Fast-Forward: Bug Bounties Abound


The following is a guest post by Chris Markman, Academic Technology Specialist at Clark University, where he presses the "fast-forward button" on Hacker Conference videos to give you a summary of the talk in a condensed format, with direct links to resources mentioned in the talk. New posts are available each month in the Security Matters blog column.

This month we're visiting the AppSecUSA 2016 [https://2016.appsecusa.org/] conference, which took place recently in Washington, D.C., and was organized by OWASP, the "free and open software security community" and 501(c)(3) not-for-profit charity organization with international reach. If you haven't done so already, check out their wiki. It's pretty great, and they have a huge list of videos from past conferences spread across multiple streaming platforms. The following talk, If You Can't Beat 'Em Join 'Em: Practical Tips for Running a Successful Bug Bounty Program, was presented by Grant McCracken and Daniel Trauner of Bugcrowd on the final day of the conference, Friday, October 14 (thankfully not the 13th).

If you are familiar with bug bounty program logistics or have run one before at your organization, I would recommend jumping ahead to minute 42, where they present a case study and launch into Q&A a few minutes later. This is a short talk though, clocking in at under an hour, and most of the info is really in the audio rather than the slides (no live code demos or anything). So it's perfectly fine to watch this video in the background while you write replies on Twitter and check in when you hear the audience laugh.

In the introduction, the presenters are quick to point out that although security testing has been around for a long time, the first formal use of the term "bug bounty" was over 20 years ago with Netscape Navigator, which we can see in this press release from 1995, thanks to the Internet Archive. In the first half hour of the talk the topics range from how to start a bug bounty program (6:19), to how to prepare and launch a program (8:47), to common set-up mistakes (22:54) — the biggest takeaway being that the better documented and prepared you are, the more likely your project will attract experienced researchers because they want assurance that the program is being properly managed before devoting their time up-front. The presenters also stress the fact that through such a program, you're likely to attract an international audience, so clear communication is key — you do not want ambiguity in terms of what is or is not within the scope of your bug bounty program.

For bug bounty newbies like myself, the big question on your mind going into this talk — and probably on the minds of the rest of your team after proposing a bug bounty program or reading the reports of security researchers who participate and publish their findings online for the entire world to see — is covered halfway through at 26:08 in the "postlaunch" section. It includes tips about being quick and predictable with reply time, when to disclose publicly, and how to coordinate disclosure. They mention Heroku as a specific example of a shining star in that regard, and their Security Researcher Hall of Fame page speaks to this.

The talk then moves into a discussion of Bugcrowd's Vulnerability Rating Taxonomy (VRT), and at 34:09 we get a shout-out to the second edition of The Web Application Hacker's Handbook and The Bug Hunter's Methodology repo on GitHub (a page which also contains the embedded video from a DEF CON 23 talk by Jason Haddix).

Around 37:10 we hear about what makes a good bug bounty report (concise steps to easily reproduce the bug being obligation number one) and the previously mentioned case study from Canvas [http://blog.canvaslms.com/canvas-fifth-annual-open-security-audit#sthash.HktYHIJK.dpbs] (the learning management software, not the drawing tool), which I think is an interesting point of comparison for readers of this blog at institutions that also host or support an LMS. How does your institution compare? And what are the security implications?

Chris Markman has been blogging about technology since 2008, first as a volunteer for the Participatory Culture Foundation and later as an MSLIS student at Simmons College and MSIT student at Clark University. Prior to joining the Academic Technology Services team at Clark University in 2014, he managed a film and music library in the Visual and Performing Arts department. Markman is a member of the New England Archivists professional group and several artist collectives in the city of Worcester, Massachusetts.

© 2016 Christopher Markman. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.