Bug Bounty Programs: The Low-Down by Blackhat Pakistan 2023
In this article we will learn about Bug Bounty Programs: The Low-Down.
The global software industry is massive. Enterprise software alone is estimated to be worth $500 billion annually by 2022. Unless we live completely off the grid, every part of our lives and work is affected by software.
And like taxes and death, one thing you can be sure of is that software contains bugs. The commercial life cycle of software is such that you need to get the software to market quickly. It’s first-come, first-served in an industry where innovation is the pinnacle.
Rapidly available software means that the industry has had to develop new ways to speed up the development cycle. Agile development techniques and the use of automation in the testing part of the development cycle helped speed time to market. But software bugs never seem to end: you fix one and introduce another. If you look at the CVE Details data source, which lists the number of reported software vulnerabilities since 1999, you can see that the number of reported vulnerabilities per year has been steadily increasing. In 2017, 14,714 were recorded. By mid-November 2018, it was 14,917.
Keeping up with software testing is a lot of work. Even production versions of software contain bugs – as anyone who uses operating system software will attest. For example, Microsoft Windows and Mac OS have regular software updates that are provided to anyone using a device with the operating systems installed. Microsoft’s “Patch Tuesday” has even entered the common parlance of computer users around the world. And while bugs come in all shapes and sizes, some of the most impressive are security flaws.
To this end, the idea of using a bug bounty program to aid in software testing has become an industry standard. This method helps find those pesky security bugs that slip through the tester’s net.
What are Bug Bounty Programs?
Netscape engineer Jarrett Ridlinghafer was the person who originally came up with the idea for the bug bounty program. The idea he proposed was to reward users across the wider user community for finding security flaws in software products. It’s a simple idea, but one that all the world’s leading software companies would use.
The bug bounty program works something like this:
- The company announces that it is running a bug bounty program.
- The bug bounty program centers around the software product(s) that are the “scope” of the program.
- The program can set program exceptions – you will not be rewarded for finding out-of-scope errors.
- Certain types of software vulnerabilities will be identified as worthy of a reward; for example, the company may want you to focus on finding validation errors.
- Financial rewards will (usually) be presented in advance and may vary based on the type of vulnerability found.
- Other rules of the program will be determined.
- How to report software bugs will be explained — a hacker must follow this protocol when reporting to avoid disqualification.
- If you meet the criteria, you are paid a financial reward.
What are some examples of companies that pay you to find security bugs?
Some organizations will run ongoing bug bounty programs, while others run them ad hoc. Examples of bug bounty programs include:
Hack the Pentagon: This was a three-year white/grey hat hacking initiative that started in 2016 and was run by HackerOne. It was created to find software vulnerabilities on public Department of Defense websites. So far, $75,000 in rewards have been paid out.
Facebook Whitehat: The Facebook bug bounty program was launched in 2011 to find vulnerabilities across the social platform. It offers a minimum reward of $500; the largest prize to date was $20,000, with over $1 million paid out to date.
Google Vulnerability Reward Program (VRP): Google introduced its bug bounty program in 2010. It is an ongoing program that has different rewards depending on the type and location of the vulnerability found. Rewards range from $100 to $31,337.
Stellar Bug Bounty Program: Stellar is a decentralized protocol built for financial transactions. Stellar is based on a digital currency called “Lumen”. Hackers are paid lumens when they find a vulnerability in Stellar’s code or any of their repositories. Stellar uses the OWASP risk score chart to determine the severity of a bug found, which is reflected in the number of points the hacker receives. It ranges from 500 to 25,000 (paid in lumens).
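The OWASP risk rating mentioned above is a small, mechanical calculation, so it is worth seeing it worked through. The following is an added example written for this article; it is not Stellar's own triage code, and the mapping from a severity band to a lumen payout is not on the page, so it is not modelled. The factor names are shorthand for the OWASP Risk Rating Methodology's threat-agent, vulnerability and technical-impact factors, and the sample report scores are constructed.

```python
"""
Added example (not part of the original article or Stellar's own tooling):
a minimal implementation of the OWASP Risk Rating Methodology, the scheme the
article says Stellar uses to decide how severe a reported bug is.

Each factor is scored 0-9. Likelihood is the average of the threat-agent and
vulnerability factors; impact is the average of the technical impact factors.
Each average is bucketed LOW (< 3), MEDIUM (3 to < 6) or HIGH (6 and up), and
the two buckets are combined with OWASP's overall severity matrix.
"""

# Factor names are this example's shorthand for the OWASP factors.
LIKELIHOOD_FACTORS = (
    # threat agent factors
    "skill_level", "motive", "opportunity", "size",
    # vulnerability factors
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
TECHNICAL_IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
)

# OWASP overall risk severity matrix: (likelihood band, impact band) -> severity
SEVERITY_MATRIX = {
    ("LOW", "LOW"): "Note",       ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low",     ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium",    ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
}


def level(score: float) -> str:
    """Bucket a 0-9 average into OWASP's LOW / MEDIUM / HIGH bands."""
    if not 0 <= score <= 9:
        raise ValueError(f"factor average {score} outside 0-9")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(factors: dict, names: tuple) -> float:
    """Average the named factors, refusing incomplete or out-of-range reports."""
    missing = [n for n in names if n not in factors]
    if missing:
        raise KeyError(f"missing factor scores: {missing}")
    for n in names:
        if not 0 <= factors[n] <= 9:
            raise ValueError(f"{n}={factors[n]} must be between 0 and 9")
    return sum(factors[n] for n in names) / len(names)


def rate(factors: dict) -> dict:
    """Return likelihood, impact and the overall OWASP severity for one report."""
    likelihood = average(factors, LIKELIHOOD_FACTORS)
    impact = average(factors, TECHNICAL_IMPACT_FACTORS)
    return {
        "likelihood": round(likelihood, 2),
        "impact": round(impact, 2),
        "severity": SEVERITY_MATRIX[(level(likelihood), level(impact))],
    }


# Constructed sample report: moderately likely to be exploited, serious impact.
SAMPLE_REPORT = {
    "skill_level": 5, "motive": 4, "opportunity": 7, "size": 6,                 # threat agent
    "ease_of_discovery": 3, "ease_of_exploit": 3, "awareness": 4, "intrusion_detection": 8,  # vulnerability
    "loss_of_confidentiality": 7, "loss_of_integrity": 7,
    "loss_of_availability": 5, "loss_of_accountability": 7,                    # technical impact
}

if __name__ == "__main__":
    # Likelihood averages 5.0 (MEDIUM), impact 6.5 (HIGH): overall severity "High".
    print(rate(SAMPLE_REPORT))
```

The point for a triage team is that the two halves are scored independently: a trivially exploitable bug with negligible impact lands in "Note", while a hard-to-reach bug that breaks confidentiality still rates "Medium" or above. The validation in `average` matters in practice because a report missing a factor would otherwise be silently scored as if that factor were zero.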
Microsoft Bug Bounty: Microsoft runs a number of bug bounty programs across its products. These change over time as new products and versions are released. Microsoft has some of the highest paying bug bounties on the bug bounty circuit – the sums offered can be as high as $250,000 for a new exploit. For a reward like this, you have to put in the work, create exploit whitepapers, and be able to demonstrate the innovative novelty of the bug.
Black, gray and white hats of responsible disclosure
The types of people who participate in bug bounty programs are as varied as the bugs themselves. People who find software vulnerabilities and report them directly to the vendor are known as “white-hat hackers”. But it is not just white-hat hackers looking for vulnerabilities in new releases and software products. The white hat’s evil twin, the black hat hacker, also looks for vulnerabilities to exploit. These vulnerabilities will be sold to the highest bidder, usually other criminals. In the case of the (supposedly) less evil middle twin, the gray hat hacker, these vulnerabilities are sold to state actors such as governments.
The idea of responsible disclosure is supported in the bug bounty program. It is a set of rules of engagement that dictate how a white hat hacker should behave when looking for and finding a security flaw. For example, HackerOne sets rules that cover respect, privacy and patience on the part of the hacker. They also publish guidance for the security teams that receive bug reports. These rules include respecting finders and maintaining privacy. There is also a rule that specifically says:
“Do no harm. Do not take unreasonable punitive action against finders, such as threatening legal action or referring matters to law enforcement.”
This creates a safe place for white hat hackers to do their important work.
Lily-White approach to software vulnerabilities
Without the great work of a white hat hacker, our software would be less secure. A white-hat hacker plays an important role in modern software development. Without their input, it is unlikely that a large number of software vulnerabilities could be managed well. The financial incentive for white hats is well worth the cost and allows organizations that tap into the hacking community in this way to benefit from the collective mind of experienced security professionals.
Sources
- Global Enterprise Software Market (By Segment, Industry Verticals, Geography and Vendors) and Forecast to 2022, Orbis Research
- Browse CVE vulnerabilities by date, CVE Details
- Hack the Pentagon, HackerOne
- Whitehat, Facebook
- Google Vulnerability Reward Program Rules, Google
- Bug Bounty Program, Stellar
- OWASP Risk Rating Methodology, OWASP
- Vulnerability Disclosure Guidelines, HackerOne