Published on May 5th, 2017

#HITB2017AMS COMMSEC D2 – Uberbounty: Bug Bounty From A Program's Perspective – Rob Fletcher


This talk will give researchers insight into a program’s perspective on bug bounty. First, we identify characteristics of a successful bug bounty researcher. Then we’ll dive into some specific example reports with the goal of understanding why some reports are more valuable than others – researchers should expect to understand which types of reports are highest ROI for their time and effort.

Finally, we will give researchers insight into the why/how around our recent program updates.

Characteristics of a successful bug bounty researcher

* Report quality: reproducibility; a succinct write-up with the relevant HTTP requests and responses; a documented current understanding of the security impact
* Communication: kindness, patience, empathy
* Security impact: How would you exploit this? Is there monetary impact to Uber or exposure of user data? Are there mitigating factors that reduce severity?

Which reports are most valuable and why

* Less valuable bugs: promo code fraud; taking a free ride or sandwich; open redirects
* Most valuable bugs: account takeover (OAuth redirects, password resets); authorization issues relating to user data; RCE (because of potential user data exposure)

Program updates

* Increasing our minimum bounty
* Change in when we issue bounties

===

Application security keeps me curious and I’m lucky I get to do something I love with awesome people. There are surprising similarities between finding a security vulnerability and understanding how people need/want to be managed – I find that interesting and gratifying.

My workplace happiness scale, increasing from left to right:
find bug - fix bug - find systemic issue - fix systemic issue - manage awesome people - find the right gif

Finding a bug is good, but finding bugs is better.
Fixing a bug is great, but fixing a class of bug is greater.
Educating developers to not write bugs is security nirvana.

My current role involves a mix of all the above and I enjoy the ability to be a manager while also contributing to technical initiatives.

