Security Meetup at the Mail.Ru Group office: how it went



    Hello! My name is Ira, and I'm a release editor at Hacker magazine. In early December I attended the Security Meetup at the Mail.Ru Group office, and I want to share my impressions. The meetup was devoted to bug bounty programs. The first talk was given over a video link by a representative of HackerOne, the well-known international bug bounty platform. She spoke about how companies organize their own bug bounty programs using the service, and how pentesters can improve their skills and earn money there. HackerOne is a genuinely useful thing! First, it makes life easier for the company's representative:
    • information about the bug bounty reaches the target audience quickly and easily (if a site selling, say, embroidery kits puts a bug bounty banner on its front page, it may never hear from a single pentester)
    • there is no need to think about how rewards will reach researchers; HackerOne takes care of the financial side

    Second, the service protects pentesters from unfair treatment by companies. If a hacker finds a vulnerability and the company does not want to pay for it, HackerOne's staff step in and mediate the dispute between the two parties.

    It would have been more logical to schedule this talk after the speakers from Yandex, Mail.Ru Group and Badoo had described the problems they ran into while running their own vulnerability search programs. People who have never been involved in such activity have no idea of the difficulties of running a bug bounty, so it was hard for them to appreciate straight away what they would gain from working with HackerOne.

    Vladimir Dubrovin (Mail.Ru Group) and Taras Ivashchenko (Yandex) talked about the bug bounty programs run by their companies. They pointed out the following difficulties:
    • a huge amount of noise (out of a hundred bug reports, only 3 or 4 are adequate). Hacker's note: spammers get banned on HackerOne, which is another reason to use it.
    • paying out rewards is a very complicated process. Participants come from all over the world, and some of them have neither bank accounts nor e-wallets, so the problem has to be solved individually for each of them.
    • hackers often submit reports on vulnerabilities that someone else has already found before them and demand a reward. Such situations sap the morale of program organizers. But, as a representative of one of the companies put it, "first come, first served" (literally, "whoever got up first gets the slippers").

    From a technical point of view, I found the talk by Ilya Ageev from Badoo the most interesting. Where the previous speakers mostly talked about the general problems of running programs, he went into detail about specific vulnerabilities that had been found. In particular, one of them made it possible to increase a user's balance simply by changing a number in the address bar (I remember that around the turn of 2006 and 2007 VKontakte had a similar vulnerability that let users increase their rating).
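    The balance bug Ilya described is the classic pattern of a server trusting an account identifier and a value taken straight from the URL. The following is an added illustration written for this write-up, not code from the Badoo talk or from the original post; every route, name and piece of sample data in it is hypothetical. It puts a vulnerable top-up handler next to a hardened one that takes the account from the authenticated session and the amount from a single-use, server-side purchase record.

```python
"""Added illustration (hypothetical code, not from the Badoo talk or the original post):
a balance top-up handler that trusts the address bar, next to a hardened version."""
from urllib.parse import parse_qs, urlparse


def make_state():
    """Constructed sample data: two user balances and one unredeemed purchase.
    A purchase record is created server-side after payment is confirmed."""
    return {
        "balances": {"42": 10, "43": 10},
        "purchases": {"tok-abc": {"user_id": "42", "amount": 5, "redeemed": False}},
    }


def _params(url):
    """Flatten the query string of a URL into a dict (last value wins)."""
    return {k: v[-1] for k, v in parse_qs(urlparse(url).query).items()}


def vulnerable_top_up(state, url):
    """Vulnerable pattern: both the target account and the credited amount
    come straight from the URL, so anyone can edit the numbers in the address bar
    and credit any account with any amount."""
    p = _params(url)
    balances = state["balances"]
    balances[p["user_id"]] += int(p["amount"])
    return balances[p["user_id"]]


def hardened_top_up(state, url, session_user_id):
    """Hardened pattern: the account comes from the authenticated session,
    the amount from a server-side purchase record, and the purchase token
    can be redeemed only once. Any 'amount' or 'user_id' in the URL is ignored."""
    p = _params(url)
    purchase = state["purchases"].get(p.get("token", ""))
    if purchase is None or purchase["redeemed"]:
        raise PermissionError("unknown or already redeemed purchase token")
    if purchase["user_id"] != session_user_id:
        raise PermissionError("purchase belongs to another account")
    purchase["redeemed"] = True  # mark before crediting so a replay cannot double-credit
    state["balances"][session_user_id] += purchase["amount"]
    return state["balances"][session_user_id]


if __name__ == "__main__":
    s = make_state()
    # The attacker simply rewrites the amount in the address bar.
    print("vulnerable:", vulnerable_top_up(s, "/balance/add?user_id=42&amount=100000"))
    s = make_state()
    # The same tampered amount is ignored; the server-side record decides.
    print("hardened:", hardened_top_up(s, "/balance/add?token=tok-abc&amount=100000", "42"))
```

    The hardened handler also refuses a token that belongs to a different account and a token that has already been redeemed, which are the two follow-on tricks a tester would try once the obvious amount tampering stops working.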

    Dmitry Bumov was, as always, at his best. He is a great speaker who lights up the whole room with his energy. He talked about his experience of taking part in bug bounty programs (mentioning well-known names such as Facebook and Twitter) and the bugs he found. Dima also gave advice on how to look for vulnerabilities most effectively ("you have to think, rather than pasting scanner output into the bug report"). It is a pity that so little time was given to his talk, but it was a good thing that he was scheduled last: thanks to this ordering of speakers, the audience went home in a light and positive mood.

    A few words about the organization. Attendees were given a T-shirt printed with a pattern of zeros and ones as a gift. I arrived at exactly 19:00, so I managed to get a T-shirt in my size. A separate coffee point was set up for participants, with tea, coffee, cookies and soft drinks. If you know where to go (up the glass stairs opposite the gym), you can also get pumpkin juice and freshly squeezed orange juice.

    The break lasted half an hour, which is enough time to walk around the Mail.Ru Group office. There is plenty to see in this "dream office":
    • a huge TV on the wall with the Silicon Valley series playing continuously (in all my visits to Mail.Ru Group I have never seen anyone watching it :))
    • game tables (table football and the like)
    • privacy nooks: recesses in the walls furnished with sofas and pillows (some seat three comfortably, while in others two people can barely squeeze in... well, only if they really try)
    • an incredible panorama of Moscow from the 26th-floor windows

    Although registration for the meetup was open and attendance was free, there were not many random guests in the room. Most of the people there were familiar to me (Hacker authors, a dozen Mail.Ru Group employees, well-known figures from the Russian infosec community, and people I simply knew from other conferences). But participants had few opportunities for informal communication: the time for questions after the talks was very limited, and only the half-hour break was set aside for socializing.

    This meetup was useful primarily for employees of companies that have run, are running or will run bug bounty programs; they took home genuinely unique and practically useful knowledge. There was unexpectedly little specialized material for pentesters, and some attendees were unhappy about that. However, the content of the talks matched the event announcement, and people knew what they were coming to.

    Video recording of the talks:
