ISBN-13: 9781119782520 / English / Hardcover / 2021 / 224 pp.
Table of Contents

Foreword
Acknowledgments

Part 1 Bug Bounty Overview
  1 The Evolution of Bug Bounty Programs
    1.1 Making History
    1.2 Conservative Blockers
    1.3 Increased Threat Actor Activity
    1.4 Security Researcher Scams
    1.5 Applications Are a Small Consideration
    1.6 Enormous Budgetary Requirements
    1.7 Other Security Tooling as a Priority
    1.8 Vulnerability Disclosure Programs vs Bug Bounty Programs
      1.8.1 Vulnerability Disclosure Programs
      1.8.2 Bug Bounty Programs
    1.9 Program Managers
    1.10 The Law
    1.11 Redefining Security Research
    1.12 Taking Action
      1.12.1 Get to Know Security Researchers
      1.12.2 Fair and Just Resolution
      1.12.3 Managing Disclosure
      1.12.4 Corrections
      1.12.5 Specific Community Involvement

Part 2 Evaluating Programs
  2 Assessing Current Vulnerability Management Processes
    2.1 Who Runs a Bug Bounty Program?
    2.2 Determining Security Posture
    2.3 Management
      2.3.1 Software Engineering Teams
      2.3.2 Security Departments (Security Operations, Fraud Prevention, Governance/Risk/Compliance, Edge Controls, Vulnerability Management, Endpoint Detection, and Response)
      2.3.3 Infrastructure Teams
      2.3.4 Legal Department
      2.3.5 Communications Team
    2.4 Important Questions
    2.5 Software Engineering
      2.5.1 Which Processes Are in Place for Secure Coding? Do the Software Engineers Understand the Importance of Mitigating the Risks Associated with Vulnerable Code?
      2.5.2 How Effective Are Current Communication Processes? Will Vulnerabilities Be Quickly Resolved If Brought to Their Attention?
      2.5.3 Is the Breadth of Our Enterprise's Web and Mobile Applications Immense? Which Processes Are Engineers Using for Development in the Software Development Lifecycle?
    2.6 Security Departments
      2.6.1 How Does Security Operations Manage Incidents? Will Employee Assistance Be Provided from the Security Operations Team If a Threat Actor Manages to Exploit an Application Vulnerability? Which Tools Do They Have in Place?
      2.6.2 What Does the Fraud Prevention Team Do to Prevent Malicious Activities? How Many Occurrences Do They See of Issues such as Account Takeover, and Could They Potentially Create Application Vulnerabilities?
      2.6.3 Are There Any Compliance Practices in Place and, If So, How Do They Affect the Vulnerability Management Process? What Does the Application Security Team Have to Do to Assist in Enterprise Compliance?
      2.6.4 What Edge Tooling Is in Place to Prevent Attacks? Are Any of the Enterprise Applications at Risk of Being Exploited due to an IoT (Internet of Things) Device?
      2.6.5 How Often Does Our Vulnerability Management Team Push for Updates? How Does the Vulnerability Management Team Ensure Servers in which Enterprise Applications Reside Are Secure?
    2.7 Infrastructure Teams
      2.7.1 What Are Infrastructure Teams Doing to Ensure Best Security Practices Are Enabled? How Long Will It Take the Infrastructure Team to Resolve a Serious Issue When a Server-side Web Application Is Exploited, or During a Subdomain Takeover Vulnerability?
      2.7.2 Is There Effective Communication between Infrastructure, Vulnerability Management, Security Operations, and Endpoint Detection and Response?
    2.8 Legal Department
      2.8.1 How Well Refined Is the Relationship between the Application Security Team and the Legal Department?
      2.8.2 What Criteria Are/Will Be Set Out for the Escalation of Issues?
      2.8.3 Does the Legal Department Understand the Necessity of Bug Bounty Program Management?
    2.9 Communications Team
      2.9.1 Has the Communications Team Dealt with Security Researchers Before? Is the Importance Understood?
      2.9.2 Was the Communications Team Informed of Bug Bounty Program Expectations?
    2.10 Engineers
    2.11 Program Readiness
  3 Evaluating Program Operations
    3.1 One Size Does Not Fit All
    3.2 Realistic Program Scenarios
    3.3 Ad Hoc Program
    3.4 Note
    3.5 Applied Knowledge
      3.5.1 Applied Knowledge #1
        3.5.1.1 Private Programs
      3.5.2 Applied Knowledge #2
        3.5.2.1 Public Programs
      3.5.3 Applied Knowledge #3
        3.5.3.1 Hybrid Models
    3.6 Crowdsourced Platforms
    3.7 Platform Pricing and Services
    3.8 Managed Services
    3.9 Opting Out of Managed Services
    3.10 On-demand Penetration Tests

Part 3 Program Setup
  4 Defining Program Scope and Bounties
    4.1 What Is a Bounty?
    4.2 Understanding Scope
    4.3 How to Create Scope
      4.3.1 Models
    4.4 Understanding Wildcards
      4.4.1 Subdomain
      4.4.2 Domain
      4.4.3 Specific Domain Path or Specific Subdomain Path
    4.5 Determining Asset Allocation
    4.6 Asset Risk
    4.7 Understanding Out of Scope
    4.8 Vulnerability Types
      4.8.1 Denial of Service (DoS) or Distributed Denial of Service (DDoS) Attacks
      4.8.2 Social Engineering Attacks
      4.8.3 Brute Force or Rate Limiting
      4.8.4 Account and Email Enumeration
      4.8.5 Self-XSS
      4.8.6 Clickjacking
      4.8.7 Miscellaneous
    4.9 When Is an Asset Really Out of Scope?
    4.10 The House Wins - Or Does It?
    4.11 Fair Judgment on Bounties
    4.12 Post-mortem
    4.13 Awareness and Reputational Damage
    4.14 Putting It All Together
    4.15 Bug Bounty Payments
      4.15.1 Determining Payments
      4.15.2 Bonus Payments
      4.15.3 Nonmonetary Rewards
  5 Understanding Safe Harbor and Service Level Agreements
    5.1 What Is "Safe Harbor"?
      5.1.1 The Reality of Safe Harbor
      5.1.2 Fear and Reluctance
      5.1.3 Writing Safe Harbor Agreements
      5.1.4 Example Safe Harbor Agreement
    5.2 Retaliation against a Rogue Researcher (Cybercriminal or Threat/Bad Actor)
    5.3 Service Level Agreements (SLAs)
      5.3.1 Resolution Times
      5.3.2 Triage Times
  6 Program Configuration
    6.1 Understanding Options
    6.2 Bugcrowd
      6.2.1 Creating the Program
      6.2.2 Program Overview
        6.2.2.1 The Program Dashboard
        6.2.2.2 The Crowd Control Navbar
          Summary
          Submissions
          Researchers
          Rewards
          Insights Dashboard
          Reports
      6.2.3 Advanced Program Configuration and Modification
        6.2.3.1 Program Brief
        6.2.3.2 Scope and Rewards
        6.2.3.3 Integrations
        6.2.3.4 Announcements
        6.2.3.5 Manage Team
        6.2.3.6 Submissions
      6.2.4 Profile Settings
        6.2.4.1 The Profile and Account
        6.2.4.2 Security
        6.2.4.3 Notification Settings
        6.2.4.4 API Credentials
      6.2.5 Enterprise "Profile" Settings
        6.2.5.1 Management and Configuration
        6.2.5.2 Organization Details
        6.2.5.3 Team Members
        6.2.5.4 Targets
        6.2.5.5 Authentication
        6.2.5.6 Domains
        6.2.5.7 Accounting
    6.3 HackerOne
      6.3.1 Program Settings
        6.3.1.1 General
        6.3.1.2 Information
        6.3.1.3 Product Edition
        6.3.1.4 Authentication
        6.3.1.5 Verified Domains
        6.3.1.6 Credential Management
        6.3.1.7 Group Management
        6.3.1.8 User Management
        6.3.1.9 Audit Log
      6.3.2 Billing
        6.3.2.1 Overview
        6.3.2.2 Credit Card
        6.3.2.3 Prepayment
      6.3.3 Program
        6.3.3.1 Policy
        6.3.3.2 Scope
        6.3.3.3 Submit Report Form
        6.3.3.4 Response Targets
        6.3.3.5 Metrics Display
        6.3.3.6 Email Notifications
        6.3.3.7 Inbox Views
        6.3.3.8 Disclosure
        6.3.3.9 Custom Fields
        6.3.3.10 Invitations
        6.3.3.11 Submission
        6.3.3.12 Message Hackers
        6.3.3.13 Email Forwarding
        6.3.3.14 Embedded Submission Form
        6.3.3.15 Bounties
        6.3.3.16 Swag
        6.3.3.17 Common Responses
        6.3.3.18 Triggers
        6.3.3.19 Integrations
        6.3.3.20 API
        6.3.3.21 Hackbot
        6.3.3.22 Export Reports
        6.3.3.23 Profile Settings
      6.3.4 Inbox
        6.3.4.1 Report Details
        6.3.4.2 Timeline
    6.4 Summary

Part 4 Vulnerability Reports and Disclosure
  7 Triage and Bug Management
    7.1 Understanding Triage
      7.1.1 Validation
      7.1.2 Lessons Learned
      7.1.3 Vulnerability Mishaps
      7.1.4 Managed Services
      7.1.5 Self-service
    7.2 Bug Management
      7.2.1 Vulnerability Priority
      7.2.2 Vulnerability Examples
        7.2.2.1 Reflected XSS on a Login Portal
          Report and Triage
          Validation
        7.2.2.2 Open Redirect Vulnerability
          Report and Triage
          Validation
        7.2.2.3 Leaked Internal Structured Query Language (SQL) Server Credentials
          Report and Triage
          Validation
    7.3 Answers
      7.3.1 Vulnerability Rating-test Summary
        7.3.1.1 Reflected XSS in a Login Portal
        7.3.1.2 Open Redirect Vulnerability
        7.3.1.3 Leaked Internal SQL Server Credentials
      7.3.2 Complexity vs Rating
      7.3.3 Projected Ratings
      7.3.4 Ticketing and Internal SLA
        7.3.4.1 Creating Tickets
  8 Vulnerability Disclosure Information
    8.1 Understanding Public Disclosure
      8.1.1 Making the Decision
        8.1.1.1 Private Programs
          The Bottom Line
        8.1.1.2 Public Programs
          The Bottom Line
    8.2 CVE Responsibility
      8.2.1 What Are CVEs?
      8.2.2 Program Manager Responsibilities
      8.2.3 Hardware CVEs
      8.2.4 Software and Product CVEs
      8.2.5 Third-party CVEs
    8.3 Submission Options
      8.3.1 In-house Submissions
      8.3.2 Program Managed Submissions and Hands-off Submissions
        8.3.2.1 Program Managed Submissions
        8.3.2.2 Hands-off Submissions

Part 5 Internal and External Communication
  9 Development and Application Security Collaboration
    9.1 Key Role Differences
      9.1.1 Application Security Engineer
      9.1.2 Development
    9.2 Facing a Ticking Clock
    9.3 Meaningful Vulnerability Reporting
    9.4 Communicating Expectations
    9.5 Pushback, Escalations, and Exceptions
      9.5.1 Internal Steps
      9.5.2 External Steps
      9.5.2 Escalations
      9.5.3 Summary
    9.6 Continuous Accountability
      9.6.1 Tracking
      9.6.2 Missed Deadlines
  10 Hacker and Program Interaction Essentials
    10.1 Understanding the Hacker
      10.1.1 Money, Ethics, or Both?
      10.1.2 Case Study Analysis
    10.2 Invalidating False Positives
      10.2.1 Intake Process and Breaking the News
      10.2.2 Dealing with a Toxic Hacker
    10.3 Managed Program Considerations
    10.4 In-house Programs
    10.5 Blackmail or Possible Threat Actor
    10.6 Public Threats or Disclosure
    10.7 Program Warning Messages
    10.8 Threat Actor or Security Researcher?
    10.9 Messaging Researchers
      10.9.1 Security Researcher Interviews
      10.9.2 Bug Bounty Program Manager Interviews
    10.10 Summary

Part 6 Assessments and Expansions
  11 Internal Assessments
    11.1 Introduction to Internal Assessments
    11.2 Proactive vs Reactive Testing
    11.3 Passive Assessments
      11.3.1 Shodan
        11.3.1.1 Using Shodan
      11.3.2 Amass/crt.sh
        11.3.2.1 Amass
        11.3.2.2 crt.sh
    11.4 Active Assessments
      11.4.1 nmapAutomator.sh
      11.4.2 Sn1per
      11.4.3 OWASP ZAP
      11.4.4 Dalfox
      11.4.5 Dirsearch
    11.5 Passive/Active Summary
    11.6 Additional Considerations: Professional Testing and Third-Party Risk
  12 Expanding Scope
    12.1 Communicating with the Team
    12.2 Costs of Expansion
    12.3 When to Expand Scope
    12.4 Alternatives to Scope Expansion
    12.5 Managing Expansion
  13 Public Release
    13.1 Understanding the Public Program
    13.2 The "Right" Time
    13.3 Recommended Release
      13.3.1 Requirements
    13.4 Rolling Backwards
    13.5 Summary

Index
John Jackson is a cyber security professional, hacker, and the founder of the hacking group Sakura Samurai. He is skilled in configuring, managing, and using application security tools and programs, and is an effective leader in the cyber security space. His unique perspective as both an engineer and a security researcher gives him hands-on experience in configuring programs in a way that benefits both organizations and researchers.
1997-2024 DolnySlask.com Agencja Internetowa