OWASP Poland – Secrets of Google VRP

We have seized the opportunity that our colleague - Krzysztof Kotowicz from Google Security Team is in a town for few days and we are organizing meeting with him. The topic of this meeting is Google Vulnerability Reward Program. Tons of practical info for bug bounters, for companies who want to organize similar programs, but also for general app-sec enthusiasts who will learn how to evaluate importance of the bug. Secrets of Google VRP. The bug hunter's guide to sending great bugs - Krzysztof Kotowicz, Google Security Team Did you ever want to know how a CSRF may be more dangerous than a stack buffer overflow? Are you curious what makes a bug critical? Have you ever wondered why Google Security Bot doesn't pay for open redirects, and not every XSS is the same? During this workshop, you'll get to know the answer to those questions - and all other secrets of the Google VRP too. You'll see how Google Security Team evaluates the incoming vulnerability reports, what do we focus on, and how to make our day by sending us a great bug. Several examples of vulnerabilities sent to our VRP will be presented - both successful submissions and rejected ones. We'll talk extensively about the differences between those to help you find and report the bugs worth your time. We'll discuss various OWASP Top 10 vulnerability types and how do they relate to Google VRP rules. Come to the workshop, talk to us and learn how to become one of the top bughunters!"