Bug Bounty Basics
9 likes4,584 views
Who is a hacker? What is a bug bounty program? How do you get started with bug bounties? How much should I pay hackers who find bugs in my website and apps? All these questions and more are answered in our bug bounty basics booklet. Learn more about the market-leading bug bounty platform and how it is the ideal choice for continuous security testing at https://www.hackerone.com/product/bounty
Ad
More Related Content
What's hot (20)
Similar to Bug Bounty Basics (20)
Ad
More from HackerOne (16)
Ad
Recently uploaded (19)
Bug Bounty Basics
- 2. hack er /’ha–kər/ noun one who enjoys the intellectual challenge of creatively overcoming limitations. HACKERONE
- 3. Bug Bounty Program /’bƏg ˈbau̇ n-tē ˈprō-ˌgram / A program where ethical hackers are invited to report security vulnerabilities to organizations, in exchange for monetary rewards for useful submissions. Bug bounties are commonly seen as the most effective and inexpensive way to identify vulnerabilities in live systems and products. HACKERONE
- 4. HACKERONE STEP ONE: DEFINE YOUR SCOPE Create your own security program page with instructions for hackers: what targets are in scope, what types of findings are eligible, what types are not, what rewards you will be paying, what behaviors are acceptable, and what the ideal vulnerability report should look like. Start with HackerOne’s template, ask for help if you want it, modify as needed.
- 5. BOUNTY PROGRAM SCOPE We are interested in any vulnerability that could negatively affect the security of our users. OUR BOUNTIES $100 Minimum Bounty $500 Average Bounty $10,000 Max Bounty IN-SCOPE VULNERABILITIES • Cross-Site Scripting • Cross-Site Request Forgery • Server-Side Request Forgery • SQL Injection • SS Remote Code Execution • XML External Entity Attacks IN-SCOPE PROPERTIES • api.CompanyA.com • bonjour.CompanyA.com • business.CompanyA.com • cn-cfe1.CompanyA.com • cn-dc1.CompanyA.com • cn-dc2.CompanyA.com COMPANY A https://hackerone.com/yourprogram $ 500 AVERAGE
- 6. HACKERONE HOW DO I DECIDE HOW MUCH TO OFFER HACKERS? Set bug bounty awards by technical classification of the bug and severity of its possible impact. We recommend a minimum of $100. The average is around $500 and the current record is $50,000. To get attention from the world’s best hackers, pay more than the platform average. See our full list of programs here to see how customers have defined their bounty programs:
- 7. HACKERONE $ 50,000 CURRENT RECORD BOUNTY $ 500AVERAGE BOUNTY $ 100 MINIMUM BOUNTY
- 8. HACKERONE WHO ARE THE HACKERS? Hackers hail from around the world. The reason they hack is varied, but most hack because they love the challenge, want to do good in the world, and of course, to make money. More than 80,000 hackers from 70+ countries are registered to hack on HackerOne and this number grows daily. For your program, you can invite hackers based upon reputation score, identify certain signal requirements, and even search by vetted skills (such as expertise in native applications, mobile applications, hardware/iOT, and web applications).
- 9. WHY DO THEY HACK? HACKERS ARE FROM 70+COUNTRIES YEARS HACKING 71.5 % TO MAKE MONEY 65.9 % TO BE CHALLENGED 70.5 % TO HAVE FUN 64.3 % TO BUILD MY RESUME 50.8 % TO DO GOOD IN THE WORLD 15.8% 14.3% 17% 11.3% 12% 1 2 3 4 5
- 10. HACKERONE HOW SOON DO I GET BUGS REPORTED? In the first day, expect 4 serious, non-duplicate vulnerability reports. The average customer targets 10 to find in the first 2 weeks – you can target more if you like. Ask about HackerOne’s Fully-Managed Program if you need help with triaging inbound reports.
- 11. HACKERONE VALID REPORTS DAY 01 10 8 6 4 2 DAY 14 GET RESULTS FAST
- 12. HACKERONE HOW DO HACKERS GET PAID FOR VALID REPORTS? For valid bugs, HackerOne handles the paperwork and payment to a hacker anywhere in the world. Forget about international financial compliance, tax obligations, and other payment headaches – just leave it to us. We’ve paid hackers from 40 U.S. states and more than 80 countries.
- 13. HACKERONE
- 14. HACKERONE HOW DO WE KNOW THE BUG BOUNTY PROGRAM HAS BEEN SUCCESSFUL? When you receive valid submissions, you know that your program is working. The sooner your engineering team can fix the bugs found, the more secure your system will be. You can use this information and the analytics provided by the HackerOne platform to identify and improve areas in your software development life cycle that seem to be causing the most vulnerabilities. HACKERONE
- 15. HACKERONE Over time, your software becomes more secure and the number of valid submissions will slowly decline. When you deploy new software, you may want to offer new bounties to encourage repeat hackers to spend their time on you again. Stored XSS in subdomain Read files lead to RCE Private email server compromised at your.site.com
- 16. HACKERONE ALWAYS BE IN THE KNOW WITH HACKERONE PLATFORM ANALYTICS HackerOne offers all accounts access to a Standard Dashboard to monitor team stats in real-time and stay on top of response time, stale issues, pending disclosures and more. Other, more advanced tools customers love include:
- 17. HACKERONE API Reports Sync your data with your internal data analysis tools. HackerOne Success Index Compare your security posture against other organizations of comparable size on key benchmark metrics. Advanced Analytics Query more advanced reports to track metrics measuring your program’s ROI. Custom Analytics Work with our data science experts to fulfill your custom reporting requirements.
- 18. HACKERONE HackerOne is the no.1 hacker-powered security provider, connecting organizations with the world’s largest community of trusted hackers. More than 800 organizations, including The U.S. Department of Defense, General Motors, Intel, Uber, Twitter, GitHub, Nintendo, Lufthansa, Panasonic Avionics, Qualcomm, Square, Starbucks, and the CERT Coordination Center trust HackerOne to find critical software vulnerabilities before criminals can exploit them. HackerOne customers have resolved more than 50,000 vulnerabilities and awarded more than $18M in bug bounties. HackerOne is headquartered in San Francisco with offices in London, Seattle, Los Angeles and the Netherlands. For the most exhaustive list of live bug bounty programs, visit https://hackerone.com/bug-bounty-programs
- 19. HACKERONE MAKE THE INTERNET SAFER W W W. H A C K E R O N E . C O M / S A L E S @ H A C K E R O N E . C O M / +1 ( 41 5) 8 9 1- 0 7 7 7 © 2 0 16 H A C K E R O N E
- 20. W W W. H A C K E R O N E . C O M / S A L E S @ H A C K E R O N E . C O M / +1 ( 4 1 5) 8 9 1- 0 7 7 7