Cybercrime is on the rise, the reasons for it include:
- Cybercriminals are getting more sophisticated.
- A lot of organizations across industries are getting into the technology space.
- New data-driven businesses are on the rise too.
How can it be countered? How can companies ensure that they are protected? Well, one way is to hire hackers. Over the past few years, corporations have turned to Bug Bounty programs to discover security weaknesses in their applications that would’ve otherwise slipped through the cracks, thus enabling them to resolve the bugs before the general public is made aware or harmed by them. In this post I will show you:
- What bug bounties are?
- How do they work?
- 06 bug bounty programs you can take part in yourself
- Advantages and disadvantages of bug bounties
- A look at a few of the biggest payouts yet in the bountiful field of bug bounties.
Let’s begin.
What is bug bounty?
A Bug bounty is a name given to a deal where ethical hackers find “bugs” in a piece of program in exchange for money, recognition, or both.
Think of it as offering a prize to anyone who can find software and configuration errors (that can slip past developers and security teams) so that they can be fixed before they become an issue.
By December ’18, over hundred-thousand total vulnerabilities have been submitted, and forty-two million dollars have been paid out. In 2018 alone, an estimated nineteen million dollars was rewarded, which is more than all of the previous years combined. Cross-site scripting was the most reported vulnerability, followed by improper authentication, with a high number of big payouts recorded in the financial services and insurance sectors.
Bug bounties were given out by businesses that usually have strict rules which need compliance to be accepted or considered eligible for payment. This not only protects the company from spam but also makes it easier to fix any issues which are identified.
E.g., one common rule is that any bug found should not be shared with anyone else until the company offering the bounty has been informed. That way, the vulnerability can be fixed before others know it’s there.
Let’s take a look at Bug bounty lifecycle:
- Bug bounty brief
First, a company chooses a bounty program and platform. Once it has done that, then it creates a brief that describes the rules of engagement for researchers. It includes detailed info about the company, what to find, and what not to notice, pricing level, and so forth.
- Program launch
After publishing the brief on a bounty page, the company conducts marketing activities to attract white-hat hackers to their program.
- Start of the program
After this, hackers start to work on the software, detect the bugs, and report them. Their reports should reveal how to exploit the discovered vulnerabilities and be submitted through the company’s site.
- Triage team stage
The bug bounty platform must include an in-house cybersecurity triage team, who can verify reported bugs and define what level of security the organization needs.
- Fixing the bugs
After the company receives a report detailing a bug and how to fix it, the researcher who found it should receive a payment, along with reputation points on the platform.
6 Bug bounty programs you can take part in:
- 1Password
Link: https://bugcrowd.com/agilebits
This program comes with an official warning that it is “not” an easy target. And it makes sense since it’s a password storage app, so one can understand why their security would not be easy to break into.
However, 1Password does provide access to a research vault containing info to help researchers find security issues.
You’ll get rewarded depending on the severity of the issue you found. Their top hundred grand prizes are only awarded for finding the ‘unencrypted “bad poetry” flag,’ but for most, it will be less about money and more about the challenge. So go for it if you think you’re up to it.
- Apple
Apple’s bug bounty program was launched in ’16. Having started with only twelve appointed researchers, this program is an exclusive club; it’s unlikely that you’ll get into the program by merely submitting a bug through their support channel.
This invite-only program rewards its researchers with as minimum as $25000, which shows showing the kind of money bug bounties can payout at the top end.
- Blockchain
Link: https://hackerone.com/blockchain
There is a dire need for security in these lucrative cryptocurrency markets, and Blockchain has a bug bounty program in place to help boost their efforts.
With an average bounty of hundred dollars, an average response time of four hours, and an average of twenty-one hours until the bounty is awarded, Blockchain treats their researchers’ time with respect. That is, as long as you meet their rules when submitting your bug.
- Dropbox
Link: https://hackerone.com/dropbox
Dropbox is another case of bug bounty researchers treading a fine line with the companies they’re testing.
If you’re tired of trying to submit bug bounties, only to be rejected due to the company not making their rules clear enough, there is no better place than this, with the most significant rules and exceptions list, Dropbox makes their rules very clear.
Also, Dropbox makes it very clear that no user data should be accessed and, if it is, the company should be notified as-soon-as-possible and the data not examined, altered or otherwise interfered with.
Other than that, their bug bounties are a more than acceptable choice if you’re trying to earn a living doing this full-time.
Link: https://www.facebook.com/whitehat
Facebook’s bug bounty program is the most accessible, allowing anyone to submit bugs through their premade form. As long as the vulnerability is of a reasonable level of importance and your submission meets their rules, the minimum bounty payout is a tidy $500.
They also list every researcher who received a payout for submitting a bug on their thanks page.
- Mozilla
Link: https://www.mozilla.org/en-US/security/bug-bounty/
Mozilla’s bug bounties are separated into two programs. They have a client bug bounty program and a web bug bounty program.
Each program pays differently depending on the severity of the bug found, but the client bounty program spends the most at the top end. That is, the client program has a top prize of ten-thousand dollars while the web program ends with a maximum reward of five-thousand dollars.
The Advantages and Disadvantages of bug bounty programs:
Advantages:
- You’re no longer limited to the talents available to your team locally, as anyone can participate in the program from anywhere around the globe. This means that you’ll benefit from a larger pool of applicants than you have in-house and make use of the best talent available from across the world.
- Due to the extra hands, it’s far more likely that any major bugs or security gaps will be identified before they cause an issue or others with more malicious intent to discover them.
- Any time saved by bug bounty hunters finding issues rather than your team was having to trawl through your program to find the route of the problem that can be spent on other tasks. More effort can be put towards fixing and improving your service instead of just digging into the cause of an error or weakness.
Disadvantages:
Bug bounties aren’t all smooth sailing – they have many drawbacks, which are easily (and wrongly) glossed over when considering the positives.
- Bug bounty programs take careful management to run effectively, and at the very least, will need staff dedicating their time to review the submitted pieces to assess whether the researcher meets the criteria for payment.
- The very existence of bug bounties will incentivize people to break your software no matter their background or intentions. You’ll get white-hat hackers, black-hat hackers, script kiddies, and everything in-between.
- Tests by researchers can be difficult to tell apart from malicious attacks.
- If a relationship with a researcher goes sour (e.g., there’s a payment dispute), there’s a chance that they will use that as motivation to ransom off your security breaches.
All in all, bug bounties shouldn’t be undertaken by anyone who isn’t prepared to manage the submissions effectively and deal with the potential consequences.
In the end, let’s take a look at a few of the biggest payouts yet in the bountiful field of bug bounties.
- Oath/Verizon Media
In April ’18, Oath/Verizon, which owns Yahoo and AOL, shelled out four-hundred-thousand dollars to forty participants in HackerOne’s live hacking H1-415 event. It later doled out another four-hundred-thousand dollar at a separate incident in November that year to hackers who identified one-hundred-and-fifty-nine critical security vulnerabilities.
After the success of these bug bounty events, the company created a consolidated bug bounty program, which paid out five million dollars in ’18 to hackers and researchers who found bugs of various threat levels across multiple platforms.
- Microsoft
Microsoft reached a milestone last year with two million dollars in bug bounty payouts, after which it stopped releasing information about individual bounties besides the amounts and case severity. But their most massive known bonus awarded to a single person went to Vasilis Pappas, who received two-hundred-thousand dollars in ’12 when he was a Columbia University Ph.D. student. Vasilis submitted solutions for a Return-Oriented Programming problem that hackers used to get around security controls and created kBouncer, a program that mitigates anything that looks like ROP.
Google’s Vulnerability Rewards Program dates back to ’10. It has since paid out more than fifteen million dollars, about one-fifth of which was awarded in ’18 (and half of which focused on bugs in Android and Chrome). The largest single payout last year was a bounty of forty-one thousand dollars to an unspecified researcher. Of the public bounties, Ezequiel Pereira (19-year-old from Uruguay) received thirty-six thousand dollars for discovering a Remote Code Execution bug in Google’s Cloud Platform console.
- HackerOne Millionaire
Santiago Lopez, another 19-year-old South American who is killing the bug bounty game. He’s the first person to top one million dollars in earnings on HackerOne’s platform. The self-taught hacker says he got his start by watching YouTube videos and reading blogs on his own, but the thing that jumpstarted his interest in hacking was the 1995 movie Hackers.
With several security lapses over the years, Facebook is a company that needs a bug bounty program. And they have got one; their bug bounty program has paid out over seven million dollars since its inception in ’11. The social network’s previous record of highest single payout went to Andrew Leonov (a Russian security researcher), who was awarded forty thousand dollars for discovering a security flaw in 3rd-party security software that could affect Facebook itself. The new record payout happened last year, a cool fifty thousand dollars to one person.
- US Department of Defense
For one month in ’16, the Department of Defense under the Obama administration said: “Hack the Pentagon!” over 1000 hackers went after bugs in the agency’s systems, and found over one-hundred-and-thirty-eight vulnerabilities worth closing up. The total payout to hackers was one-hundred-and-fifty-thousand dollars, which Ashton Carter (then-Secretary of Defense) said would have cost one million dollars to get a professional security audit.
In ’18, the DoD expanded the hackathon to a slew of new programs hosted by HackerOne, which targeted government systems owned by the Army, Air Force, Marines, and the Defense Travel System. They awarded a combined five-hundred-thousand dollars to hackers who discovered about five-thousand unique vulnerabilities across government databases and websites.
- United Airlines: One Million Miles
United Airlines doesn’t give out cash, but it will give you free miles (and lots of them). Many researchers were awarded flyer miles in 2018, including Olivier Beg (a 19-year-old security researcher from Netherland), who received one million miles for finding around twenty different bugs in the airline’s systems.