
Bug Bounties: Crowdsourcing Nosey Bastards

BSides London · 2019 · 20:14 · 630 views · Published 2019-09 · Watch on YouTube ↗
Style: Talk
About this talk
Bug Bounties have emerged in recent years, marketed as a silver-bullet solution to an organisation's external security; however, there are hidden depths beyond publishing a scope. By the end of this talk (hopefully) you'll be able to answer: do more eyes necessarily mean better? What are the intricacies of project-specific and non-project-specific hunters? And, most puzzlingly, what does the city of St Petersburg have to do with bug bounties?
Transcript [en]

Hi everybody, my name is Jamie, and I'll apologise straight off for my accent, so if you don't understand some of it, just feel free to ask me to repeat what I said. And so, yeah, as I said: Bug Bounties: Crowdsourcing Nosey Bastards. It's quite hard to make a title about bug bounties, and this talk is different from other ones you may have seen on bug bounties; it's going to be more about the management of bug bounty systems, and it's partly a part of my literature review from a master's dissertation. However, I transitioned away to a different topic, and so it may not be the best, but I can say this talk is gonna be at least better than the end game. At least I'll try to.

So I'm going to make an assumption that you know about bug bounties: you get monetary rewards for disclosing vulnerabilities responsibly. And we'll start off by comparing bug bounties to the methods we use to map and track mundane bugs, so your imperfections in the code, which you see on bug tracking systems. So if we compare bug tracking to bug bounties, there's one thing they finally share, and that's motivation: you are intrinsically motivated, you are submitting vulnerability reports for the betterment of a system, be it for a monetary reward or not, but the extent to which their intrinsic motivation goes varies between the two different types. Yeah, and we'll get onto that.

Well, there's two major differences, and we start off with transparency. Bug tracking systems: you'll find them on mailing lists and on public forums and stuck in a help application, and you don't see that so much on bug bounties, because, quite obviously, security flaws: you don't want them bare in the public. But that transparency has a knock-on effect, which is duplication. In bug tracking they don't want to get duplicates; however, in bug bounties duplicates are basically, kind of, really hard; it's like rejection on the top level. And so this kind of leads on to our first problem, that's duplication, a problem which I call the information mismatch.

So that comes from economic theory; that's a mismatch term, and we'll get on to that a bit more later, but it basically boils down to: we know what people want, but we don't provide it. And that's kind of the shortcoming to get around; what people want is the problem. So if we look at the one we've got, a handy-dandy ISO that was updated last year, which covers what you should put in a vulnerability report. That includes, of course, location, steps to reproduce, proof of concept, impact, the type of vulnerability, root causes, disclosure plans, date of discovery, OS, and so on, and the people who get their bug reported to them just resolve it faster. And, as shown in surveys and academic surveys, and in the marketing material for the bug bounty platforms, HackerOne and Bugcrowd, it leads to faster resolution of bugs.

Not mentioned in the ISO, so I've added these additional ones I've got myself: supporting references isn't mentioned as much in the ISO, it's in there as just a little bit of a footnote; and then you've also got potential countermeasures, but of course with bug bounties you don't really know what's going on behind the curtain, so you can't give that all the time; good manners cost nothing, that's kind of self-explanatory; and then finally Grammarly Premium. Now, I put this on here as a hope to try and get a sponsorship offer from Grammarly, because it's really good, but also because it gets our point across that easier-to-read vulnerability reports are actually resolved faster as well, which sounds quite self-explanatory, but it's something that comes up and academics are always quite vocal about.

But we don't live in a perfect world where we'll get what we want, and, as I said, the information mismatch exists. So you don't get that; you'll get: lack of details, which is self-explanatory; you've got beg bounties, which is quite a funny term, so it's like people doing bug bounties and faking they've found a vulnerability, or they find a very mundane vulnerability that can't really be exploited, it's not worth anything, but they'll beg for money; and then a more extreme version of this is blackmail. Obviously this happens a lot more in bug bounties, because of the monetary reward you can use that; so that's what happened with Uber, with a 10k maximum, they got, what, 100 grand basically. And lastly, which is quite a sad one, is foreign languages; that's just going to be a sad reality of the worldwide kind of bug bounties. It's infeasible to hire people who speak all the major languages and who can also do all the vulnerabilities, triage them and send them to the companies to make sure about them.

And we move on to the worldwide aspect. Both major platforms have over 300 thousand accounts from over a hundred countries, and then I've kind of picked a couple: India, where you've got 30 percent of the population of the whole ecosystem on just one platform, and I've picked Egypt and Argentina, at least because these have the 17-point-something, 25-point-something and 4-point-something, which is the kind of multiplier of the median wage for software engineers. This is a bit of their weird marketing; I'm not really fond of it myself, because it's based on money earned by individuals, and bug bounties isn't... I can't do it, but not everybody can afford fancy blue cars and go driving in London.

And the facts over here on the left kind of point to this: so you have the average pay for a vulnerability is about $500, and that includes all the way from your critical ones to the just mundane ones. Then you have only a thousand hackers on this one platform have earned over five thousand pounds, or five thousand dollars, now; so that goes further in some places than others. And then over a hundred hackers have earned over a hundred grand, and two hackers have earned over a million. So it's one platform of 300,000 people, and only two people have earned over a million, and this is worth about 14.4 percent of that population who can go full time. Now, if you break down the numbers, it means that 97.5 percent have never received a bounty, have never been able to sell a vulnerability to one of these platforms, and that's quite a scary fact when you have 3,000 out of your 300,000 people. But the glimmer of hope is that, of the largest companies that have been used so far, it's only six and a half percent of the Forbes 2000, but this keeps on growing. Is it necessarily a good thing? Do more eyes mean the better?

And the answer is no, and really academic studies have kind of found out there's a power law. But I'm gonna put my hands up: my maths classes at school didn't stick, so I don't really understand what a power law means, but I think it's something like critical mass. So there's like a point where it tails off, and basically it means that if you get too many people looking at your website and doing bug bounties, it's too many reports, which then has a knock-on effect for the implementation and the resolution. If you have too few participants, then you have very narrow coverage of vulnerabilities from what they can do, but also very narrow, or very sparse, coverage of your actual organisation, and that can lead to the worst-case scenario, which is: you have your own bug bounty system, nothing is popping in, and you think people just aren't submitting because you're secure. That kind of gives a false sense of security.

So you have to manage bug bounties and the people who interact with your system, which is quite hard when they're all over the world, and another thing that complicates it is heterogeneity; I can never say that. This is just a fancy academia word for "diverse". Every hacker is different: some people are really good at SQL injection, some are very good at cross-site scripting, I'm good at neither, but that kind of plays into what you need to understand of the people that are interacting with your company: some people are jacks of all trades and some people are one-trick ponies.

So one survey that has looked at this analysed eighty-two bug bounty programs and 2,520 hunters, and they then found three archetypes. So you have this triangle, which is adapted from the survey. Your specific hackers are up here, and they're people that focus on one project, usually due to them loving the product or liking the organisation. Then you have your non-specific, which is very self-explanatory: they don't hack one specific organisation, they will go across with the one kind of methodology across many, many organisations. And then on these ecosystems the less active are in the corner, so that is basically your 97.5% which I talked about earlier. These people rarely submit to bug bounties, and if they do, they'll submit one and then they're done.

So the motivation for these: it's obviously money for non-specific people, but for specific ones it's got to be more extrinsically focused; they care about actually getting rewarded by the company beyond money. They want to be in the hall of fame, they want to know the security team, they want to have a personal communication with them, and when you don't do that you risk the chance of them selling it to the black market, which is quite alarming, and a survey that has been done, like, a year ago found that.

So, coming back to the non-specific ones, that are more focused on money, as I said we're gonna dabble in our second economic theory when it comes to bug bounties, and that is the Saint Petersburg paradox. Basically, this is just a fancy term for: if you only take the expected value, you make stupid decisions, and as a student I can say I've done many things, hence why I got the Megabus last night and I'm getting a bus back tonight; can't afford a plane. And when it comes to bug bounties, that means that we will think that if we go to a site that everybody's been to, or an organisation, then we're not gonna get money; there's not enough left.

And I can show this; I've worked on here, I've staggered these two reports, they're just examples: the top one is GitHub and the bottom is Slack. And if we take for example the Slack bug bounty, it came out first and there's a big spike, this is the Saint Petersburg paradox, and then we have the second one; it starts off weekly, and over here you can see how that dies off, and then that's when the other one picks up. This happens across your HackerOne and Bugcrowd: people jump to all the new programs and therefore you have a big windfall and then everybody goes away, so they're struggling to retain active people who submit vulnerabilities kind of regularly. So mostly this happens to non-specific hunters, and that's because they believe, obviously, they want money, so they believe that portfolio diversification is a better return on investment than adopting a new methodology; which is straight Grammarly Premium.

And so now, going on to kind of the conclusion of that: this basically can be seen, these two things I brought up, the St Petersburg paradox, the hacking worldwide and the information mismatch, can be seen as a consequence of the gig economy, because we chase the money, we want to be there first, we don't want to deal with duplications. It can also be seen as the downside of the diversity of hackers, because we think we're not good enough, that others are better, and we're not gonna find the vulnerability if someone hasn't found it first. And then also poor bug bounty management on the side of the people who organise it: they're not interacting with the community, they're not having a correspondence, and they don't retain participants.

So as a solution to all of this, academic research has done some work on that, and no one really knows. They've suggested things, but as you can imagine, getting data off of operating companies is quite hard, because it's security related and they don't want to rock the boat; they're getting quite a nice PR right now, and a lot of people are anxious about it, so there's no reason they want to make it worse. But what they've kind of experimented with, or what academics have kind of said, is a staged scope increase, which is just the gamification of the St Petersburg paradox: every week we'll release a different part of our organisation, so they're just limited releases. So one week it will be one of the domains, the next week will be the whole thing, and alongside it private programs, because obviously if you're increasing the scope every week, that means that some parts of your website aren't being checked at all until very late on, so you run the private programs to make up for that. But private programs cost a lot of money, because you're getting the best hackers on a premium to come and test yours over what they usually do. I mean, it could be something totally different, because we don't actually know of anything, because no one's ever implemented or experimented on security bug bounties. But let's hope there may be a solution which is yet to be discovered or to be discussed, and the openness could all be, probably, behind Silicon Valley's closed doors.

And so, references: this is kind of the safety net for the talk, and there's two kind of names I wanna point out here. So one name at number seven, and I think he's up at number nine as well; that's the guy doing most of this that I know of; there's a PhD in bug bounty economics, which is where the economic theory comes from, because I wasn't smart enough to think of it myself. And then you've got number five, which is an interview with someone you would have seen talk about vulnerabilities and bug bounties before, and these are really good ones to look over and discuss, because they are the more cutting edge of everything I've referenced here. And that's that. There is a massive potential for further academic research into bug bounties, although, as I've said, it's quite hard to get the data off or how to come to reasonable conclusions. That wraps up my ramblings; hopefully I've left you with some ongoing problems. I've been Jamie.

[Applause]

Any questions?

[Question] Thanks for the presentation, and for a review of the actual ecosystem from both sides, the participant and the company actually taking the bug bounty. What's your view on, possibly, a statement that basically the bug bounty is also misunderstood as a method of improving security, and misunderstood by the participants themselves? Not to judge, because obviously the companies have a fear: is that something, am I ready for it, you know, should I let it go. But there also seems to be a misunderstanding in how basically the participants approach the bug bounties, and how that translates into, you know, a self-fulfilling prophecy and a vicious loop. What's your view on this one?

So I'll have to say that the marketing about bug bounties, and how we kind of see it in the community as something really cool to brag about and to look at, is quite harmful, because we jump on it and we think that all these are priorities, and people come through uni and think that's a path they should go down if you're a budding pen tester. And then for companies, they think it's a solution to pen tests, and we don't need pen testers if you've got all these people supposedly hacking or trying to hack us. And it's the compounding effect of people just not understanding what it should be, and that is to provide supplementary security to mature organisations. If you're not mature, if you don't have an internal security team, then there's no point running a bug bounty at all. And when it comes to pen testers and people who want to be pen testers: yeah, it's good to learn and try a trade, but it's not something to really hang your hat on as a normal job.

Question on the right; I'll get my steps in.

[Question] Hello, thanks for the talk. Hi Sam. Hello Jamie. (No, I have no idea who this guy is. Weegee? Right.) Yeah, I was just wondering, do you think, overall, that the way the bug bounty systems currently are, are a good thing, like on the scale that they're being used currently? Or do you think they should be kind of scaled back and maybe tested a bit more before being deployed on such a massive scale?

I think if you don't test them in the public, then you're never going to get an actual potential of what it's gonna be like, and eventually... What I've got up there is like six percent of the Forbes 2000, and if they get the rest, or a majority of that, then it's got to be well thought out, more than right now. And some people have said that. It will be interesting to see the kind of wave spill over, because mostly Western companies are doing bug bounties right now, and we've yet to see if any other kind of cultures will take it up, which is kind of an interesting take on it. And overall I think it's okay, as long as we don't kind of buy into all the marketing propaganda. And, as of late, there's also other kind of interesting companies; so I spoke to Cobalt today, they do pen testing as a service, which is kind of the transition away from bug bounties to pen testers as a service, which can meet some happy medium; however, you're losing out on the potential scale that bug bounties have.

Yeah, good, thanks. Other questions? Hey, do you all know each other, is that the deal? Okay, yeah, I recognise the shirts.

[Question] Hi James. Hi Jamie. On the solutions part of your slide, if you go back one, yeah, where you put your private programs, yeah. So in your answering Sam's question, you are saying the best way for a company to understand their weaknesses is to act like they're kind of let into the wild, running a private program. Are we going to see more of an increase in, like, the kind of Epic Games scenario, where we have exclusive kind of companies taking on this kind of thing, and then others are maybe not gonna get that; it's very targeted. But is it different between a private program and pen testing as a service?

When you're doing private programs you're getting the best people, and it's known for these private programs, before they go public, that they'll leave the low-hanging fruit so the community can come in and just take some part of the cake. And when it comes to private programs as well, you're paying close to the money for the people that we know drive fancy blue cars and post about it when it goes well, and that's just kind of a problem; it has to be public so you get the diversity of people.

Thanks. And with that, everyone who knows Jamie, give him a round of applause, and everyone who doesn't, right,

[Applause]

buy him a beer.