Trainings


Bug Bounty Operations - An Inside Look

Bug bounties are increasingly viewed as part of an effective AppSec program for companies, as well as a means for skilled security researchers to raise their community profile and profit personally. Join us for a view into the inner workings of a managed bug bounty program. In this presentation we'll discuss what happens behind the scenes, including: how the analyst reviews reports, the types of customer audiences, and internal priorities. Use your security researcher talents together with this presentation's information to increase your bounty success!

Running time: 1hr.

Trainer: Ryan Black

Ryan Black is the Director of Technical Operations at Bugcrowd where he heads strategy and operations for the Application Security Engineering team. This group reviews and validates tens of thousands of vulnerability reports to bug bounty programs.

Prior to joining Bugcrowd, Ryan developed and led the static analysis and code review team for HP Fortify on Demand, later expanding into DevOps tooling and integrations for the enterprise. He has also held various InfoSec and technology positions at companies such as Aflac and Apple over the last decade. In addition to his professional experience, he holds several industry certifications and participates in a variety of open source software projects and initiatives. In his personal time he enjoys coding, gaming, various crafts, and nature activities with his wife, two kids, and three dogs.



Discovery: expanding your scope like a boss

Whether you do wide-scope pentesting or bounty hunting, domain discovery is the first method of expanding your scope. Join Jason as he walks you through his tool chain for in-depth discovery, including:

Subdomain scraping
Subdomain bruteforce
ASN discovery
Permutation scanning
Port scanning
Discovering Unknown content
Docker automation
and more!

Running time: 1hr.

Trainer: Jason Haddix

Jason Haddix is the Head of Trust and Security at Bugcrowd. At Bugcrowd Jason works with customers, operations, and engineering to design enterprise ready, seamless, bug bounty and responsible disclosure programs. Jason's interests and areas of expertise include mobile penetration testing, black box web application auditing, network/infrastructure security assessments, and static analysis. Jason lives in Santa Barbara with his wife and three children. Before joining Bugcrowd Jason was the Director of Penetration Testing for HP Fortify and held the #1 rank on the Bugcrowd researcher leaderboard for 2014/2015.



Hacking 101

This 4-hour training is geared towards those starting an Information Security career, those looking to spark a basic interest, or those simply curious about hacking and hackers.

This training will give the audience an introduction to hacking and its solid foundations.

Running time: 2 hrs / day for two days.

Trainer: Sherwin De Claro

Sherwin De Claro is a highly decorated Information Security Professional and Certified Ethical Hacker, now playing the role of "Senior Information Security Officer" for one of the government agencies that receives the highest number of cyber-attack attempts, both foreign and domestic. As Sr. ISO, he advises the institution on how to protect against and prevent attacks on, or exploitation of, its information and network resources through Information Security Management, Vulnerability Management, Risk Management, Infrastructure Management and Enterprise Architecture.



Network Forensics

Network forensics deals with the capture, recording and analysis of network traffic and events in order to discover information about the source of security events or attacks. This training will give an overview of the tools and techniques used for real world traffic analysis.

Running time: 2 hrs.

Trainer: Raymond Nunez

Mon provides security consulting with a special focus on the financial services, government systems, and telecommunications industries, while teaching Computer and Network Security to graduate students at UP Diliman. He is currently pursuing his PhD in Computer Science at the University of the Philippines, Diliman, majoring in Security and researching Wireless Networks, Software Defined Radio (SDR), Software Defined Networks (SDN), and Hypervisor Security.

Just this August, he and his teammate Siege won the much coveted DEF CON Black Badge for winning the CTP Contest. Aside from bragging rights, they now have free entry to DEF CON for life. Mon regularly takes certifications such as GSEC, GNFA, GWAPT, GCIH, GASF, CISA, CISM, CICP, among others, as a form of entertainment.



The Bug Hunters Methodology 2.0

It's been two years since the original "The Bug Hunters Methodology". This year TBHM will be getting a complete overhaul, including tools, methods, and detection logic for several classes of vulnerabilities that are relevant to anyone security testing web applications. Join Jason as he goes over advances in the areas of:

Target discovery
SSRF
SSTI
API testing
SQLi
XXE
and more!

Running time: 1hr.

Trainer: Jason Haddix

Jason Haddix is the Head of Trust and Security at Bugcrowd. At Bugcrowd Jason works with customers, operations, and engineering to design enterprise ready, seamless, bug bounty and responsible disclosure programs. Jason's interests and areas of expertise include mobile penetration testing, black box web application auditing, network/infrastructure security assessments, and static analysis. Jason lives in Santa Barbara with his wife and three children. Before joining Bugcrowd Jason was the Director of Penetration Testing for HP Fortify and held the #1 rank on the Bugcrowd researcher leaderboard for 2014/2015.



Starting Your Bug Hunting Career Now

It happened again today. Another security researcher has bagged $5k for a bug he reported to a certain company. It's all over Facebook and Twitter: "19 year old bug hunter finds a Remote Code Execution in an XYZ company". Another bug was released on full disclosure today to the security mailing lists and Twitter, but it was not rewarded. It could have been a big scoop for a reward, plus he could have cooperated with the company without legal threats. He should have adhered to responsible disclosure. It's not too late for a certain individual like you whose crime is that of curiosity. Start bug hunting now and jumpstart your career. Hack the planet legally and join me in this talk! Together, we will demystify what bug hunting is and how to start your bug hunting career. I am a security researcher and an application security engineer; this is my manifesto. Nobody can stop me, and nobody can certainly stop us all.

Running time: 1hr.

Trainer: Jay Turla

Jay Turla is an application security engineer at Bugcrowd Inc., and one of the goons of ROOTCON. He has been acknowledged and rewarded by Facebook, Adobe, Yahoo, Microsoft, Mozilla, etc. for his responsible disclosures. He has also contributed auxiliary and exploit modules to the Metasploit Framework and presented at ROOTCON, Nullcon, and TCON. He used to work for HP Fortify, where he performed Vulnerability Assessment, Remediation and Advanced Testing.