So, How Do They Affect the Vulnerability Management Process? What Does the Application Security Team Have to Do to Assist in Enterprise Compliance?2.6.4 What Edge Tooling Is in Place to Prevent Attacks? Are Any of the Enterprise Applications at Risk of Being Exploited due to an IoT (Internet of Things) Device?2.6.5 How Often Does Our Vulnerability Management Team Push for Updates? How Does the Vulnerability Management Team Ensure Servers in which Enterprise Applications Reside Are Secure?2.7 Infrastructure Teams2.7.1 What Are Infrastructure Teams Doing to Ensure Best Security Practices Are Enabled? How Long Will It Take the Infrastructure Team to Resolve a Serious Issue When a Server-side Web Application Is Exploited, or During a Subdomain Takeover Vulnerability?2.7.2 Is There Effective Communication between Infrastructure, Vulnerability Management, Security Operations, and Endpoint Detection and Response?2.8 Legal Department2.8.1 How Well Refined is the Relationship between the Application Security Team and the Legal Department?2.8.2 What Criteria Are/Will Be Set Out for the Escalation of Issues?2.8.3 Does the Legal Department Understand the Necessity of Bug Bounty Program Management?2.9 Communications Team2.9.1 Has the Communications Team Dealt with Security Researchers Before? Is the Importance Understood?2.9.2 Was the Communications Team Informed of Bug Bounty Program Expectations?2.10 Engineers2.11 Program Readiness3 Evaluating Program Operations3.1 One Size Does Not Fit All3.2 Realistic Program Scenarios3.3 Ad Hoc Program3.4 Note3.5 Applied Knowledge3.5.1 Applied Knowledge #13.5.1.1 Private Programs3.5.2 Applied Knowledge #23.5.2.1 Public Programs3.5.3 Applied Knowledge #33.5.3.1 Hybrid Models3.6 Crowdsourced Platforms3.7 Platform Pricing and Services3.8 Managed Services3.9 Opting Out of Managed Services3.10 On-demand Penetration Tests8 Part 3 Program Setup4 Defining Program Scope and Bounties4.1 What Is a Bounty?4.2 Understanding Scope4.3 How to Create Scope4.3.1 Models4.4 Understanding Wildcards4.4.1 Subdomain4.4.2 Domain4.4.3 Specific Domain Path or Specific Subdomain Path4.5 Determining Asset Allocation4.6 Asset Risk4.7 Understanding Out of Scope4.8 Vulnerability Types4.8.1 Denial of Service (DOS) or Distributed Denial of Service (DDoS) Attacks4.8.2 Social Engineering Attacks4.8.3 Brute Force or Rate Limiting4.8.4 Account and Email Enumeration4.8.5 Self-XSS4.8.6 Clickjacking4.8.7 Miscellaneous4.9 When Is an Asset Really Out of Scope?4.10 The House Wins – Or Does It?4.11 Fair Judgment on Bounties4.12 Post-mortem4.13 Awareness and Reputational Damage4.14 Putting It All Together4.15 Bug Bounty Payments4.15.1 Determining Payments4.15.2 Bonus Payments4.15.3 Nonmonetary Rewards5 Understanding Safe Harbor and Service Level Agreements5.1 What Is “Safe Harbor”?5.1.1 The Reality of Safe Harbor5.1.2 Fear and Reluctance5.1.3 Writing Safe Harbor Agreements5.1.4 Example Safe Harbor Agreement5.2 Retaliation against a Rogue Researcher (Cybercriminal or Threat/Bad Actor)5.3 Service Level Agreements (SLAs)5.3.1 Resolution Times5.3.2 Triage Times6 Program Configuration6.1 Understanding Options6.2 Bugcrowd6.2.1 Creating the Program6.2.2 Program Overview6.2.2.1 The Program Dashboard6.2.2.2 The Crowd Control NavbarSummarySubmissionsResearchersRewardsInsights DashboardReports6.2.3 Advanced Program Configuration and Modification6.2.3.1 Program Brief6.2.3.2 Scope and Rewards6.2.3.3 Integrations6.2.3.4 Announcements6.2.3.5 Manage Team6.2.3.6 Submissions6.2.4 Profile Settings6.2.4.1 The Profile and Account6.2.4.2 Security6.2.4.3 Notification Settings6.2.4.4 API Credentials6.2.5 Enterprise “Profile” Settings6.2.5.1 Management and Configuration6.2.5.2 Organization Details6.2.5.3 Team Members6.2.5.4 Targets6.2.5.5 Authentication6.2.5.6 Domains6.2.5.7 Accounting6.3 HackerOne6.3.1 Program Settings6.3.1.1 General6.3.1.2 Information6.3.1.3 Product Edition6.3.1.4 Authentication6.3.1.5 Verified Domains6.3.1.6 Credential Management6.3.1.7 Group Management6.3.1.8 User Management6.3.1.9 Audit Log6.3.2 Billing6.3.2.1 Overview6.3.2.2 Credit Card6.3.2.3 Prepayment6.3.3 Program6.3.3.1 Policy6.3.3.2 Scope6.3.3.3 Submit Report Form6.3.3.4 Response Targets6.3.3.5 Metrics Display6.3.3.6 Email Notifications6.3.3.7 Inbox Views6.3.3.8 Disclosure6.3.3.9 Custom Fields6.3.3.10 Invitations6.3.3.11 Submission6.3.3.12 Message Hackers6.3.3.13 Email Forwarding6.3.3.14 Embedded Submission Form6.3.3.15 Bounties6.3.3.16 Swag6.3.3.17 Common Responses6.3.3.18 Triggers6.3.3.19 Integrations6.3.3.20 API6.3.3.21 Hackbot6.3.3.22 Export Reports6.3.3.23 Profile Settings6.3.4 Inbox6.3.4.1 Report Details6.3.4.2 Timeline6.4 Summary
9 Part 4 Vulnerability Reports and Disclosure7 Triage and Bug Management7.1 Understanding Triage7.1.1 Validation7.1.2 Lessons Learned7.1.3 Vulnerability Mishaps7.1.4 Managed Services7.1.5 Self-service7.2 Bug Management7.2.1 Vulnerability Priority7.2.2 Vulnerability Examples7.2.2.1 Reflected XSS on a login portalReport and TriageValidation7.2.2.2 Open redirect vulnerabilityReport and TriageValidation7.2.2.3 Leaked internal Structured Query Language (SQL) server credentialsReport and TriageValidation7.3 Answers7.3.1 Vulnerability Rating-test Summary7.3.1.1 Reflected XSS in a login portal7.3.1.2 Open redirect vulnerability7.3.1.3 Leaked internal SQL server credentials7.3.2 Complexity vs Rating7.3.3 Projected Ratings7.3.4 Ticketing and Internal SLA7.3.4.1 Creating Tickets8 Vulnerability Disclosure Information8.1 Understanding Public Disclosure8.1.1 Making the Decision8.1.1.1 Private ProgramsThe Bottom Line8.1.1.2 Public ProgramsThe Bottom Line8.2 CVE Responsibility8.2.1 What are CVEs?8.2.2 Program Manager Responsibilities8.2.3 Hardware CVEs8.2.4 Software and Product CVEs8.2.5 Third-party CVEs8.3 Submission Options8.3.1 In-house Submissions8.3.2 Program Managed Submissions and Hands-off Submissions8.3.2.1 Program Managed Submissions8.3.2.2 Hands-off Submissions
10 Part 5 Internal and External Communication9 Development and Application Security Collaboration9.1 Key Role Differences9.1.1 Application Security Engineer9.1.2 Development9.2 Facing a Ticking Clock9.3 Meaningful Vulnerability Reporting9.4 Communicating Expectations9.5 Pushback, Escalations, and Exceptions9.5.1 Internal steps9.5.2 External steps9.5.2 Escalations9.5.3 Summary9.6 Continuous Accountability9.6.1 Tracking9.6.2 Missed Deadlines10 Hacker and Program Interaction Essentials10.1 Understanding the Hacker10.1.1 Money, Ethics, or Both?10.1.2 Case Study Analysis10.2 Invalidating False Positives10.2.1 Intake Process and Breaking the News10.2.2 Dealing with a Toxic Hacker10.3 Managed Program Considerations10.4 In-house Programs10.5 Blackmail or Possible Threat Actor10.6 Public Threats or Disclosure10.7 Program Warning Messages10.8 Threat Actor or Security Researcher?10.9 Messaging Researchers10.9.1 Security Researcher Interviews10.9.2 Bug Bounty Program Manager Interviews10.10 Summary
11 Part 6 Assessments and Expansions11 Internal Assessments11.1 Introduction to Internal Assessments11.2 Proactive Vs Reactive Testing11.3 Passive Assessments11.3.1 Shodan11.3.1.1 Using Shodan11.3.2 Amass/crt.sh11.3.2.1 Amass11.3.2.2 crt.sh11.4 Active Assessments11.4.1 nmapAutomator.sh11.4.2 Sn1per11.4.3 Owasp Zap11.4.4 Dalfox11.4.5 Dirsearch11.5 Passive/Active Summary11.6 Additional Considerations: Professional Testing and Third-Party Risk12 Expanding Scope12.1 Communicating with the Team12.2 Costs of Expansion12.3 When to Expand Scope12.4 Alternatives to Scope Expansion12.5 Managing Expansion13 Public Release13.1 Understanding the Public Program13.2 The “Right” Time13.3 Recommended Release13.3.1 Requirements13.4 Rolling Backwards13.5 Summary
12 Index
List
