BHUSA: Make sure your security bug bounty program doesn’t create a data leak of its own

Researchers, organizations, and bug disclosure platforms can all make enhancements to Help defend consumer data

Make sure your security bug bounty program doesn't create a data leak of its own

Bug bounty applications will be a helpful half of a layered security strategy, however stakeholders have been urged to keep up a tight grip on their data dealing with practices all through the disclosure course of to keep away from creating a data leak of their own.

At Black Hat USA yesterday (August 11), delegates had been advised how analysis oversights and shoddy data governance ideas throughout the bug bounty market have resulted within the leak of customers’ personally identifiable data. And what’s extra, this data is commonly nonetheless out there lengthy after the corresponding ticket has been closed.

RECOMMENDED Black Hat USA: Deliberately weak cloud infrastructure is a pen tester’s playground

In an attention-grabbing presentation, Dylan Ayrey, CEO of Truffle Security (the corporate behind TruffleHog), and Whitney Merrill, data safety officer and lead privateness counsel at software program agency Asana, took a nearer have a look at the potential pitfalls of the bug bounty disclosure course of – beginning with researchers.

Citing real-world examples, Ayrey mentioned that whereas many bug bounty applications prohibit researchers from accessing consumer data, this does nonetheless occur. For occasion, a blind cross-site scripting (XSS) exploit may set off on an administrator endpoint, ensuing within the dump of your entire consumer database.

Data gleaned from bug bounties can find yourself being saved in a wide selection of techniques

This consumer data may then be pushed to varied third-party storage techniques, together with being appended to the bug bounty program’s situation tracker – all of which then turn out to be a potential leak vector of their own.

Scaled up throughout the various tons of of applications on the market, this might end in a wealth of probably delicate data being saved in varied locations for an prolonged interval.

Leave no hint

In addition to unintentional analysis discoveries, Ayrey and Merrill mentioned that organizations and bug bounty platforms are additionally opening the door to leaks by means of their failure to request that bug hunters delete all related data, or by merely leaving the delicate data on file, lengthy after the bug assist ticket has been closed.

Offering recommendation to those that host bug bounty applications, Merrill mentioned: “We’re probably not going to get to ‘perfect’, but we can take incremental steps to move forward. Basic data governance principles and data lifecycle best practises will Help get you there.”

Ayrey added: “These privacy leaks in bug bounties are really common, and for every example that we can share publicly there are 100 examples that can’t be shared publicly. I think it’s time that we start a conversation about it and reduce some of the impact of this.

“We do believe that bug bounties are a positive force for change, and that companies that run bug bounties are in a better place than companies that don’t.”

DON’T MISS New class of HTTP request smuggling assaults showcased at Black Hat USA

Leave a Comment