Bug Bounty Hunting for Companies & Researchers

Presentation on theme: "Bug Bounty Hunting for Companies & Researchers"— Presentation transcript:

1 Bug Bounty Hunting for Companies & Researchers
Bounty Hunting in Sudan and Abroad By: Mazin Ahmed @mazen160 mazin AT mazinahmed DOT net

2 WHO AM I? Mazin Ahmed Freelancing Information Security Specialist / Penetration Tester Freelancing Security Researcher at Bugcrowd, Inc Security Contributor at ProtonMail Interested in web-security, networks-security, WAF evasions, mobile-security, responsible disclosure, and software automation. One of top 50 researchers at Bugcrowd out of 37,000+ researchers. Acknowledged by Facebook, Twitter, Oracle, LinkedIn, and many… You can read more at

3 WHO AM I? And I have contributed to the security of the following:

4 AGENDA MY STORY; WHAT ARE BUG BOUNTY PROGRAMS?; BUG BOUNTY PROGRAMS (HISTORY); WHY BUG BOUNTY PROGRAMS?; POPULAR BUG BOUNTY PLATFORMS; SELF-HOSTED BUG BOUNTY PROGRAMS; BUG BOUNTY PLATFORMS PROCESS; TIPS & NOTES; RESPONSIBLE DISCLOSURE PROGRAM VS. BUG BOUNTY PROGRAM; WHAT HAPPENS AFTER STARTING A BUG BOUNTY; COMMON PITFALLS/MISTAKES; COOL FINDINGS; INFOSEC AND BUG HUNTING IN SUDAN & THE MIDDLE EAST; ACKNOWLEDGEMENTS; QUESTIONS

5 My Story [My Story]

6 What are Bug Bounty Programs?

7 Bug bounty Programs (History)

8 Why Bug Bounty Programs?

9 Why Bug Bounty Programs? (Company’s Wise)

10 Why Bug Bounty Programs? (Researcher’s Wise)

11 Popular Bug Bounty Platforms

12 Popular Bug Bounty Platforms Bugcrowd
First-ever public bug bounty platform. 37,000+ researchers/hackers. Largest-ever security team. Offers managed or unmanaged, on-going or time-limited, public or private bug bounties.

13 Popular Bug Bounty Platforms Hacker One
A “security inbox” for companies, and a bug bounty platform. The client handles the submission validation process. Around 3,700 researchers have been thanked on the platform.

14 Popular Bug Bounty Platforms Synack
Only hires the best of the best, requiring written exams, practical exams, and background checks for researchers. Larger payouts than its competitors. Private number of researchers, private clients.

15 Popular Bug Bounty Platforms Cobalt.IO
Bug bounty platform + crowdsourced pentesting services. Offers different pentesting and bounty services. A team of 5,000 researchers, 200 vetted researchers, 329 submitted valid reports.

16 Popular Bug Bounty Platforms ZeroCopter
Amsterdam-based bug bounty platform. Invite-only platform for researchers. Around 100 chosen researchers. Handles all reports (aka managed bounty programs). Runs scanners on systems to find low-hanging fruit before launching the program.

17 Self-Hosted Bug Bounty Program
Can be done by handling reports via e-mail, forms, etc. Less opportunity for hackers to notice it (unless the company is very well-known). Examples: Facebook, Google, PayPal, United Airlines. Bugcrowd hosts a list of self-hosted bounty programs.

18 Tips & Notes

19 Tips & Notes for Companies

20 Tips & Notes (for Companies)
Bug bounties do not replace traditional security assessment. Before getting into bug bounties: evaluate your systems and networks; perform internal vulnerability assessments; fix everything!

21 Tips & Notes (for Companies)
Responsible Disclosure Program vs. Bug Bounty Program

22 Tips & Notes (for Companies)
When getting into bug bounties: [Preferably] start with a bug bounty platform. Check with the bug bounty platform's support. Write an explicit and clear bounty brief.

23 Tips for Companies (After Establishing Bug Bounty Program)

24 Bug Bounty Platforms Process

25 What Happens after Starting Bug Bounty?

26 Tips for Companies (After Establishing Bug Bounty Program)
When you receive a submission, respond with an acknowledgment. Payouts are a vital part! Try to fix issues ASAP.

27 Tips & Notes for Researchers

28 Tips & Notes (for Researchers)

29 Common Pitfalls/Mistakes

30 Common Pitfalls/Mistakes
A bug bounty program is NOT a way to get free or almost-free pentests.

31 Common Pitfalls/Mistakes

32 Common Pitfalls/Mistakes
Not paying researchers while having a full bounty program, aka playing dodgy with researchers. Some companies actually do that! Example: Yandex

33 Common Pitfalls/Mistakes
Example: Yandex Check:

34 Common Pitfalls/Mistakes
Internal policy issues: To fix or not? To reward or not??

35 Common Pitfalls/Mistakes
Internal policy issues

36 Cool Findings “The Fun Part”

37 Cool Findings Target: SwissCom
Why? Because we are in Switzerland!

38 Cool Findings Target: SwissCom

39 Cool Findings Target: Symantec
One day, I woke up and said to myself, let’s hack Symantec! Of course, Symantec has a responsible disclosure policy that I follow.

40 Cool Findings Target: Symantec
Bug #1: Backup-File Artifacts on nortonmail.Symantec.com

41 Cool Findings Target: Symantec
Bug #2: Multiple SQL Injection Vulnerabilities #1

42 Cool Findings Target: Symantec
Bug #2: Multiple SQL Injection Vulnerabilities #2

43 Cool Findings Target: Symantec
Plan There was a CMS on the same web environment Dumb the DB Get root (the server used deprecated and vulnerable kernel) Access the CMS as Admin Reverse TCP connection to my box Upload a web-shell Crack (if hashed) Get password Exploit SQLI Report it to vendor. DONE

44 Cool Findings Target: Symantec
Executing the plan: Found that I had access to 61 databases! I immediately stopped and reported it without exploitation. Just imagine if I was a bad guy.

45 InfoSec, Bug Hunting in Sudan & the Middle East

46 InfoSec, Bug Hunting in Sudan & the Middle East
What is it like to be a bug bounty hunter from the Middle East? What is the level of IT security knowledge in the Middle East?

47 InfoSec, Bug Hunting in Sudan & the Middle East
How powerful are Arabian BlackHat hackers? When it comes to defacing public property, they get crazy. Motivated by: politics, human rights, money, and ego. Seriously, don’t underestimate their powers, don’t mess with them, you won’t like the outcome! Note: I do not support any form of unethical hacking by any means.

48 Acknowledgements Christian Folini, Bernhard Tellenbach, the @SwissCyberStorm team, and everyone for attending and listening!

49 Questions? Mazin Ahmed Twitter: @mazen160
mazin AT mazinahmed DOT net Website: LinkedIn:
