Critical Vulnerabilities and Bug Bounty Programs

Black Hat via YouTube

Overview

This course aims to explore critical vulnerabilities uncovered through bug bounty programs and their impact on customers. It teaches participants how to differentiate between high-priority critical bugs and noise in vulnerability submissions. The course covers various bug bounty models, submission frameworks, and the importance of rewarding consistently. The teaching method includes discussing real vulnerabilities and engaging with researchers and vendors. The intended audience for this course includes cybersecurity professionals, bug bounty hunters, researchers, and individuals interested in understanding the significance of bug bounty programs in cybersecurity.

Syllabus

Intro
Agenda
Disclaimer
Google VRP
Google Bounty Program
Google Researcher Location Data
Facebook Bounty Program
Facebook 2014 Report
GitHub Bug Bounty
Microsoft Bug Bounty
Microsoft Online Services Bounty
Acknowledgements
Different Bounty Models
Bounty Data
Customers
Submissions
Rewards
High Priority Critical
Who is finding these bugs
Submissions by geography
Google
Facebook
Delete Photos
Simple Simple
Smartsheet
Import User Bug
Upload Import Bug
Tesla Bug Bounty
Authentication Bypass Bug
Submission Framework Expectations
Other Companies
Other Resources
Out Of Scope
Direct Performance Feedback
Rapid triage prioritization
LastPass prioritization
Is it worth it
SLA
Stop rewarding bad behavior
Reward consistently
Conclusions
Call To Action
Question Time

Taught by

Black Hat
