I had the great opportunity to participate as speaker at NullCON GOA 2022 last September, in the Tech Bug Bounty Panel with other Bug Bounty and Responsible Disclosure managers. The discussion revolved around the experience & challenges for an Organizations running their own active Bug Bounty Programs.
Panelist: Rishika Hooda — Google | Omar Benbouazza — IKEA | Venkatesh Sundar — IndusFace | Sandesh Mysore Anand — Razorpay
Moderator: Sandeep Singh — HackerOne
What happens when a security researcher finds a bug in your code or the way to access your customer data? Do you have a clear policy and flow to get the findings in a safe way?
During this session I will show you how to create a Bug Bounty or Responsible Disclosure.
This talk was presented in the Barcelona CyberSecurity Congress in May 2021.
Vulnerability Disclosure Programs (VDPs) are a clear way to tell the security researcher community how an organization wants them to report a vulnerability and what an organizations’ commitment will be to fixing it.
They’ve been best practice among progressive tech companies for years and are expanding across new industries, with even governments beginning to mandate them as best practice.
At some point, maybe you had the need to contact the owner of a Github repository. That is a feasible thing but very manual, loosing a lot of time copy&pasting and searching. Now this will be easier with the online tool you can find below.
Simple stuff.
1) Open terminal and install the Yubikey PPA, this module implements PAM over U2.
sudo apt-get install libpam-u2f2) Insert the Yubikey and create the folder to store your Yubikey key
mkdir ~/.config/Yubico pamu2fcfg > ~/.config/Yubico/u2f_keys3) Yubikey Neo will start flashing, touch it! Now you have configured your key in your profile.
1) Open a new terminal to edit the login configuration
sudo vim /etc/pam.d/gdm-password2) Add the below after the “@include common-auth” line
3) Save the file, and logout the session. From now you will need to introduce the Yubikey Neo and press it once you fill the password.
![El cazador de cerebros [ES]](https://miro.medium.com/fit/c/224/224/0*kabeg1_xQJ2BJu0o.jpg)
![El cazador de cerebros [ES]](https://miro.medium.com/fit/c/160/112/0*kabeg1_xQJ2BJu0o.jpg)
En este capítulo descubrimos como en el ciberespacio también existen el bien y el mal: los hackers éticos y los ciber-delincuentes se enfrentan en una lucha por atacar y defender los secretos, sin olvidarse que la ciber-policía patrulla las calles de las redes más oscuras.
What happens when a security researcher finds a hole in your code? Do have a clear policy to submit this kind of findings? Most not.
Responsible Disclosure is something every company should manage, and Bug Bounties Programs help to improve the security as well as be in contact with the hacker community.
During the talk we will see how a Responsible Disclosure Program or a BugBounty Program works, and how the company should focus and not forget about other mitigations and counter mesures related to security.
Also we will dig a bit in how a security report must be performed in a good way.
