Part 3 Program Setup

4 Defining Program Scope and Bounties
4.1 What Is a Bounty?
4.2 Understanding Scope
4.3 How to Create Scope
4.3.1 Models
4.4 Understanding Wildcards
4.4.1 Subdomain
4.4.2 Domain
4.4.3 Specific Domain Path or Specific Subdomain Path
4.5 Determining Asset Allocation
4.6 Asset Risk
4.7 Understanding Out of Scope
4.8 Vulnerability Types
4.8.1 Denial of Service (DoS) or Distributed Denial of Service (DDoS) Attacks
4.8.2 Social Engineering Attacks
4.8.3 Brute Force or Rate Limiting
4.8.4 Account and Email Enumeration
4.8.5 Self-XSS
4.8.6 Clickjacking
4.8.7 Miscellaneous
4.9 When Is an Asset Really Out of Scope?
4.10 The House Wins – Or Does It?
4.11 Fair Judgment on Bounties
4.12 Post-mortem
4.13 Awareness and Reputational Damage
4.14 Putting It All Together
4.15 Bug Bounty Payments
4.15.1 Determining Payments
4.15.2 Bonus Payments
4.15.3 Nonmonetary Rewards

5 Understanding Safe Harbor and Service Level Agreements
5.1 What Is “Safe Harbor”?
5.1.1 The Reality of Safe Harbor
5.1.2 Fear and Reluctance
5.1.3 Writing Safe Harbor Agreements
5.1.4 Example Safe Harbor Agreement
5.2 Retaliation against a Rogue Researcher (Cybercriminal or Threat/Bad Actor)
5.3 Service Level Agreements (SLAs)
5.3.1 Resolution Times
5.3.2 Triage Times

6 Program Configuration
6.1 Understanding Options
6.2 Bugcrowd
6.2.1 Creating the Program
6.2.2 Program Overview
6.2.2.1 The Program Dashboard
6.2.2.2 The Crowd Control Navbar
    Summary
    Submissions
    Researchers
    Rewards
    Insights Dashboard
    Reports
6.2.3 Advanced Program Configuration and Modification
6.2.3.1 Program Brief
6.2.3.2 Scope and Rewards
6.2.3.3 Integrations
6.2.3.4 Announcements
6.2.3.5 Manage Team
6.2.3.6 Submissions
6.2.4 Profile Settings
6.2.4.1 The Profile and Account
6.2.4.2 Security
6.2.4.3 Notification Settings
6.2.4.4 API Credentials
6.2.5 Enterprise “Profile” Settings
6.2.5.1 Management and Configuration
6.2.5.2 Organization Details
6.2.5.3 Team Members
6.2.5.4 Targets
6.2.5.5 Authentication
6.2.5.6 Domains
6.2.5.7 Accounting
6.3 HackerOne
6.3.1 Program Settings
6.3.1.1 General
6.3.1.2 Information
6.3.1.3 Product Edition
6.3.1.4 Authentication
6.3.1.5 Verified Domains
6.3.1.6 Credential Management
6.3.1.7 Group Management
6.3.1.8 User Management
6.3.1.9 Audit Log
6.3.2 Billing
6.3.2.1 Overview
6.3.2.2 Credit Card
6.3.2.3 Prepayment
6.3.3 Program
6.3.3.1 Policy
6.3.3.2 Scope
6.3.3.3 Submit Report Form
6.3.3.4 Response Targets
6.3.3.5 Metrics Display
6.3.3.6 Email Notifications
6.3.3.7 Inbox Views
6.3.3.8 Disclosure
6.3.3.9 Custom Fields
6.3.3.10 Invitations
6.3.3.11 Submission
6.3.3.12 Message Hackers
6.3.3.13 Email Forwarding
6.3.3.14 Embedded Submission Form
6.3.3.15 Bounties
6.3.3.16 Swag
6.3.3.17 Common Responses
6.3.3.18 Triggers
6.3.3.19 Integrations
6.3.3.20 API
6.3.3.21 Hackbot
6.3.3.22 Export Reports
6.3.3.23 Profile Settings
6.3.4 Inbox
6.3.4.1 Report Details
6.3.4.2 Timeline
6.4 Summary

Part 4 Vulnerability Reports and Disclosure

7 Triage and Bug Management
7.1 Understanding Triage
7.1.1 Validation
7.1.2 Lessons Learned
7.1.3 Vulnerability Mishaps
7.1.4 Managed Services
7.1.5 Self-service
7.2 Bug Management
7.2.1 Vulnerability Priority
7.2.2 Vulnerability Examples
7.2.2.1 Reflected XSS on a login portal
    Report and Triage
    Validation
7.2.2.2 Open redirect vulnerability
    Report and Triage
    Validation
7.2.2.3 Leaked internal Structured Query Language (SQL) server credentials
    Report and Triage
    Validation
7.3 Answers
7.3.1 Vulnerability Rating-test Summary
7.3.1.1 Reflected XSS in a login portal
7.3.1.2 Open redirect vulnerability
7.3.1.3 Leaked internal SQL server credentials
7.3.2 Complexity vs Rating
7.3.3 Projected Ratings
7.3.4 Ticketing and Internal SLA
7.3.4.1 Creating Tickets

8 Vulnerability Disclosure Information
8.1 Understanding Public Disclosure
8.1.1 Making the Decision
8.1.1.1 Private Programs
    The Bottom Line
8.1.1.2 Public Programs
    The Bottom Line
8.2 CVE Responsibility
8.2.1 What are CVEs?
8.2.2 Program Manager Responsibilities
8.2.3 Hardware CVEs
8.2.4 Software and Product CVEs
8.2.5 Third-party CVEs
8.3 Submission Options
8.3.1 In-house Submissions
8.3.2 Program Managed Submissions and Hands-off Submissions
8.3.2.1 Program Managed Submissions
8.3.2.2 Hands-off Submissions

Part 5 Internal and External Communication

9 Development and Application Security Collaboration
9.1 Key Role Differences
9.1.1 Application Security Engineer
9.1.2 Development
9.2 Facing a Ticking Clock
9.3 Meaningful Vulnerability Reporting
9.4 Communicating Expectations
9.5 Pushback, Escalations, and Exceptions
9.5.1 Internal steps
9.5.2 External steps
9.5.2 Escalations
9.5.3 Summary
9.6 Continuous Accountability
9.6.1 Tracking
9.6.2 Missed Deadlines

10 Hacker and Program Interaction Essentials
10.1 Understanding the Hacker
10.1.1 Money, Ethics, or Both?
10.1.2 Case Study Analysis
10.2 Invalidating False Positives
10.2.1 Intake Process and Breaking the News
10.2.2 Dealing with a Toxic Hacker
10.3 Managed Program Considerations
10.4 In-house Programs
10.5 Blackmail or Possible Threat Actor
10.6 Public Threats or Disclosure
10.7 Program Warning Messages
10.8 Threat Actor or Security Researcher?
10.9 Messaging Researchers
10.9.1 Security Researcher Interviews
10.9.2 Bug Bounty Program Manager Interviews
10.10 Summary

Part 6 Assessments and Expansions

11 Internal Assessments
11.1 Introduction to Internal Assessments
11.2 Proactive Vs Reactive Testing
11.3 Passive Assessments
11.3.1 Shodan
11.3.1.1 Using Shodan
11.3.2 Amass/crt.sh
11.3.2.1 Amass
11.3.2.2 crt.sh
11.4 Active Assessments
11.4.1 nmapAutomator.sh
11.4.2 Sn1per
11.4.3 OWASP ZAP
11.4.4 Dalfox
11.4.5 Dirsearch
11.5 Passive/Active Summary
11.6 Additional Considerations: Professional Testing and Third-Party Risk

12 Expanding Scope
12.1 Communicating with the Team
12.2 Costs of Expansion
12.3 When to Expand Scope
12.4 Alternatives to Scope Expansion
12.5 Managing Expansion

13 Public Release
13.1 Understanding the Public Program
13.2 The “Right” Time
13.3 Recommended Release
13.3.1 Requirements
13.4 Rolling Backwards
13.5 Summary

Index

End User License Agreement
Chapter 6

Figure 6.1 Bugcrowd “Start now” button.
Figure 6.2 Bugcrowd: selection “Bug Bounty Program”.
Figure 6.3 Selecting the program name on Bugcrowd.
Figure 6.4 Adding targets to test on Bugcrowd.
Figure 6.5 Adding a target to Bugcrowd.
Figure 6.6 Adding reward ranges by severity on Bugcrowd.
Figure 6.7 Identify goals and concerns on Bugcrowd.
Figure 6.8 Select researcher activities, environments,...
Figure 6.9 Upload your company’s logo and create a...
Figure 6.10 Vulnerability tasking tabs.
Figure 6.11 Bugcrowd documentation.
Figure 6.12 Program dropdown menu.
Figure 6.13 Crowd control navbar.
Figure 6.14 Vulnerability submissions panel.
Figure 6.15 Program participants tab.
Figure 6.16 Program invitations tab.
Figure 6.17 Program rewards dashboard.
Figure 6.18 Insights dashboard: technical severity chart.
Figure 6.19 Insights dashboard: target breakdown.
Figure 6.20 Insights dashboard: performance.
Figure 6.21 Program brief settings.
Figure 6.22 Scope details.
Figure 6.23 Profile dropdown menu.
Figure 6.24 Targets tab.
Figure 6.25 Program dropdown menu.
Figure 6.26 “Add group” button.
Figure 6.27 Description of an asset group.
Figure 6.28 Target groups.
Figure 6.29 Target group rewards.
Figure 6.30 Target group listings.
Figure 6.31 Integrating various tools to help with report management.
Figure 6.32 Announcements option.
Figure 6.33 New announcement option.
Figure 6.34 Manage team option.
Figure 6.35 Invite a team member option.
Figure 6.36 Data fields option.
Figure 6.37 CVSS v3 option.
Figure 6.38 Remediation advice option.
Figure 6.39 Retesting option.
Figure 6.40 Markdown embedded attachments option.
Figure 6.41 Profile and enterprise sidebar.
Figure 6.42 Profile option.
Figure 6.43 Security option.
Figure 6.44 Events option.
Figure 6.45 Two-factor authentication option.
Figure 6.46 Notifications settings option.
Figure 6.47 API credentials option.
Figure 6.48 Single sign-on option.
Figure 6.49 Unverified domains option.
Figure 6.50 Activity summary.
Figure 6.51 Submit deposit request option.
Figure 6.52 Transfer funds option.
Figure 6.53 Program balances option.
Figure 6.54 Program settings option.
Figure 6.55 Miscellaneous program options.
Figure 6.56 Security page function.
Figure 6.57 HackerOne product editions.
Figure 6.58 Single sign-on with SAML.
Figure 6.59 Domain verification example.
Figure 6.60 Credential management tab.
Figure 6.61 Group management options.
Figure 6.62 Group management options.
Figure 6.63 Adding users option.
Figure 6.64 Audit log option.
Figure 6.65 Overview of bounties and fees.
Figure 6.66 Adding assets.
Figure 6.67 The CIA triad.
Figure 6.68 Submit report form option.
Figure 6.69 Customizing the report form.
Figure 6.70 Response targets option.
Figure 6.71 Metrics display option.
Figure 6.72 Setting email notifications.
Figure 6.73 Inbox views option.
Figure 6.74 Disclosure option.
Figure 6.75 Invitations option.
Figure 6.76 Public launch option.
Figure 6.77 Submission requirements option.
Figure 6.78 Messaging hackers option.
Figure 6.79 Email forwarding function.
Figure 6.80 Embedded submission configuration.
Figure 6.81 Bounties option.
Figure 6.82 Common responses option.
Figure 6.83 Add common response option.
Figure 6.84 Edit common response option.
Figure 6.85 Default common responses option.
Figure 6.86 Create triggers option.
Figure 6.87 Hackbot settings option.
Figure 6.88 Export reports option.
Figure 6.89 Reporting inbox vulnerabilities.
Figure 6.90 Example report.
Figure 6.91 Timeline option.