
Release the Hounds! A look inside Bugcrowd - Ruxmon 1 March 2013

Jan 15, 2015


Release the Hounds! A look inside Bugcrowd.

This was a presentation Casey gave at the Sydney Ruxmon Information Security meetup at Google in 2013.
Transcript
Page 1: Release the Hounds! A look inside Bugcrowd - Ruxmon 1 March 2013

Release the hounds! A look inside Bugcrowd.

Casey Ellis

[email protected]

@caseyjohnellis

Page 2

Summary

• I’m not here to sell you anything
  – Unless you’re buying
• Quick overview of how Bugcrowd works
• Some stats from the bounties we’ve run and general experience of how it all goes down
• Questions

Page 3

About me

• 12 years in I.T.
• Started off technical, then moved to the business side, then went rogue
• Got bitten by the entrepreneur bug
  – White Label Security, RDPCheck, others
• I know enough to *sometimes* ask the right questions
  – but right now I’m probably the dumbest guy in the room.

Page 4

Bug bounties are awesome…

• Just ask Google, Facebook, PayPal
• Lots of eyes == more bugs found faster
• Lots of eyes == diverse talent pool
• Theoretically continuous coverage
  – If your rewards are big enough

Page 5

…but hard.

• Just ask Google, Facebook, PayPal
• Overhead of managing the tester community
• Spurious findings
  – “Here’s a Nessus scan, I can haz money nao?”
• Managing payments to testers
• How do I cap my spend?
• How do I control the crowd?

Page 6

Enter Bugcrowd!

(hat tip to @snare)

Page 7

The gist of it…

• Managed bug bounties for web, mobile and client/server apps
• “Came out of stealth” in December
• Founded by Sergei Belokamen (@sergicles) and me
• Nick Ellsmore (strategic advisor)
• Funded and mentored by Startmate Accelerator
  – Validating and improving the idea and the business model
  – Off to Silicon Valley in April to raise capital and work on the US market

Page 8

How does it work?

• Ongoing bounties (a la Google)
  – Bugs validated, scored and passed on “as discovered”
  – Payments managed, etc.
• Time-boxed bounties
  – Kind of like a crowd-sourced pen test
  – Client sets the size of the reward pool and the duration of testing
  – Fixed rewards
    • Higher reward for the 3 most “creative” bugs
    • Lower for the rest
  – Report at the end of the bounty

Page 9

What else?

• Kudos points
• Private bounties
• Crowdcontrol
• Free bounties for charities (awesomesauce)
• Charity or non-paid valid findings = ISC2 CPE

Page 10

So, does it work?

Page 11

A typical bounty:

• 2 mins – Clickjacking (EVERY. SINGLE. TIME)
• 0 to 6 hours – Lots of XSS, CSRF and other “common” bugs
• 6 to 24 hours – Stragglers
• 24 hours+ – The interesting stuff: bug chaining, non-traditional vectors, etc.
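The “two-minute clickjacking” finding on this slide is almost always a missing anti-framing header: the app sends neither X-Frame-Options nor a Content-Security-Policy frame-ancestors directive, so any origin can load it in an iframe. The check below is an added example for this transcript, not Bugcrowd’s code; it classifies a response’s headers the way a bounty hunter would on first contact, and the sample responses are constructed for illustration.

```python
"""Check a response's headers for framing protection.

Added example for this transcript, not Bugcrowd's code. The sample
responses below are constructed; in practice you would feed in the
headers captured from the target.
"""
from typing import Dict, List, Optional


def frame_protection(headers: Dict[str, str]) -> Optional[str]:
    """Describe the effective framing policy, or return None when any origin
    may frame the page (a clickjacking candidate).

    Header names are matched case-insensitively. When both headers are
    present, frame-ancestors wins, which is what browsers supporting CSP
    Level 2 do. A frame-ancestors directive with no source list is
    malformed and ignored here.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if len(parts) >= 2 and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources == ["none"]:
                return "CSP frame-ancestors 'none'"
            if "*" in sources:
                return None  # bare wildcard: anyone may frame
            return "CSP frame-ancestors " + " ".join(parts[1:])

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "X-Frame-Options " + xfo
    # ALLOW-FROM is obsolete and ignored by current browsers, and any other
    # value is invalid, so the response is effectively frameable.
    return None


# Constructed sample responses, keyed by a label for the report.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "legacy-app": {"Content-Type": "text/html; charset=utf-8"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    # frame-ancestors overrides X-Frame-Options, so the wildcard leaves this frameable.
    "csp-wildcard": {"Content-Security-Policy": "frame-ancestors *",
                     "X-Frame-Options": "SAMEORIGIN"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def frameable(responses: Dict[str, Dict[str, str]] = SAMPLE_RESPONSES) -> List[str]:
    """Return the sorted labels of responses that can be framed by any origin."""
    return sorted(name for name, hdrs in responses.items()
                  if frame_protection(hdrs) is None)


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        policy = frame_protection(hdrs)
        print(f"{name:14} {policy or 'FRAMEABLE (clickjacking candidate)'}")
```

Three of the five constructed responses come back frameable, including the one that sets `X-Frame-Options: SAMEORIGIN` but then opens the door again with `frame-ancestors *`; that precedence rule is why a header-only triage has to read both headers rather than stop at the first one it finds.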

Page 12

Some stats

• 10 bounties
  – 4 charity
  – 2 private paid
  – 3 open paid
  – 1 malware bounty
• 1,500 testers
• ~250 active submitters
• ~1,000 submissions

Page 13

0-day?

• An unpatched security bug in 3rd-party software has been disclosed in 4 of the bounties we’ve run so far
• OK, not really 0-day, but it goes to show that these guys are going reasonably deep

Page 14

Total validated submissions

• Up to Beta 006
• 85 unique bug types (e.g. reflected XSS, stored XSS, SQL injection, authentication/automation, etc.)
• 140 unique findings

Page 15

Countries of origin

• Australia
• New Zealand
• UK
• Italy
• Germany
• Spain
• France
• Sweden
• Georgia
• Pakistan
• India
• Malaysia
• Norway
• South Africa
• Argentina
• Israel
• USA
• Iceland

• A lot of “known” bounty hunters
• A lot of day-job pen testers

Page 16

General observations

• IT’S WORKING (mostly… still a lot to learn)
• Charity bounties work too!
• Running an accelerated start-up is wicked hard work
• Start-ups and charities have no idea how bad their appsec is
• Bug bounty on outdated WordPress on GoDaddy?
  – You’re gonna have a bad time

Page 17

Next…

• More bounties
• Get some ongoing bounties going
• Get better at running these things
• Off to the valley…

Page 18

Thanks! Questions?

• [email protected]
• @caseyjohnellis
• @bugcrowd