Jason Haddix

@Jhaddix

18 Tweets 8 reads Jul 01, 2022
a🧵
⚠️Orgs with mature security programs⚠️
Want a masterclass in scoping/running a bug bounty program?
Read more from a program owner, (former) bounty platform employee, and top bug hunter (me😂)
🚨 Retweet, follow, & like for more sec content! 🚨
1/x
This thread is about Yahoo!
The @TheParanoids & @Yahoo have one of the best bug bounties in existence. Why? Read on 👇👇👇
hackerone.com
2/x
💰Good payout amounts💰
Not much to say here. Yahoo understands the value of good security research. The top-end of the payouts reflects that. If you're new to starting a bug bounty, ramp up to this.
3/x
👉Scope:
1 - Yahoo's scope is VAST. The Paranoids understand this so they segment it by product or domain. This helps bug hunters pick one to dive into.
2 - Each scope is outlined with targets and in the majority of cases they are wildcard scopes (*.yimg.com).
4/x
⚠️Cybercriminals don't have scope and I think that the Yahoo teams understand that by allowing the maximum flexibility for bug hunters to submit under.⚠️
5/x
3 - Personal notes and documentation
As Yahoo gains intelligence on the types of bugs that exist for each domain, they add contextual notes to the brief. They let you know what they are looking for more of, what they are less interested in, and how...
6/x
... to achieve maximum payout per scope for some vulnerability classes.
They also provide DOCUMENTATION links and rate limit information. In some cases, they describe their defenses in the product to see if they can be bypassed.
7/x
👉Testing Guidelines:
Yahoo outlines very specific criteria for technical bugs, including servers you need to reach for LFI and SSRF bugs. They have rate limit criteria and information on registration per product...
8/x
...They tell you if automated or manual testing is preferred on targets where applicable.
9/x
👉Notes on divestitures:
Yahoo even mentions brands or products they have dropped. The best "recon-based" hunters in the world find obscure domains all the time. This info gives them a quick reference on whether they should pursue a brand/product/domain.
10/x
🧠Custom notes on vuln ratings:
The Paranoids write a bit on their departure from the normal ratings on HackerOne. Their payout decisions are tailored to their own threat models, which is great. They also have a vulnerability review council internally to keep payouts fair.
11/x
⚠️Arguably one of the most important is a "catch-all" scope section⚠️
This gives them and bug hunters some leeway in testing/rewarding things that might not have been explicitly documented.
12/x
✈️In addition, they have a pre-prepared Burp Suite scope file that sets up their scope for testers to start from. It also excludes out-of-scope hosts! Very forward-thinking.
13/x
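Added example (mine, not Yahoo's or the Paranoids' Burp file): a small Python scope checker that applies the wildcard include rules (like *.yimg.com), an explicit exclude list like the one in a Burp scope file, and flags anything unmatched as a candidate for the "catch-all" section. All hostnames other than *.yimg.com are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScopeRule:
    pattern: str   # "*.yimg.com" (wildcard subdomains) or an exact host
    include: bool  # True = in-scope entry, False = explicit exclusion


def host_matches(host: str, pattern: str) -> bool:
    """Match a hostname against one scope entry.

    A wildcard "*.yimg.com" matches proper subdomains only: "s.yimg.com" yes,
    the apex "yimg.com" no, and "s.yimg.com.evil.test" no (a naive substring
    check would wrongly accept the last one).
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".yimg.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def classify(host: str, rules: list) -> str:
    """Return 'out-of-scope', 'in-scope', or 'undocumented'.

    Exclusions win over includes, mirroring how a Burp scope with an exclude
    list behaves. Anything matching nothing is 'undocumented': the case the
    program's catch-all section exists to cover.
    """
    if any(not r.include and host_matches(host, r.pattern) for r in rules):
        return "out-of-scope"
    if any(r.include and host_matches(host, r.pattern) for r in rules):
        return "in-scope"
    return "undocumented"


# Constructed rule set: one wildcard from the thread, two placeholder hosts.
RULES = [
    ScopeRule("*.yimg.com", include=True),
    ScopeRule("*.example.test", include=True),
    ScopeRule("legacy.example.test", include=False),
]


def triage(hosts, rules=RULES) -> dict:
    """Classify every recon-discovered host before touching it."""
    return {h: classify(h, rules) for h in hosts}


if __name__ == "__main__":
    found = ["s.yimg.com", "yimg.com", "s.yimg.com.evil.test", "legacy.example.test"]
    for host, verdict in triage(found).items():
        print(f"{host:28} {verdict}")
```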
In general, their triage and response are quick to resolution.
🌶️There is nothing sexier and more enticing than a program that communicates with you and is fast. 🌶️
14/x
🗣️Periodically they use their bounty to systematically ensure they have found certain CVEs, sometimes offering bonuses for this work.
15/x
🕴️Swag ++ 🎉🥳
They periodically give out swag to good & repeat submitters to the program. Challenge coins, shirts, etc.
They also hold a party in Vegas (at Defcon and Blackhat) for their bug hunters++
On top of good payouts, these things mean a lot to bug hunters.
16/x
They pay for retesting where applicable. 💰
17/x
That's it for now.
I'm sure there are plenty of other programs that are great and have great features, but the Yahoo and @TheParanoids scope and program should be a gold standard for program owners.
✌🏻For more resources follow, retweet, & like!✌️
18/x