Security Meetup at the Mail.Ru Group office - how it went
Hello! My name is Ira, and I am the publishing editor of Hacker magazine. In early December I visited the Security Meetup at the Mail.Ru Group office and want to share my impressions. The meetup was dedicated to bug bounty programs. The first talk was given, over a video link, by a representative of HackerOne, the well-known international hacker community. She talked about how companies use the service to organize their own bug bounty programs, and how pentesters use it to sharpen their skills and earn money. HackerOne is a useful thing! First, it makes life easier for a company representative:
you can quickly and easily get the news that you are running a bug bounty to the target audience (after all, if a website that sells, say, embroidery kits puts a bug bounty banner on its home page, it may never hear back from a single pentester)
you don't need to think about how the rewards will reach the researchers; HackerOne takes care of the financial side
Secondly, the service protects pentesters from unfair treatment by companies. If a hacker finds a vulnerability and the company does not want to pay for it, the HackerOne staff will step in and mediate the dispute between the two sides. It would have been more logical to give this talk after the speakers from Yandex, Mail.Ru Group and Badoo had described the problems they ran into when running their own vulnerability-search programs. After all, people who have never done this have no idea of the difficulties involved in running a bug bounty, and it was hard for them to immediately appreciate the benefits of working with HackerOne.
Vladimir Dubrovin (Mail.Ru Group) and Taras Ivashchenko (Yandex) talked about the bug bounty programs run by their companies. They noted the following difficulties:
a lot of spam (only 3-4 reports out of every hundred are sound). Note: on HackerOne, spamming "hackers" get banned, which is another reason to use it.
transferring rewards is a very complicated process. Participants come from all over the world, and some of them have neither bank accounts nor e-wallets. Each case has to be solved individually.
hackers often send reports on vulnerabilities that someone else had already found before them and demand a reward. These situations drain the program organizers' morale. But, as a representative of one of the companies put it, "first come, first served".
From a technical point of view, the most interesting talk, to me, was the one by Ilya Ageev from Badoo. Where the previous speakers had talked mostly about the general problems of running a program, he went into detail on the specific vulnerabilities that had been found. In particular, how it was possible to increase a user's balance just by changing a number in the address bar (I remember that around the turn of 2006 and 2007 VKontakte had a similar vulnerability, which let you inflate your rating).
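As an added illustration of the class of bug Ilya described (a number in the URL deciding how much, and whose, balance gets credited), here is a constructed Python example. It is not Badoo's code and not from the talk; the endpoint, the parameter names and the sample data are all assumptions. The vulnerable handler takes the account and the amount from the query string; the hardened one takes both from a server-side payment record tied to the logged-in user and consumes that record once, so the same tampered URL no longer does anything.

```python
"""Added example: a top-up handler that trusts numbers from the URL, next to
a hardened one. Constructed for illustration; not Badoo's code and not from
the talk. Endpoint, parameter names and sample data are assumptions."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse


@dataclass
class Store:
    # user_id -> balance
    balances: dict = field(default_factory=dict)
    # payment_id -> [owner user_id, confirmed amount, already credited?]
    # (written by the server when the payment provider confirms a payment)
    payments: dict = field(default_factory=dict)


def query_params(url):
    """First value of each query parameter, e.g. '?user_id=42&amount=5'."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def topup_vulnerable(store, url):
    """Credits whatever user_id and amount the address bar says."""
    q = query_params(url)
    uid = int(q["user_id"])
    amount = int(q["amount"])
    store.balances[uid] = store.balances.get(uid, 0) + amount
    return store.balances[uid]


def topup_hardened(store, session_user, url):
    """Credits only the logged-in user, only the amount the provider
    confirmed for a payment that user owns, and only once per payment."""
    q = query_params(url)
    rec = store.payments.get(q.get("payment_id"))
    if rec is None:
        raise PermissionError("unknown payment")
    owner, amount, credited = rec
    if owner != session_user:
        raise PermissionError("payment belongs to another user")
    if credited:
        raise PermissionError("payment already credited (replay)")
    if amount <= 0:
        raise ValueError("provider recorded a non-positive amount")
    rec[2] = True  # mark the payment consumed before crediting
    store.balances[session_user] = store.balances.get(session_user, 0) + amount
    return store.balances[session_user]


def demo():
    """Runs both handlers on the same constructed data and returns what happened."""
    results = {}
    # Constructed state: user 42 is logged in and has one confirmed payment of 5.
    store = Store(balances={7: 10, 42: 0}, payments={"p1": [42, 5, False]})
    # Vulnerable: editing the number in the URL credits 1000, and it can
    # even be pointed at someone else's account.
    results["self_inflated"] = topup_vulnerable(
        store, "https://example.test/topup?user_id=42&amount=1000")
    results["other_account"] = topup_vulnerable(
        store, "https://example.test/topup?user_id=7&amount=1000")

    store = Store(balances={7: 10, 42: 0}, payments={"p1": [42, 5, False]})
    # Hardened: the tampered user_id/amount are ignored; only p1's
    # server-side record counts, so user 42 gets exactly 5.
    results["hardened"] = topup_hardened(
        store, 42, "https://example.test/topup?payment_id=p1&user_id=7&amount=1000")
    results["balance_7_untouched"] = store.balances[7]
    # Replaying the same payment_id is refused.
    try:
        topup_hardened(store, 42, "https://example.test/topup?payment_id=p1")
        results["replay_blocked"] = False
    except PermissionError:
        results["replay_blocked"] = True
    # Another user cannot claim 42's payment either.
    try:
        topup_hardened(store, 7, "https://example.test/topup?payment_id=p1")
        results["cross_user_blocked"] = False
    except PermissionError:
        results["cross_user_blocked"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened version is that nothing numeric in the request is trusted: the amount comes from what the payment provider confirmed, the beneficiary is the session user, and the ownership and already-credited checks are what stop both the cross-account variant and a replay of a legitimate top-up URL.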
Dmitry Bumov was on top form, as always. He is a great speaker who lights up the whole room with his energy. He talked about his experience of taking part in bug bounty programs (mentioning well-known names like Facebook, Twitter and so on) and the bugs he found. Dima also gave advice on how to find vulnerabilities most effectively ("You need to think, not just paste scanner output into a bug report"). It's a pity that not enough time was allotted to his talk, but putting him last was a good move. Thanks to this ordering of the speakers, the audience went home in a light and positive mood.
A few words about the organizational side. As a gift, they handed out a t-shirt with a pattern of zeros and ones. I arrived at exactly 19:00 and so managed to get a shirt in my size. A separate coffee point was set up for the participants: tea, coffee, cookies and soda. If you know where to go (up the glass stairs in front of the gym), you can also get pumpkin juice and fresh orange juice.
The break lasted half an hour, which is quite enough to walk around the Mail.Ru Group office. In this "dream office" you can see a lot of interesting things:
a huge wall-sized TV on which the series Silicon Valley was playing non-stop (in all my visits to Mail.Ru Group, I have never seen anyone watching it :))
game tables (foosball and the like)
corners for solitude: recesses in the walls with sofas and cushions in them (some easily fit three people, while in others even two can't squeeze in together ... well, only if you try very hard)
an incredible panorama of Moscow from the windows of the 26th floor
Even though registration for the meetup was open and participation was free, there were not many random guests in the hall. Most of the people in the room were familiar to me (authors from Hacker, half a dozen Mail.Ru Group employees, prominent figures in the Russian information security scene, and simply people I had got to know at other conferences). But there were few opportunities for informal communication: the time for questions after the talks was strictly limited, and only the half-hour break was left for socializing.
This meetup was useful primarily for employees of companies that have run, are running, or will run bug bounty programs. They took away genuinely unique and practically useful knowledge. There was surprisingly little concrete information for pentesters, and some of the audience didn't like that. However, the content of the talks matched the event announcement, and people knew what they were coming to.