack the website or hack the website. It's just a matter of harnessing the people that want to do it for good. And again, it's one of those things where someone with malicious intent doesn't need a bug

bounty platform to be able to actually go out and harm some company out there, right? Again, they don't need a platform to do that; they don't need some rules or some vulnerability disclosure program to do it. They're already gonna do it. So again, it's one of those things where it's becoming a little bit more accepted for the researchers, and hackers out there, excuse me, to be able to figure things out. But that's one of them. Yeah, I don't think malicious hackers are going to come knocking and give you a heads-up. I agree. That's one of the biggest things, that you understand, like, even not

knowing these hackers, if your stuff is vulnerable, you want to hear from these hackers who are willing to help you, versus finding out after all your data has been dumped. I think that's the biggest thing: to have a little bit of trust, to understand these platforms. I've worked with these hackers; I have long-term relationships I've made with some of these folks, and there are some measures there for us to control it. Yeah, something that I guess is pretty scary is testing, their testing on prod. The security team does not want to be responsible if the site happens to go down. So it's not necessarily going to be a hacker's fault, right? Say if there's some endpoint where, when you hit it, it

just shuts down the whole system. It's happened before. I'm not... like, I've accidentally triggered that at a company before. I felt really bad about it, but at the same time, it's like they had to do some explaining to the engineering teams and to the product team or whoever else, saying, like, oh, why'd you start the security program that just completely destroyed our system? I mean, I think you're on our side, and, you know, I'm sure there are conversations like that. So I guess you want to be careful. It's a good idea to start with a smaller group, for instance a private program at first, I would say, and kind of ramp up from there, versus just going public

altogether, all right off the bat, because you never know if there's something that's coded poorly that will choke the system. I completely agree with that. You should start first private, then go public, because you don't know what you're gonna get into at the very beginning. It's very good to first put your foot in slowly, not just jump in. Okay, call it crawl, walk, and run, right? Exactly. So another thing that kind of crosses my mind, or, yeah, comes across when you talk about fears that companies have, would be the fact that, you know, especially for smaller companies or companies that don't even have a proper security team, they'll be like, how do you even deal with this

and you already have so much work to do, how do we roll that in? And that's something for the companies to actually figure out. I mean, security is a pretty big deal, and, you know, whether or not you can actually have a full bug bounty program is definitely up to the company, and you'll have to see if it's right for you, but at least have that baseline VDP, or vulnerability disclosure program, so that if someone does find something, at least they have a means of notifying you. Aside from resources, the thing that we talked about earlier with budget and the people that are going to be working on this program,

there is also going to be a matter of communication within the company, like how do you establish communication with other teams? And, you know, it takes a whole village to figure this out. It's not just the security team; you also have to work with product and engineering and other business units within your org. Jeff, anything you want to add to that? Oh, that's very well said, yeah. Okay, so you guys have heard different perspectives, from the hunter side to the bug bounty platform to the company side. I want to talk about kind of the future, and one of the things, if you know about me, is that I'm

very pro bilateral trust. That means every company should have a vulnerability disclosure program, and you're going to need a manager to handle that too. So I want to ask some questions around bilateral trust, as well as what you guys see in the future for bug bounty. So, first question for you: do you believe we will ever have bilateral trust amongst us, such as safe harbor? If so, what is needed right now to make all parties move forward? Yeah, this comes again back to the communication piece. Everybody does need to have communication between all parties involved, especially in order to gain that trust, and this is a little bit more

on the companies to be able to handle: having some sort of legal language to promote safe harbor, to protect the researchers who are doing the testing and the submitting on their program. So it does have to start a little bit more on the company side, to make sure that not only do they trust the researchers, but that the researchers can trust them as well. So that's probably one of the biggest starting points in order to keep moving forward with this: to make sure that we can get companies on board, so we can get, again, more companies, more researchers on board with it. I'd like to add to that. So when

it comes to companies, like, you know, you mentioned that there should be proper language and everything. So, one, there should be a really good legal perspective on it. You need to properly address the fact that some people might be scared, and doing just legalese might be difficult, so having the same text, the same legal text, in easier-to-understand words, like, the bottom line is: yes, you can do this; no, you shouldn't do that; or yes, you can, but ask us first. So those kinds of easy-to-understand, um, I don't know, uh, rules would be very helpful as well. Another thing that I'd like to say about, you know, the future of bilateral trust

is that there has to be more awareness around the community in general, and not just this community but also people outside the security circles: companies that might not even have security teams being in the news, for example. Like, there's so many companies out there that don't have a security team, or, you know, they're always afraid of these hackers, you know, out there wearing the black hoodies with the balaclavas, yeah, and they don't understand what's going on, you know. So I think awareness is a really big aspect here, and it's gonna take some time. I think assuming good intent also plays a big role on both sides, hackers and customers or bug bounty programs, assuming that there are good intentions:

the hackers are here to help you, and the customers or the programs are here because they want to work with you. There is no bad intent to screw anybody out of anything or to do something on purpose. When things go wrong, you could come off as, you know, malicious, but in some cases it's just not understanding that and seeing the whole picture. Honestly, I think that every single company should have a policy that is easy to understand, like, if English is your second language, you should still be able to understand it. How many of you guys have actually read user agreements? I mean, if you have an Apple phone, how many times will you actually read any of the

updates? Exactly, point made. I think a very simple policy is very important to have: knowing what's in scope, what's out of scope, and we'll communicate that. From a company's perspective, it's very important to have an email that people can actually write to, to tell you, I found this vulnerability. How many of you guys in this room have spent hours or days and just given up reporting something? It is so common. You should also be able to know what the rewards are that you might get as well. So having something like that is extremely important. How many of you guys have heard of disclose.io? Raise your hand. Okay, honestly, check it out. If you are someone who likes to look

for vulnerabilities, you should know of it. I have some stickers for you. A very last question, and we have to wrap this up. The last question is: what do you see in the future for bug bounty? I think there's going to be a point where more companies are going to be either adopting a bug bounty or a vulnerability disclosure program, either by choice or by government regulation. I don't think we're too far from it. I also think that, you know, in the future, in the next 3-4 years, there's going to be a lot more education happening on both ends: educating hackers on how to work with customers, and also educating everybody in the world on why they should work with

hackers and how to work with them. I think once those two have happened, and when hacking and bug bounty have become more mainstream and a big part of security culture, yeah, I think more companies are going to start opening them up. I think we're already starting to get a lot more hackers on the platforms, which is awesome. There are hacking events, and there's new faces at them all the time now. New research is constantly coming out. There's a lot of attention on it now, so I think it's just gonna keep progressing, and it'll be really easy to submit a vulnerability in the future. And, yeah, hopefully more companies do adopt some of that legal language regarding

safe harbor, such as disclose.io's language. But again, since security is relatively new to the world (and it's not really that new, it's just that people are becoming aware of it), it's starting to become one of those things where you can actually have a major in that in college now; there's a lot of training courses, right? So a lot more people are coming to be involved in it, as well as learning about it, as well as being able to actually do it themselves. So not only will there be a lot more researchers, hackers out there, but there'll also be just the general public knowing about it too. So I think bug bounty can only go

forward from this point in time. Yeah, another thing is that I know that not all countries are pretty aware of bug bounties so far, and, you know, there's a lot of improvements that can be done outside of the world that we know, like the US, for example, or Europe, Canada, all sorts of countries. I do know, for one, that bug bounty is kind of starting up in the Philippines. I do know a few people over there; there's a couple of companies that focus on being a bug bounty platform in the Philippines specifically. So, you know, it's gaining traction somewhere else in the world. I just want to say thank you guys

for being transparent, honest, and being very out there about communication, and thank you to BSides San Francisco for having us and for accepting this talk, and thank you to everyone who's attending this. Make sure to give hugs or just get to know each other; we're feeling kind of isolated these days. Just know that we're a small community, but we've got each other's hearts. Thank you, and we'll be outside; ask for any questions that you may have. Thank you.