conf 2018-11-08 14:00 – 14:50 EN

3 years later: a crossed look at Swisscom bounty

Name: Black Alps 2018
Start: 2018-11-08
End: 2018-11-09
Location: Y-PARC, Yverdon-les-Bains

Abstract

3 years after the launch of the bug bounty program at Swisscom it is time to take a step back. This talk starts from the point of view of a (somewhat frustrated) bug hunter and walks back from the launch of the program to the current state. Crossed looks from the company and the researcher outline the difficulties encountered on both sides, shows what improved over time and how. It is a story of collaboration and communication. A second part will disclose some interesting vulnerabilities that were found and fixed through the program. Those are not yet chosen but will probably include RCE, SQLi, prevented data leaks or other high-impact issues.

Speakers

Florian Badertscher

Security Analyst CSIRT

Swisscom

Before joining Swisscom Florian Badertscher worked as penetration tester, security analyst and teacher on various security topics. Working now in the Cyber Defense team of Swisscom he is responsible for Swisscom's Bug Bounty Program beside his duties in incident management and response.

Nicolas Heiniger

IT Security Analyst

Compass Security AG

Nicolas Heiniger is a happy husband and proud father of 3 children. After some years in public health and at an IT service provider, he's now working at Compass Security where he is most interested in web applications and penetration testing. At night, he hacks for fun and bounty.

Talk

3 years later: a crossed look at Swisscom bounty