1
00:00:01,410 --> 00:00:02,140
Hello, everyone.

2
00:00:02,910 --> 00:00:11,580
So in this video, we're going to see bug bounty reporting on NCIIPC.

3
00:00:12,390 --> 00:00:19,650
So basically, NCIIPC is a unit of NTRO, that is, the National Technical Research Organisation,

4
00:00:19,650 --> 00:00:20,680
Government of India.

5
00:00:21,420 --> 00:00:31,620
So this is an initiative by the Government of India wherein security researchers from India as well as the world

6
00:00:32,070 --> 00:00:42,570
can report valid security vulnerabilities to NCIIPC and can contribute to making India's critical infrastructure

7
00:00:42,570 --> 00:00:43,050
safe.

8
00:00:44,400 --> 00:00:54,720
So if you are able to find any valid vulnerability in any critical infrastructure or any government

9
00:00:54,720 --> 00:01:03,120
website, then you can report it to NCIIPC. Based on your report, they will verify and they will acknowledge

10
00:01:03,130 --> 00:01:07,560
you, whether you have sent a right report or not.

11
00:01:07,770 --> 00:01:12,810
If you have sent a valid report, they will acknowledge you with appreciation.

12
00:01:14,430 --> 00:01:22,410
So NCIIPC is an important part for reporting vulnerabilities to secure our nation.

13
00:01:23,280 --> 00:01:24,180
So let's see this.

14
00:01:24,300 --> 00:01:25,700
How can we do this?

15
00:01:27,180 --> 00:01:34,800
So you just have to type nciipc.gov.in and log on to this website.

16
00:01:35,400 --> 00:01:39,270
After logging on to this website, you just have to scroll down.

17
00:01:39,660 --> 00:01:43,290
You can read about the mission and everything.

18
00:01:43,590 --> 00:01:50,040
These are the newsletters. We are going to come to the newsletters and we are going to see what the newsletters are.

19
00:01:50,440 --> 00:01:57,670
These are the updates they keep on giving on Twitter. Vulnerability Disclosure, wherein we can send

20
00:01:57,670 --> 00:01:58,320
a report.
21
00:01:58,870 --> 00:02:04,710
If you see at the bottom of the page, Vulnerability Disclosure, they have given an email address that

22
00:02:04,710 --> 00:02:09,110
is rvdp@nciipc.gov.in.

23
00:02:09,120 --> 00:02:15,090
And so this is the email address where we are going to send all of our security reports.

24
00:02:15,810 --> 00:02:22,350
Any vulnerability that you find in the application of any government website needs to be sent over

25
00:02:22,350 --> 00:02:22,630
here.

26
00:02:25,230 --> 00:02:25,760
Perfect.

27
00:02:25,790 --> 00:02:33,450
So I'm just going to share a report which was shared to NCIIPC by my student.

28
00:02:33,960 --> 00:02:38,640
So this report was an XSS vulnerability on [inaudible].

29
00:02:38,650 --> 00:02:47,370
And so now you will see how to write an email to report to them, as well as how to write a good report.

30
00:02:47,730 --> 00:02:52,080
And what are the important steps your report should cover and not miss?

31
00:02:52,950 --> 00:03:00,900
So as you can see, the subject line should contain "Responsible Disclosure Report",

32
00:03:01,710 --> 00:03:09,060
as well as the subject line should contain what the vulnerability is and on what website you have found

33
00:03:09,060 --> 00:03:09,990
this vulnerability.

34
00:03:13,030 --> 00:03:23,770
This report needs to be sent to RVDP. As you can see, this is the body and this is the report

35
00:03:23,770 --> 00:03:24,900
which was attached.

36
00:03:25,240 --> 00:03:29,650
So as you can see in this report, there is a summary of XSS.

37
00:03:29,710 --> 00:03:40,030
So basically, what XSS is and a description of XSS, the severity as high, as we can see.

38
00:03:40,930 --> 00:03:42,890
And next is the payload.

39
00:03:43,090 --> 00:03:48,210
So what is the payload that is allowing us to trigger the XSS?
40
00:03:48,220 --> 00:03:55,020
As you can see, an interesting payload to bypass [inaudible], which is HTML encoding. Complexity:

41
00:03:55,130 --> 00:03:55,550
Easy.

42
00:03:55,990 --> 00:03:58,820
We have done this attack from remote, external.

43
00:03:59,140 --> 00:04:00,370
What is the impact?

44
00:04:01,610 --> 00:04:04,230
What are the affected URLs as well? [inaudible]

45
00:04:04,260 --> 00:04:07,190
.gov.in, that URL itself.

46
00:04:07,630 --> 00:04:09,150
What are the recommendations?

47
00:04:09,430 --> 00:04:11,620
And lastly, what are the references?

48
00:04:15,700 --> 00:04:16,250
Perfect.

49
00:04:16,630 --> 00:04:20,570
So as you can see over here, these things should be included in our report.

50
00:04:21,730 --> 00:04:30,430
Do not worry, I'm going to share this report template in the description so you guys can also utilize

51
00:04:30,430 --> 00:04:31,180
this report.

52
00:04:32,200 --> 00:04:35,320
Now, the most important part is the proof of concept.

53
00:04:35,650 --> 00:04:42,130
As you can see, this is the PoC, which shows that XSS happened over here.

54
00:04:43,780 --> 00:04:47,920
The [inaudible] on the web application.

55
00:04:49,240 --> 00:04:53,170
The payload again, which caused the XSS to happen.

56
00:04:57,900 --> 00:05:02,500
Again, a PoC from the source code and again, the same payload.

57
00:05:04,980 --> 00:05:11,370
So I hope you guys understood how you can write a good report which contains all the necessary information

58
00:05:11,640 --> 00:05:15,420
that needs to be sent to this e-mail address.

59
00:05:15,750 --> 00:05:21,810
And the e-mail address is rvdp@nciipc.gov.in.

60
00:05:21,810 --> 00:05:26,760
And so you need to shoot the email to this security email.
61
00:05:41,400 --> 00:05:49,770
Yeah, so when you have sent the email to them, they will acknowledge you within 24 hours. Based on your

62
00:05:49,770 --> 00:05:53,910
report, they will tell you whether it is a valid report or an invalid report.

63
00:05:57,960 --> 00:06:04,160
Now, let's go to the NCIIPC page, and here the interesting thing is the newsletters.

64
00:06:04,200 --> 00:06:09,530
So I'm just going to click the April 2020 newsletter, which is the latest newsletter.

65
00:06:10,830 --> 00:06:19,650
So whenever security researchers report vulnerabilities to NCIIPC, they release a newsletter

66
00:06:19,650 --> 00:06:23,400
every quarter, that is, every three months.

67
00:06:24,720 --> 00:06:33,930
And they list down the top security researchers of the country who have sent in a valid report. The

68
00:06:33,930 --> 00:06:41,010
maximum valid reports that you send increases the chances of your name appearing in this newsletter

69
00:06:41,130 --> 00:06:44,010
and in the top security researchers' report.

70
00:06:44,910 --> 00:06:48,030
So, as you can see, this is the report.

71
00:06:48,030 --> 00:06:49,440
I will just scroll down.

72
00:06:49,440 --> 00:06:55,400
You can read many things from their articles and news.

73
00:06:55,680 --> 00:07:03,560
So basically, I will come down to the NCIIPC Responsible Vulnerability Disclosure Program over

74
00:07:03,570 --> 00:07:03,830
here.

75
00:07:03,840 --> 00:07:07,330
You can see the name, that is Karthick.

76
00:07:08,280 --> 00:07:15,180
So these are the top 15 security researchers, and they acknowledge them for their contributions during

77
00:07:15,180 --> 00:07:18,360
December 2019 to February 2020.

78
00:07:18,720 --> 00:07:19,210
Perfect.

79
00:07:20,580 --> 00:07:28,500
So the first student, this is my student whom I have trained, has appeared in the NCIIPC

80
00:07:28,500 --> 00:07:29,200
newsletter.
81
00:07:30,000 --> 00:07:33,840
This is the second student, which is [name unclear], again.

82
00:07:33,840 --> 00:07:42,630
I have trained her, who has appeared in the newsletter, and there is one more student, [name unclear].

83
00:07:42,630 --> 00:07:50,610
I have trained her too for bug bounty hunting, and these three students have been included in the top

84
00:07:50,610 --> 00:07:52,250
15 security researchers.

85
00:07:54,930 --> 00:08:01,350
Similarly, if you see the other newsletters also, my students have been in the top 15 security researchers

86
00:08:01,830 --> 00:08:04,080
newsletter list [inaudible].

87
00:08:07,150 --> 00:08:15,220
So I hope you guys understood how you can report vulnerabilities to NCIIPC, how they will acknowledge

88
00:08:15,220 --> 00:08:20,720
you, how you can write a good report and how you can see your name in the newsletter.

89
00:08:21,880 --> 00:08:23,290
So I hope you guys understood.

90
00:08:24,420 --> 00:08:24,990
Thank you.