We’ve often had the opportunity to hear about bug hunting and bug bounty programs from the researcher perspective, or in the form of sales pitches from companies that help build programs, but we less often hear from the people whose main job is running those programs. In this talk we’ll explore the ins and outs of GitHub’s Bug Bounty program, along with advice for those working in BB/VDP programs or submitting bounty reports.
GitHub’s Bug Bounty program is often noted as being a leader in bug bounty – an early adopter, consistently offering generous awards with clear scoping. In addition to having a dedicated team to work with researchers, we’ve helped host three live hacking events with HackerOne, and have paid out over $3,400,000 USD in bounties since the inception of our program in January 2014.
I’ll aim to cover:
– An overview of GitHub’s Bug Bounty program, including our payout strategies, key milestones, and lessons learned
– How GitHub handles report triage and severity assignment, including our tooling and automation
– How GitHub’s bounty team interacts with researchers and aims to more deeply understand and analyze bug reports
– Operational considerations of working with SaaS and on-premise products that share a code base
– Our report/vulnerability disclosure practices and why we do things the way we do
– Bug bounty triage as a job & career stepping stone
– Tips for researchers, bounty staff, and program owners
Attendees should walk away from this talk with a better understanding of GitHub’s lessons learned from running a bug bounty program, the nuances and challenges that triagers and engineers face when working with bounty reports, and how to improve their ROI when working on or with bounty programs.
The challenges facing today’s CISO and corporate cyber teams are daunting. Cyber security partners now number in the hundreds, and product options seem to be ten times that. The only thing that is certain is that the number of threats and attacks is increasing at an alarming rate. There was a time when you could build or hire a SOC to monitor your environment and, once connected, sleep well at night knowing that there was a watchful eye on your corporate environment. Today, however, attackers can identify a new exposure and act on it before most organizations even know that they are exposed. This session looks at this situation through the eyes of a security professional charged with protecting their global operations, and will talk about creating an Active Defence program that goes beyond a traditional SIEM to proactively ensure that you are protected against both basic and advanced threats.
Clouds, Clouds – everywhere there are Clouds! Built-in cloud-based controls only go so far and may be limited in capabilities. With multi-cloud deployments, these technologies become fragmented and add an extra layer of complexity. In this action-packed session, we will discuss the security capabilities offered by cloud service providers and how to systematically determine the right controls to secure the cloud environment, while empowering practitioners with the ability to stretch these capabilities. This includes coverage across multi-cloud, on-premises, and SaaS-based environments, reducing the overall complexity. Clouds inherently have a better security footprint out of the gate compared to traditional environments, but these controls can quickly become complex and fragmented, increasing operational overhead in a multi-IT environment, and may in fact increase an organization’s overall risk. Stepping back and understanding the capabilities, the complexities, and the overall risk for each use case allows practitioners to build comprehensive security solutions that are resilient. We will review the capabilities in general and the typical controls required, and then review a fictitious breach that highlights the challenges for practitioners. We will then provide a use-case-based methodology for building security solutions with broader coverage that simplify the overall solution.
With recent advancements in both the academic and commercial spaces, quantum computing is going to revolutionize the Information Technology space and pose the single biggest challenge for cyber security practitioners within the next two to five years. Recently the US government, through the National Institute of Standards and Technology (NIST), released four public quantum-resistant cryptographic algorithms. How are these new algorithms going to be used, what questions do they answer, and what effects are they going to have on both an organization’s security architecture and security teams’ day-to-day operations? This presentation will answer these questions.
The presentation starts by explaining the monumental consequences that Shor’s algorithm has unleashed on current cyber security practices. Then the presentation explains, in a hopefully humorous manner, what quantum mechanics is and how quantum mechanics is implemented in quantum computing. The presentation then focuses on quantum encryption and quantum attacks. After that, the presentation shows how encryption algorithms can be made quantum resistant and how a quantum-resistant algorithm differs from normal encryption algorithms. This then leads to a discussion of the recently released NIST post-quantum algorithms.
By attending this brief, cyber security practitioners and professionals will understand how quantum computing works, how quantum computing will be used against a network, and what tools are available to defend against quantum attacks (for example, the NIST post-quantum algorithms). Since organizations’ security architectures and postures usually take time to change, this brief will give practical steps that both an individual and an organization can take to be ready for the quantum threat.
Training a model using Natural Language Processing (NLP) is challenging. Training one adapted to the unique vocabulary of malicious actors is even more difficult. This complex process highlights the need for a continuously adaptive lexicon able to follow new trends in illicit communities.
To overcome the challenge of the distinct vocabulary used by malicious actors, we’ve created and made public the first open-source tokenizer trained on a corpus containing years of content from interactions on the Dark Web. The tokenizer and lexicon are in Byte-Pair-Encoding format and will be available on GitHub.
We will demonstrate two applications of this model to real-world challenges and highlight some of the insights they produced. First, we will demonstrate how the ML auto-extractor is able to extract content from a wide variety of illicit forums without human configuration. Then, we will show how we were able to group multiple actors’ monikers based on their writing style.
What you will learn during this talk:
How to avoid the pitfalls when training NLP on slang and jargon.
How to continuously adapt the lexicon to follow new trends in illicit communities.
With the release of this open-source model, malware researchers and threat hunters will be able to automate interactions with cybercriminals, support infiltration engagements, and analyze communications and data leaks. Additionally, by constantly updating the lexicon based on cybercriminals’ interactions, the model allows researchers to discover and track rising trends.